Secure web messaging in HTML5
Download as pptx, pdf1 like1,973 views
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
1 of 20
Downloaded 40 times
![Isolation with Frames
Different security contexts for different origins
Brings modularity but less interactive than embedding JS
No standard communication mechanism
Comply with SOP - Run remote code safely
<!-- This is allowed -->
<iframe src="sameDomainPage.html"> </iframe>
alert(frames[0].contentDocument.body); //works fine
<!-- This is **NOT** allowed -->
<iframe src="http://crossDomain.com"> </iframe>
alert(frames[0].contentDocument.body); //throws error](https://image.slidesharecdn.com/securewebmessaginginhtml5-120128232659-phpapp01/85/Secure-web-messaging-in-HTML5-8-320.jpg)
![Frame Navigation
Beware! Frames can be navigated to different origins!
Frame-Frame relationships
Can script in Frame A modify DOM of Frame B?
Can Script in Frame A “navigate” or change the origin of Frame B?
Frame navigation is NOT the same as SOP - often mistaken!
<iframe src=“http://crossDomain.com"> </iframe>
<!-- This is **NOT** allowed -->
alert(frames[0].src); //throws error – SOP restriction
<!-- This is allowed -->
alert(frames[0].src=“http://bing.com”); //works fine - frame navigation](https://image.slidesharecdn.com/securewebmessaginginhtml5-120128232659-phpapp01/85/Secure-web-messaging-in-HTML5-9-320.jpg)
![Same-Window attack!
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
Courtesy: Stanford Web Security Lab](https://image.slidesharecdn.com/securewebmessaginginhtml5-120128232659-phpapp01/85/Secure-web-messaging-in-HTML5-11-320.jpg)
![HTML5 Post Message API
Syntax: otherwindow.postMessage(message, targetOrigin);
targetOrigin can be a trusted source or wild card *“*”+
//Posting message to a cross domain partner.
frames[0].postMessage(“Hello Partner!”, "http://localhost:81/");
//Retrieving message from the sender
window.onmessage = function (e) {
if (e.origin == 'http://localhost') {
//sanitize and accept data
}
};](https://image.slidesharecdn.com/securewebmessaginginhtml5-120128232659-phpapp01/85/Secure-web-messaging-in-HTML5-16-320.jpg)
Ad
Recommended
JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T The document discusses the Same Origin Policy (SOP), which governs how different web origins can interact with each other and what resources can be accessed across origins. It elaborates on various methods and hacks to bypass SOP restrictions for cross-origin communication, including JSONP and HTML5's postMessage API. Additionally, it introduces CORS (Cross-Origin Resource Sharing) as a newer standard for secure cross-origin access.
Html5 security
Html5 securityKrishna T The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.
Html5 for Security Folks
Html5 for Security Folksn|u - The Open Security Community HTML5 introduces many new features that can impact security, both positively and negatively. It allows richer multimedia but also makes some attacks easier. Features like Cross-Origin Resource Sharing, Web Storage, and IFRAME sandboxing could enable attacks like session hijacking or user tracking if not implemented correctly. The IFRAME sandboxing feature is particularly useful for security as it disables scripts and popups, though relaxing its restrictions too much could re-enable frame busting defenses. References are provided for further information on HTML5 security examples and specifications.
Attacking Web Proxies
Attacking Web ProxiesInMobi Technology The document discusses vulnerabilities and attacks on web-based proxies, explaining how they function and their common uses like anonymous browsing and traffic management. It highlights security flaws such as the bypassing of the Same Origin Policy (SOP) through techniques like iframe manipulation, posing risks like data exfiltration. Solutions like proxy hot-linking protection and the importance of Content Security Policy (CSP) are suggested to mitigate these risks.
Dom based xss
Dom based xssLê Giáp This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
Browser Security
Browser SecurityRoberto Suggi Liverani The document discusses browser security concerns, particularly focusing on risks related to HTML5 web applications and browser plugins. It highlights the vulnerabilities in new web technologies and presents examples of potential attacks, such as browser SQL injection and application cache poisoning. The author emphasizes the importance of addressing these issues collaboratively with browser and framework vendors to enhance web security.
New Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi The document discusses clickjacking, a web threat that tricks users into clicking on malicious elements via disguised iframes, potentially leading to data theft and spam. An automated detection and testing solution was developed, which analyzed over one million websites, identifying two actual clickjacking attacks and numerous borderline cases. The analysis suggests that while clickjacking has gained media attention, it is not currently a major threat due to complexity in execution and the rarity of transparent iframes.
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
Html5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman The document outlines the top ten web hacking techniques of 2008 as identified by Jeremiah Grossman, emphasizing various vulnerabilities and exploits such as clickjacking, Flash parameter injection, and cross-site scripting. It discusses several attack methodologies, their mechanisms, and provides defense strategies against these emerging threats. Overall, it serves as a crucial resource for understanding and navigating the evolving landscape of web security risks.
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi The document outlines Domgoat, a learning platform focused on Document Object Model (DOM) security, highlighting its purpose and features similar to Webgoat. It emphasizes the significance of client-side security, explaining vulnerabilities like client-side code execution and the risks associated with attacker-controlled data. The roadmap includes plans for demos, releases, and support for various security aspects, encouraging awareness and education in DOM security.
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Browser Security 101
Browser Security 101 Stormpath The document outlines key aspects of browser security, particularly for modern web applications, focusing on threats like XSS, CSRF, and MITM attacks. It discusses best practices for securing user credentials, sessions, and communication, along with the use of cookies and session identifiers. Additionally, it emphasizes the importance of utilizing frameworks and tools for effective security measures in application development.
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill This document discusses the security threats posed by JavaScript usage on the modern web. It outlines common exploits like cross-site scripting and cross-site request forgery that can be used to hijack user accounts, steal data, and infect browsers with malware. The document also covers emerging HTML5 features like WebSockets, local storage, and geolocation that could enable new types of attacks if not properly secured. It recommends that developers "hack themselves first" by proactively testing their own sites for vulnerabilities in order to build more secure JavaScript applications.
Web browser privacy and security
Web browser privacy and security amiable_indian The document discusses security and privacy issues related to web browsers. It outlines how targeted attacks on web browsers are increasingly motivated by financial gain. It then discusses common web browser vulnerabilities and how informed consent is important for privacy and security. The document proposes designs for enhancing user understanding of events like cookies with minimal distraction. It also discusses strengthening browser security against man-in-the-middle and eavesdropping attacks.
Starwest 2008
Starwest 2008Caleb Sima Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman The document outlines the top ten web hacking techniques from 2008, highlighting various vulnerabilities, such as flash parameter injection, clickjacking, and cross-domain leaks. It emphasizes the need for proper defenses, including user input sanitization and secure application design, to mitigate these threats. The techniques discussed are crucial for understanding evolving web security challenges faced by organizations.
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStoragetomasperezv This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman The document details the top ten web hacking techniques from 2010, highlighting innovative approaches such as the 'padding oracle' crypto attack, evercookies, and clickjacking to exploit web application vulnerabilities. It discusses how these methods can subvert common protections, demonstrating risks associated with exploiting auto-complete and browser caching. The document serves as a summary of evolving web security challenges, emphasizing the need for vigilance in defending against such attacks.
Xss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak Browser security aims to protect users from malware and privacy leaks. The document discusses browser security topics like cookies, plug-ins, and preserving privacy. It also covers security risks like annoyance, information theft, and system compromise from malicious code. The browser verifies code and uses a security manager to control access based on a system policy.
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren The document discusses XML External Entity (XXE) vulnerabilities in web services, presenting various types of web services like XML-RPC, JSON-RPC, and SOAP. It highlights common attacks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and XXE, emphasizing that these injection attacks are the top web security risks. Mitigation strategies for each type of attack are provided, along with examples and recommended practices for secure web service implementation.
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g This document discusses the vulnerabilities in TLS (SSL) protocols especially concerning man-in-the-middle (MITM) attacks on HTTPS. It outlines various exploitation techniques, including certificate misconfigurations and the manipulation of server responses, enabling attackers to bypass security measures and gain control over user data. The presentation emphasizes the need for increased awareness and further research into these threats and the effectiveness of TLS security.
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill 1) HTML5 and new web standards like Content Security Policy and cross-origin resource sharing improve security by enabling enforcement of policies like script isolation in the client instead of through server-side filtering.
