SQL Injections
0HTML5 is an emerging stack for next generation applications. HTML5 is enhancing browser capabilities and able to execute Rich Internet Applications in the context of modern browser architecture. Interestingly HTML5 can run on mobile devices as well and it makes even more complicated. HTML5 is not a single technology stack but combination of various components like XMLHttpRequest (XHR), Document Object model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/Browser rendering. It brings several new technologies to the browser which were not seen before like localstorage, webSQL, websocket, webworkers, enhanced XHR, DOM based XPATH to name a few. It has enhanced attack surface and point of exploitations for attacker and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits, it is hard to detect and easy to compromise. In this paper and talk we are going to walk through these new architectures, attack surface and possible threats. Here is the top 10 threats which we are going to cover in detail with real life examples and demos.
A1 - CORS Attacks & CSRF
A2 - ClickJacking, CORJacking and UI exploits
A3 - XSS with HTML5 tags, attributes and events
A4 - Web Storage and DOM information extraction
A5 - SQLi & Blind Enumeration
A6 - Web Messaging and Web Workers injections
A7 - DOM based XSS with HTML5 & Messaging
A8 - Third party/Offline HTML Widgets and Gadgets
A9 - Web Sockets and Attacks
A10 - Protocol/Schema/APIs attacks with HTML5
Above attack vectors and understanding will give more idea about HTML5 security concerns and required defense. It is imperative to focus on these new attack vectors and start addressing in today's environment before attackers start leveraging these features to their advantage. We are going to see new tricks for HTML5 vulnerabilities scanning and tools.
Black Hat - USA - 2012 Hacking conference
#hacking, #hackers, #infosec, #opsec, #IT, #security
Other Videos By All Hacking Cons
| 2021-12-31 | Trust, Security and Society Presented By Bruce Schneier |
| 2021-12-31 | Ghost in the Air Traffic |
| 2021-12-31 | Random Number Generator in PHP |
| 2021-12-31 | BlackOps |
| 2021-12-31 | We have you by the Gadgets |
| 2021-12-31 | Torturing OpenSSL |
| 2021-12-31 | Probing The Mobile Operating Networks |
| 2021-12-31 | Find Me in your Database |
| 2021-12-31 | Digging Deep into the Flash Sandboxes |
| 2021-12-31 | The Big Picture |
| 2021-12-31 | SQL Injections |
| 2021-12-31 | File Disinfection Framework Striking back at the Polymorphic Viruses |
| 2021-12-31 | Easy Local Windows Kernel Exploitation |
| 2021-12-31 | Blended Threats and JavaScript: a plan for permanent network compromise |
| 2021-12-31 | The Info Leak Era Software Exploitation |
| 2021-12-31 | How many bricks does it take to Crack a Microcell? |
| 2021-12-31 | Windows 7 Phone Hacking & Exploitation |
| 2021-12-31 | The Christopher Columbus Rule and DHS |
| 2021-12-31 | Web Tracking for You |
| 2021-12-31 | Smashing the Furure for Fun & Profit Presented By:Jeff Moss Bruce Schneier Adam Shostack |
| 2021-12-31 | Recent Java Exploitation Trends and Malware |