Presentation Title: Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Browsers are expanding their feature sets to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. These specifications are forming the backbone of next generation applications running on mobile, PDA devices or desktops. The blend of DOM (Remote Execution stack), XHR L2 (Sockets for injections) and HTML5 (Exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook or Yahoo. It is essential to understand the attack surface and vectors in order to protect next generation applications. The attack surface has expanded enormously with the inclusion of features like audio/video tags, drag/drop APIs, CSS-Opacity, localstorage, web workers, DOM selectors, mouse gesturing, native JSON, Cross Site access controls, offline browsing etc. This extension of the attack surface and the exposure of server side APIs allow an attacker to perform the following lethal attacks and abuses:
1. XHR abuse with attacking Cross Site access controls using level 2 calls
2. JSON manipulations and poisoning
3. DOM API injections and script executions
4. Abusing HTML5 tag structure and attributes
5. Localstorage manipulation and foreign site access
6. Attacking client side sandbox architectures
7. DOM scrubbing and logical abuse
8. Browser hijacking and exploitation through advanced DOM features
9. One-way CSRF and abusing vulnerable sites
10. DOM event injections and controlling (Clickjacking)
11. Hacking widgets, mashups and social networking sites
12. Abusing client side Web 2.0 and RIA libraries
We will cover the above attacks and their variants in detail, along with some real-life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.
About Shreeraj Shah
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert on BBC, Dark Reading and Bank Technology.