2) Script injection vulnerabilities like cross-site scripting can be solved using these new client-side techniques rather than incomplete server-side simulations.
3) Mashups can be made more secure by using CORS to retrieve validated data instead of injecting code, and postMessage with isolated iframes to communicate with legacy APIs.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu The document provides an overview of browser security challenges, focusing on mechanisms like the Same Origin Policy (SOP) and Content Security Policy (CSP), as well as common vulnerabilities and attack vectors, such as spoofing and cross-site scripting. It includes demos and codes for exploitation scenarios including Denial of Service attacks, Remote Code Execution, and various forms of content spoofing. The document emphasizes the importance of security measures and mitigations to defend against these vulnerabilities in modern browsers.
More Related Content
What's hot (20)
New Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi The document discusses clickjacking, a web threat that tricks users into clicking on malicious elements via disguised iframes, potentially leading to data theft and spam. An automated detection and testing solution was developed, which analyzed over one million websites, identifying two actual clickjacking attacks and numerous borderline cases. The analysis suggests that while clickjacking has gained media attention, it is not currently a major threat due to complexity in execution and the rarity of transparent iframes.
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
Html5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman The document outlines the top ten web hacking techniques of 2008 as identified by Jeremiah Grossman, emphasizing various vulnerabilities and exploits such as clickjacking, Flash parameter injection, and cross-site scripting. It discusses several attack methodologies, their mechanisms, and provides defense strategies against these emerging threats. Overall, it serves as a crucial resource for understanding and navigating the evolving landscape of web security risks.
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi The document outlines Domgoat, a learning platform focused on Document Object Model (DOM) security, highlighting its purpose and features similar to Webgoat. It emphasizes the significance of client-side security, explaining vulnerabilities like client-side code execution and the risks associated with attacker-controlled data. The roadmap includes plans for demos, releases, and support for various security aspects, encouraging awareness and education in DOM security.
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Browser Security 101
Browser Security 101 Stormpath The document outlines key aspects of browser security, particularly for modern web applications, focusing on threats like XSS, CSRF, and MITM attacks. It discusses best practices for securing user credentials, sessions, and communication, along with the use of cookies and session identifiers. Additionally, it emphasizes the importance of utilizing frameworks and tools for effective security measures in application development.
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill This document discusses the security threats posed by JavaScript usage on the modern web. It outlines common exploits like cross-site scripting and cross-site request forgery that can be used to hijack user accounts, steal data, and infect browsers with malware. The document also covers emerging HTML5 features like WebSockets, local storage, and geolocation that could enable new types of attacks if not properly secured. It recommends that developers "hack themselves first" by proactively testing their own sites for vulnerabilities in order to build more secure JavaScript applications.
Web browser privacy and security
Web browser privacy and security amiable_indian The document discusses security and privacy issues related to web browsers. It outlines how targeted attacks on web browsers are increasingly motivated by financial gain. It then discusses common web browser vulnerabilities and how informed consent is important for privacy and security. The document proposes designs for enhancing user understanding of events like cookies with minimal distraction. It also discusses strengthening browser security against man-in-the-middle and eavesdropping attacks.
Starwest 2008
Starwest 2008Caleb Sima Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman The document outlines the top ten web hacking techniques from 2008, highlighting various vulnerabilities, such as flash parameter injection, clickjacking, and cross-domain leaks. It emphasizes the need for proper defenses, including user input sanitization and secure application design, to mitigate these threats. The techniques discussed are crucial for understanding evolving web security challenges faced by organizations.
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStoragetomasperezv This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman The document details the top ten web hacking techniques from 2010, highlighting innovative approaches such as the 'padding oracle' crypto attack, evercookies, and clickjacking to exploit web application vulnerabilities. It discusses how these methods can subvert common protections, demonstrating risks associated with exploiting auto-complete and browser caching. The document serves as a summary of evolving web security challenges, emphasizing the need for vigilance in defending against such attacks.
Xss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak Browser security aims to protect users from malware and privacy leaks. The document discusses browser security topics like cookies, plug-ins, and preserving privacy. It also covers security risks like annoyance, information theft, and system compromise from malicious code. The browser verifies code and uses a security manager to control access based on a system policy.
