Thursday, September 24, 2015

HTML5 – Hazards and Defense – Podcast with Brakeing Down Security

Part 1 -  2015-039: Hazards of HTML5

Shreeraj Shah (@shreeraj on Twitter) came on this week to give us a run-down of some of the issues with HTML5? How can a new standard actually be worse than something like Flash? And why would a standard not address existing OWASP issues, and even create new issues, like the ability of a browser to have a database inside of it managing everything?

This week we discuss HTML5 history, some of the pitfalls, and discuss some of the new technologies found in HTML5 that will create more headaches for agents of infosec.

Listen the Podcast over HERE

Part 2 -  2015-040; Defending against HTML 5 vulnerabilities

Last week, we discussed with Shreeraj Shah about HTML5, how it came into being and the fact that instead of solving OWASP issues, it introduces new and wonderful vulnerabilities, like exploiting locally stored web site info using XSS techniques, and doing SQLI on the new browser WebSQL.
So this week, it's all about defensive techniques that you can use to educate your developers against making mistakes that could get your company's web application on the front page of the news paper.

Listen the Podcast over HERE

You can find various articles on this topic and issues covered during the session over here.

1. Next Generation Application Architecture & HTML5
2. HTML5 features in a nutshell
3. HTML5/Browser Evolution and Threats
4. Cross Origin Resource Sharing Policy and its impact
5. CSRF and Cross Domain Response Extraction in Era of CORS
6. WebSocket Security - Protecting streams Over HTTP
7. Attack Vectors and Threats for HTML5 Storage (note)
8. Talks on HTML5 Security (HITB and AppSecUSA 2012)
9. XSS & CSRF with HTML5 - Attack, Exploit and Defense
10. File System API with HTML5 – Juice for XSS
11. CSRF with upload – XHR-L2, HTML5 and Cookie replay
12. Blind WebSQL and Storage extraction for HTML5 Apps
13. Cross Origin Resource Jacking (CORJacking) - DOM based attack vector
14. Top 10 HTML5 Threats & Attack Vectors

Also, at OWASP we are maintaining HTML5 cheatsheet which you can find it over.

HTML5 OWASP cheat Sheet

Enjoy!