What is HTML5?
Next major version of HTML. The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
Adds new tags and event handlers to HTML, and many more features.
HTML5 is not finished.

HTML5 is already here.
HTML5 TEST: many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.
Web Browser Security Models
The same origin policy
The cookie security model
The Flash security model / sandbox

Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.
An origin is defined as the combination of host name, protocol, and port number.
The Browser "Same Origin" Policy
(Diagram: bank.com and blog.net; access via XHR, TAG and JS; protected objects: document, cookies. See also: TAG, XHR, JS.)

What Happens if the Same Origin Policy Is Broken?
Cross Origin Request (COR)
Originally Ajax calls were subject to the Same Origin Policy: Site A cannot make XMLHttpRequests to Site B.
HTML5 makes it possible to make these cross-domain calls: site A can now make XMLHttpRequests to Site B as long as Site B allows it.
The response from Site B should include a header:
Access-Control-Allow-Origin: Site A

Not only the NAT'ed IP: you can get lots more system info. Demo
Port Scanning
window.onerror = err;
<script src="http://ip/"></script>
if (!msg.match(/Error loading script/)) // ip does not exist
else // found internal ip
Blind Web Server Fingerprinting
Apache Web Server: /icons/apache_pb.gif
HP Printer: /hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />

Port Scanning: Beating Protections
Blocking example for known ports (Firefox, WebSockets and CORS) -> Workaround! -> ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.
Based on timeouts; it can be configured.
WTFun
Self-triggering XSS exploits with HTML5
A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS:
<input type="text" value="-->Injecting here" onmouseover="alert('Injected val')">
HTML5 turns this into self-triggering XSS:
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>

Black-list XSS filters
HTML5 introduces many new tags.
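Added example, not from the original slides: a constructed black-list filter of the kind the two slides above criticise, beside plain attribute encoding, run against the onmouseover and the autofocus/onfocus payloads from the slide. The filter word list, payload strings and helper names are all assumptions made for the illustration.

```javascript
// Added example (not from the original slides). The black-list below is a
// constructed strawman modelled on legacy filters that only knew pre-HTML5 handlers.
const LEGACY_BLACKLIST = /<script|javascript:|onmouseover|onclick|onload|onerror/gi;

// Black-list filter: strips only the handler names its author knew about.
function blacklistFilter(untrusted) {
  return String(untrusted).replace(LEGACY_BLACKLIST, "");
}

// Allow-list alternative: encode every character that could end the quoted
// attribute or start a new one, so user data can never leave value="...".
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9 ]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// A template renders the INPUT tag from the slide with user data in value.
function renderInput(userValue, filter) {
  return '<input type="text" value="' + filter(userValue) + '">';
}

// Constructed payloads modelled on the slide: the first needs a mouseover,
// the second uses autofocus so onfocus fires without any user interaction.
const LEGACY_PAYLOAD = '" onmouseover="alert(\'Injected val\')" x="';
const HTML5_PAYLOAD  = '" onfocus="alert(\'Injected value\')" autofocus x="';

// The template itself writes exactly four double quotes (type="text" and
// value="..."); any extra raw quote means user data escaped the attribute.
function userDataStaysInAttribute(markup) {
  return (markup.match(/"/g) || []).length === 4;
}

// Does the rendered tag carry an event-handler attribute of its own?
function hasEventHandlerAttribute(markup) {
  return /\son\w+\s*=\s*"/i.test(markup);
}
```

The black list removes onmouseover from the old payload but still lets the quote break out of the attribute, and it leaves the HTML5 payload untouched; encoding keeps both inside value="..." with no handler attribute at all.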
Cross-Site Request Forgery
(Diagram: a user's session with bank.com, each step a request such as https://bank.com/fn?param=1: Go to Transfer Assets; Select FROM Fund; Select TO Fund; Select Dollar Amount; Submit Transaction; Confirm Transaction. The same request is triggered by the attacker's post at blog.net.)

XSS & CSRF: Killer Combo
Programmers Prepare, Users Beware. Demo
If XSS is there, all CSRF protection can be bypassed.
<form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
<input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
<input type="hidden" name="blog_entry" value="This is come from CSRF"/>
<input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>
How Does CSRF Work?
Tags:
<img src="https://bank.com/fn?param=1">
<iframe src="https://bank.com/fn?param=1">
<script src="https://bank.com/fn?param=1">
Autoposting forms:
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
<input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest: subject to the same origin policy.

What Can Attackers Do with CSRF?
Anything an authenticated user can do:
Click links
Fill out and submit forms
Follow all the steps of a wizard interface

Using CSRF to Attack Internal Pages
(Diagram: attacker.com -> internal browser -> CSRF TAG -> Internal Site internal.mybank.com: Allowed!)
Offline Web Application Cache Poisoning
Caching of the root directory is possible.
HTTP and HTTPS caching is possible.

OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC?

In summary
Web Worker = Cracking hashes in the JS cloud
Cross-origin resource sharing + Web Worker = Powerful DDoS attacks
Cross-origin resource sharing + WebSocket + Web Worker = Web-based botnet

Is HTML5 hopelessly (in)secure?
Ahem, no... security has been a major consideration in the design of the specification.
But it is incredibly hard to add features to any technology without increasing the possibility of abuse.
References
Compass Security AG, security-v1.html
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

Be secure & safe. Twitter: @nahidupa
HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.