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren The document discusses XML External Entity (XXE) vulnerabilities in web services, presenting various types of web services like XML-RPC, JSON-RPC, and SOAP. It highlights common attacks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and XXE, emphasizing that these injection attacks are the top web security risks. Mitigation strategies for each type of attack are provided, along with examples and recommended practices for secure web service implementation.
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g This document discusses the vulnerabilities in TLS (SSL) protocols especially concerning man-in-the-middle (MITM) attacks on HTTPS. It outlines various exploitation techniques, including certificate misconfigurations and the manipulation of server responses, enabling attackers to bypass security measures and gain control over user data. The presentation emphasizes the need for increased awareness and further research into these threats and the effectiveness of TLS security.
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.
Similar to Secure web messaging in HTML5 (20)
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill 1) HTML5 and new web standards like Content Security Policy and cross-origin resource sharing improve security by enabling enforcement of policies like script isolation in the client instead of through server-side filtering.
2) Script injection vulnerabilities like cross-site scripting can be solved using these new client-side techniques rather than incomplete server-side simulations.
3) Mashups can be made more secure by using CORS to retrieve validated data instead of injecting code, and postMessage with isolated iframes to communicate with legacy APIs.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu The document provides an overview of browser security challenges, focusing on mechanisms like the Same Origin Policy (SOP) and Content Security Policy (CSP), as well as common vulnerabilities and attack vectors, such as spoofing and cross-site scripting. It includes demos and codes for exploitation scenarios including Denial of Service attacks, Remote Code Execution, and various forms of content spoofing. The document emphasizes the importance of security measures and mitigations to defend against these vulnerabilities in modern browsers.
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill The document discusses the security implications of HTML5 and how it addresses common vulnerabilities like cross-site scripting (XSS) through content security policies and client-side technologies. It emphasizes that while HTML5 improves the security posture of web applications, XSS remains an issue that can be mitigated with proper application architecture. Additionally, it highlights the use of Cross-Origin Resource Sharing (CORS) and sandboxed iframes to enhance security in web mashups.
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a This document provides an introduction to web security and the browser security model. It discusses goals of web security including safely browsing the web and supporting secure web applications. It outlines common web threat models and covers topics like HTTP, rendering content, isolation using frames and same-origin policy, communication between frames, frame navigation policies, client state using cookies, and clickjacking. The document aims to provide background knowledge on how the web and browsers work from a security perspective.
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
Will Web 2.0 applications break the cloud?
Will Web 2.0 applications break the cloud?Flaskdata.io The document discusses the challenges and risks associated with rich web applications in cloud computing, focusing on performance, security, and common mistakes made by CIOs. It emphasizes the high cost of application vulnerabilities and poor latency, while suggesting future technologies like web sockets, Node.js, and CouchDB as solutions to improve efficiency and reduce threat surfaces. Ultimately, the document warns that security measures are essential yet costly, and highlights the economic impact of latency on businesses.
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance The document discusses security vulnerabilities in JavaScript, particularly focusing on the implications of HTML5 features like sandboxing and the risks associated with cross-site scripting (XSS). It details specific attack methods, such as 'monster XSS,' that exploit these vulnerabilities to capture user data, and emphasizes the importance of securing client-side applications. Recommendations provided include avoiding unnecessary permissions in iframes and maintaining vigilance against XSS attacks.
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto Rod Soto and Joseph Zadeh discuss detecting webshells in compromised perimeter assets using machine learning algorithms. They define webshells and how they are commonly used by attackers to gain access to networks. Two approaches are described for detecting webshells using ML: global models that analyze overall asset behavior, and local models that examine individual web server content and traffic patterns. Detecting deviations from normal behavior across both local and global views can help identify compromised assets with webshells.
Caja "Ka-ha" Introduction
Caja "Ka-ha" Introductionyiming he Caja is a tool that sanitizes JavaScript to make it secure and prevent malicious behavior like stealing cookies, DDOS attacks, or accessing unauthorized information. It uses an object-capability model where code can only interact with explicitly granted objects, preventing access to the global namespace. Caja rewrites source code and enhances property descriptors to allow runtime checks of object access. It also isolates code by running it within an iframe. This allows untrusted third-party code to be safely embedded while preventing harmful actions. Caja is demonstrated using examples of simple and DOM manipulation code and how it is compiled to only permit the intended interactions.
