HTML5 Top 10 Threats Stealth Attacks and Silent Exploits
2012-04-01 14:57
253 查看
HTML5 is an emerging stack for next generation applications. HTML5 is enhancing browser capabilities and able
to execute Rich Internet Applications in the context of modern browser architecture. Interestingly HTML5 can run on mobile devices as well and it makes even more complicated. HTML5 is not a single technology stack but combination of various components like
XMLHttpRequest (XHR), Document Object model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/Browser rendering. It brings several new technologies to the browser which were not seen before like localstorage, webSQL, websocket, webworkers, enhanced
XHR, DOM based XPATH to name a few. It has enhanced attack surface and point of exploitations for attacker and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits, it is hard to detect and easy to compromise.
• ClickJacking & Phishing by mixing layers and iframe
• CSRF and leveraging CORS to bypass SOP
• Attacking WebSQL and client side SQL injection
• Stealing information from Storage and Global variables
• HTML 5 tag abuse and XSS
• HTML 5/DOM based XSS and redirects
• DOM injections and Hijacking with HTML 5
• Abusing thick client features
• Using WebSockets for stealth attacks
• Abusing WebWorker functionality
Above attack vectors and understanding will give more idea about HTML5 security concerns and required defense.
It is imperative to focus on these new attack vectors and start addressing in today’s environment before attackers start leveraging these features to their advantage.
Download PDF: https://media.blackhat.com
to execute Rich Internet Applications in the context of modern browser architecture. Interestingly HTML5 can run on mobile devices as well and it makes even more complicated. HTML5 is not a single technology stack but combination of various components like
XMLHttpRequest (XHR), Document Object model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/Browser rendering. It brings several new technologies to the browser which were not seen before like localstorage, webSQL, websocket, webworkers, enhanced
XHR, DOM based XPATH to name a few. It has enhanced attack surface and point of exploitations for attacker and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits, it is hard to detect and easy to compromise.
• ClickJacking & Phishing by mixing layers and iframe
• CSRF and leveraging CORS to bypass SOP
• Attacking WebSQL and client side SQL injection
• Stealing information from Storage and Global variables
• HTML 5 tag abuse and XSS
• HTML 5/DOM based XSS and redirects
• DOM injections and Hijacking with HTML 5
• Abusing thick client features
• Using WebSockets for stealth attacks
• Abusing WebWorker functionality
Above attack vectors and understanding will give more idea about HTML5 security concerns and required defense.
It is imperative to focus on these new attack vectors and start addressing in today’s environment before attackers start leveraging these features to their advantage.
Download PDF: https://media.blackhat.com
相关文章推荐
- Top 10 Core Data Tools and Libraries
- Top 10 Algorithms of 20th and 21st Century
- Top 10:HTML5、JavaScript 3D游戏引擎和框架
- Top 10 things to know about Visual Studio 2008 and .NET Framework 3.5(ZT)
- Top 10 Mapping APIs: Google Maps, Microsoft Bing Maps and MapQuest
- Top 10 Backup and Recovery best practices
- Top 10 Backup and Recovery Best Practices (文档 ID 388422.1)
- Top 10 Reasons to Use HTML5 Right Now
- Top 10 things to know about Visual Studio 2008 and .NET Framework 3.5
- Top 10 Most Useful iOS Libraries to Know and Love
- Top 10 tricky Java interview questions and answers
- Top 10 Performance Problems taken from Zappos, Monster, Thomson and Co
- 10 Best HTML5 Sketching and Drawing Tools for Designers
- 10 Best HTML5 Sliders For Designers and Developers to Beautify Their Websites
- Top 10 Java Serialization Interview Questions and Answers
- Top 10 steps to optimize data access in SQL Server: Part II (Re-factor TSQL and apply best practices)
- Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses
- Top 10 steps to optimize data access in SQL Server: Part III (Apply advanced indexing and denormalization)
- Top 10 Struts Interview Question And Answer - J2EE
- Cross Site Scripting Attacks: Xss Exploits and Defense