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen The document outlines the top ten web hacking techniques of 2012 as identified by WhiteHat Security, highlighting advancements in web-based attacks, including methods like CRIME, SSRF exploitation, and captcha re-riding. It emphasizes the challenges posed by vulnerabilities in web security, especially with the integration of HTML5 features like local storage that can lead to persistent attacks. The report serves as a crucial resource for understanding emerging threats in web security for both developers and security professionals.
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic The document discusses AJAX as a method for creating dynamic web applications, highlighting its interaction with the same-origin policy, security vulnerabilities, and automation challenges. It outlines various security risks associated with AJAX, such as Cross-Site Scripting (XSS), SQL Injection, and JavaScript hijacking, along with best practices for mitigating these risks. The presentation also emphasizes the importance of strong server-side validation and caution against relying solely on client-side security measures.
HTML5 Real-Time and Connectivity
HTML5 Real-Time and ConnectivityPeter Lubbers This document presents an overview of HTML5 features related to real-time web connectivity, focusing on topics like the web origin concept, cross-document messaging, CORS, and WebSocket technology. It discusses security considerations, browser support, and the advantages of using WebSocket for efficient bi-directional communication in web applications. Additionally, it highlights the importance of choosing the right technology based on specific use cases rather than treating HTML5 as a monolithic solution.
Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich This document summarizes Mario Heiderich's presentation titled "Locking the Throne Room - How ES5+ will change XSS and Client Side Security" given at BlueHat, Redmond 2011. The presentation discusses how new features in ECMAScript 5 (ES5), such as Object.defineProperty(), can be used to prevent cross-site scripting (XSS) attacks by locking down access to sensitive DOM properties and methods on the client-side in a tamper-resistant way. This moves XSS mitigation closer to the client where the attacks occur, avoiding issues caused by impedance mismatches between server-side filters and client-side execution. The approach could allow role-based access control and intrusion
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates This document discusses cross-site scripting (XSS) vulnerabilities. It covers the business risks of XSS, including account compromise and malware installation. It explains how XSS works by giving an example of a reflected XSS attack. It then discusses different XSS attack points and variations. The document outlines mitigation techniques like output encoding and content security policies. It provides examples of how these defenses work to prevent XSS exploits. Finally, it discusses tools like the OWASP XSS prevention cheat sheet and upcoming security training sessions.
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape The document discusses cross-site scripting (XSS), highlighting its causes, types, and defense mechanisms. It defines XSS as a vulnerability arising from the failure to sanitize user inputs, leading to potential attacks like cookie theft and session hijacking. Various preventive measures, including input validation and secure cookie handling, are presented alongside testing methods to detect XSS vulnerabilities.
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE The document discusses the development of cross-platform desktop applications using the Electron framework, highlighting its capabilities and security vulnerabilities. It emphasizes the significance of security measures to prevent issues such as DOM-based XSS and the risks associated with enabling Node.js in the renderer process. Various strategies for mitigating these vulnerabilities, such as content security policies and disabling Node integration, are also examined.
Secure Mashups
Secure Mashupskriszyp The document discusses techniques for creating secure mashups, including server-side and client-side approaches. It describes challenges around trust between participants and potential exploits. It provides an overview of tools like ADsafe, Caja, and dojox.secure that aim to sandbox code by restricting language features and access. Dojox.secure in particular provides a full framework for loading, validating, and restricting access to DOM for third-party widgets in a controlled manner.
04. xss and encoding
04. xss and encodingEoin Keary XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil The document discusses various cybersecurity topics including vulnerabilities, threats, attacks, and countermeasures. It provides an overview of the Open Web Application Security Project (OWASP) which focuses on improving application security. It also summarizes common web vulnerabilities like cross-site scripting (XSS), SQL injection, buffer overflows, and cross-site request forgery (CSRF). Recommendations are given to prevent these vulnerabilities.
Ad
Recently uploaded (20)
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
Hyderabad MuleSoft In-Person Meetup (June 21, 2025) SlidesRavi Tamada Hyderabad MuleSoft In-Person Meetup (June 21, 2025) Slides
"Scaling in space and time with Temporal", Andriy Lupa.pdf
"Scaling in space and time with Temporal", Andriy Lupa.pdfFwdays Design patterns like Event Sourcing and Event Streaming have long become standards for building real-time analytics systems. However, when the system load becomes nonlinear with fast and often unpredictable spikes, it's crucial to respond quickly in order not to lose real-time operating itself.
In this talk, I’ll share my experience implementing and using a tool like Temporal.io. We'll explore the evolution of our system for maintaining real-time report generation and discuss how we use Temporal both for short-lived pipelines and long-running background tasks.
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...All Things Open Presented at All Things Open RTP Meetup
Presented by William Hill - Developer Advocate, NVIDIA
Title: Agentic AI for Developers and Data Scientists
Build an AI Agent in 10 Lines of Code and the Concepts Behind the Code
Abstract: In this talk we will demonstrate building a working data science AI agent in 10 lines of basic Python code in a Colab notebook. Our AI Agent will perform LLM prompt-driven visual analysis using open-source libraries. In this session we will show how to develop an AI Agent using GPUs through NVIDIA’s developer program and Google Colab notebooks. After coding our AI Agent, we will break down the 10 lines of code. We will show the key components and open source library integrations that enable the agent's functionality, focusing on practical implementation details and then the theoretical concepts. The presentation concludes with a survey of current LLM technologies and the latest trends in developing AI applications for enthusiasts and enterprises
Mastering AI Workflows with FME by Mark Döring
Mastering AI Workflows with FME by Mark DöringSafe Software Harness the full potential of AI with FME: From creating high-quality training data to optimizing models and utilizing results, FME supports every step of your AI workflow. Seamlessly integrate a wide range of models, including those for data enhancement, forecasting, image and object recognition, and large language models. Customize AI models to meet your exact needs with FME’s powerful tools for training, optimization, and seamless integration
Curietech AI in action - Accelerate MuleSoft development
Curietech AI in action - Accelerate MuleSoft developmentshyamraj55 CurieTech AI in Action – Accelerate MuleSoft Development
Overview:
This presentation demonstrates how CurieTech AI’s purpose-built agents empower MuleSoft developers to create integration workflows faster, more accurately, and with less manual effort
linkedin.com
+12
curietech.ai
+12
meetups.mulesoft.com
+12
.
Key Highlights:
Dedicated AI agents for every stage: Coding, Testing (MUnit), Documentation, Code Review, and Migration
curietech.ai
+7
curietech.ai
+7
medium.com
+7
DataWeave automation: Generate mappings from tables or samples—95%+ complete within minutes
linkedin.com
+7
curietech.ai
+7
medium.com
+7
Integration flow generation: Auto-create Mule flows based on specifications—speeds up boilerplate development
curietech.ai
+1
medium.com
+1
Efficient code reviews: Gain intelligent feedback on flows, patterns, and error handling
youtube.com
+8
curietech.ai
+8
curietech.ai
+8
Test & documentation automation: Auto-generate MUnit test cases, sample data, and detailed docs from code
curietech.ai
+5
curietech.ai
+5
medium.com
+5
Why Now?
Achieve 10× productivity gains, slashing development time from hours to minutes
curietech.ai
+3
curietech.ai
+3
medium.com
+3
Maintain high accuracy with code quality matching or exceeding manual efforts
curietech.ai
+2
curietech.ai
+2
curietech.ai
+2
Ideal for developers, architects, and teams wanting to scale MuleSoft projects with AI efficiency
Conclusion:
CurieTech AI transforms MuleSoft development into an AI-accelerated workflow—letting you focus on innovation, not repetition.
"How to survive Black Friday: preparing e-commerce for a peak season", Yurii ...
"How to survive Black Friday: preparing e-commerce for a peak season", Yurii ...Fwdays We will explore how e-commerce projects prepare for the busiest time of the year, which key aspects to focus on, and what to expect. We’ll share our experience in setting up auto-scaling, load balancing, and discuss the loads that Silpo handles, as well as the solutions that help us navigate this season without failures.
UserCon Belgium: Honey, VMware increased my bill
UserCon Belgium: Honey, VMware increased my billstijn40 VMware’s pricing changes have forced organizations to rethink their datacenter cost management strategies. While FinOps is commonly associated with cloud environments, the FinOps Foundation has recently expanded its framework to include Scopes—and Datacenter is now officially part of the equation. In this session, we’ll map the FinOps Framework to a VMware-based datacenter, focusing on cost visibility, optimization, and automation. You’ll learn how to track costs more effectively, rightsize workloads, optimize licensing, and drive efficiency—all without migrating to the cloud. We’ll also explore how to align IT teams, finance, and leadership around cost-aware decision-making for on-prem environments. If your VMware bill keeps increasing and you need a new approach to cost management, this session is for you!
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025pcprocore 👉𝗡𝗼𝘁𝗲:𝗖𝗼𝗽𝘆 𝗹𝗶𝗻𝗸 & 𝗽𝗮𝘀𝘁𝗲 𝗶𝗻𝘁𝗼 𝗚𝗼𝗼𝗴𝗹𝗲 𝗻𝗲𝘄 𝘁𝗮𝗯> https://pcprocore.com/ 👈◀
CapCut Pro Crack is a powerful tool that has taken the digital world by storm, offering users a fully unlocked experience that unleashes their creativity. With its user-friendly interface and advanced features, it’s no wonder why aspiring videographers are turning to this software for their projects.
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdfPriyanka Aash A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy
Securing Account Lifecycles in the Age of Deepfakes.pptx
Securing Account Lifecycles in the Age of Deepfakes.pptxFIDO Alliance Securing Account Lifecycles in the Age of Deepfakes
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdfPriyanka Aash Oh, the Possibilities - Balancing Innovation and Risk with Generative AI
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019 A presentation at Internetware 2025.
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdfPriyanka Aash Cracking the Code - Unveiling Synergies Between Open Source Security and AI
You are not excused! How to avoid security blind spots on the way to production
You are not excused! How to avoid security blind spots on the way to productionMichele Leroux Bustamante We live in an ever evolving landscape for cyber threats creating security risk for your production systems. Mitigating these risks requires participation throughout all stages from development through production delivery - and by every role including architects, developers QA and DevOps engineers, product owners and leadership. No one is excused! This session will cover examples of common mistakes or missed opportunities that can lead to vulnerabilities in production - and ways to do better throughout the development lifecycle.
Using the SQLExecutor for Data Quality Management: aka One man's love for the...
Using the SQLExecutor for Data Quality Management: aka One man's love for the...Safe Software The SQLExecutor is one of FME’s most powerful and flexible transformers. Pivvot maintains a robust internal metadata hierarchy used to support ingestion and curation of thousands of external data sources that must be managed for quality before entering our platform. By using the SQLExecutor, Pivvot can efficiently detect problems and perform analysis before data is extracted from our staging environment, removing the need for rollbacks or cycles waisted on a failed job. This presentation will walk through three distinct examples of how Pivvot uses the SQLExecutor to engage its metadata hierarchy and integrate with its Data Quality Management workflows efficiently and within the source postgres database. Spatial Validation –Validating spatial prerequisites before entering a production environment. Reference Data Validation - Dynamically validate domain-ed columns across any table and multiple columns per table. Practical De-duplication - Removing identical or near-identical well point locations from two distinct source datasets in the same table.
Enhance GitHub Copilot using MCP - Enterprise version.pdf
Enhance GitHub Copilot using MCP - Enterprise version.pdfNilesh Gule Slide deck related to the GitHub Copilot Bootcamp in Melbourne on 17 June 2025
"Database isolation: how we deal with hundreds of direct connections to the d...
"Database isolation: how we deal with hundreds of direct connections to the d...Fwdays What can go wrong if you allow each service to access the database directly? In a startup, this seems like a quick and easy solution, but as the system scales, problems appear that no one could have guessed.
In my talk, I'll share Solidgate's experience in transforming its architecture: from the chaos of direct connections to a service-based data access model. I will talk about the transition stages, bottlenecks, and how isolation affected infrastructure support. I will honestly show what worked and what didn't. In short, we will analyze the controversy of this talk.
Smarter Aviation Data Management: Lessons from Swedavia Airports and Sweco
Smarter Aviation Data Management: Lessons from Swedavia Airports and SwecoSafe Software Managing airport and airspace data is no small task, especially when you’re expected to deliver it in AIXM format without spending a fortune on specialized tools. But what if there was a smarter, more affordable way?
Join us for a behind-the-scenes look at how Sweco partnered with Swedavia, the Swedish airport operator, to solve this challenge using FME and Esri.
Learn how they built automated workflows to manage periodic updates, merge airspace data, and support data extracts – all while meeting strict government reporting requirements to the Civil Aviation Administration of Sweden.
Even better? Swedavia built custom services and applications that use the FME Flow REST API to trigger jobs and retrieve results – streamlining tasks like securing the quality of new surveyor data, creating permdelta and baseline representations in the AIS schema, and generating AIXM extracts from their AIS data.
To conclude, FME expert Dean Hintz will walk through a GeoBorders reading workflow and highlight recent enhancements to FME’s AIXM (Aeronautical Information Exchange Model) processing and interpretation capabilities.
Discover how airports like Swedavia are harnessing the power of FME to simplify aviation data management, and how you can too.
The Future of Product Management in AI ERA.pdf
The Future of Product Management in AI ERA.pdfAlyona Owens Hi, I’m Aly Owens, I have a special pleasure to stand here as over a decade ago I graduated from CityU as an international student with an MBA program. I enjoyed the diversity of the school, ability to work and study, the network that came with being here, and of course the price tag for students here has always been more affordable than most around.
Since then I have worked for major corporations like T-Mobile and Microsoft and many more, and I have founded a startup. I've also been teaching product management to ensure my students save time and money to get to the same level as me faster avoiding popular mistakes. Today as I’ve transitioned to teaching and focusing on the startup, I hear everybody being concerned about Ai stealing their jobs… We’ll talk about it shortly.
But before that, I want to take you back to 1997. One of my favorite movies is “Fifth Element”. It wowed me with futuristic predictions when I was a kid and I’m impressed by the number of these predictions that have already come true. Self-driving cars, video calls and smart TV, personalized ads and identity scanning. Sci-fi movies and books gave us many ideas and some are being implemented as we speak. But we often get ahead of ourselves:
Flying cars,Colonized planets, Human-like AI: not yet, Time travel, Mind-machine neural interfaces for everyone: Only in experimental stages (e.g. Neuralink).
Cyberpunk dystopias: Some vibes (neon signs + inequality + surveillance), but not total dystopia (thankfully).
On the bright side, we predict that the working hours should drop as Ai becomes our helper and there shouldn’t be a need to work 8 hours/day. Nobody knows for sure but we can require that from legislation. Instead of waiting to see what the government and billionaires come up with, I say we should design our own future.
So, we as humans, when we don’t know something - fear takes over. The same thing happened during the industrial revolution. In the Industrial Era, machines didn’t steal jobs—they transformed them but people were scared about their jobs. The AI era is making similar changes except it feels like robots will take the center stage instead of a human. First off, even when it comes to the hottest space in the military - drones, Ai does a fraction of work. AI algorithms enable real-time decision-making, obstacle avoidance, and mission optimization making drones far more autonomous and capable than traditional remote-controlled aircraft. Key technologies include computer vision for object detection, GPS-enhanced navigation, and neural networks for learning and adaptation. But guess what? There are only 2 companies right now that utilize Ai in drones to make autonomous decisions - Skydio and DJI.
You are not excused! How to avoid security blind spots on the way to production
You are not excused! How to avoid security blind spots on the way to productionMichele Leroux Bustamante
Ad
Secure web messaging in HTML5
- 1. Secure Web Messaging in HTML5 Krishna Chaitanya T Microsoft MVP, Internet Explorer @novogeek MUGH Developer Day 29th Jan, 2012
- 2. Agenda Web 2.0 Communicatio HTML5 Security A quick overview of n How the new Web Solved problems & new needs of Web 2.0 Messaging API helps new concerns Traditional data era Case study of few Mashups exchange & drawbacks Quick overview: Why there is a need for a new Reduced scope for XSS JavaScript, Ajax, specification for web based Improved trust model Understanding their Browser Sandbox, SOP, messaging, technical limitations Frames, Navigation Newer security concerns policies, Fragment Counter measures Identifier
- 3. A mashup with widgets PageFlakes.com
- 4. An interactive mashup HousingMaps.com
- 5. Embedding Remote JS Assumption - script is from trusted source No isolation of origins Runs in the context of window “A mashup is a self-inflicted XSS Has complete access to DOM attack” -Douglas Crockford, Can read & export your data Inventor of JSON No user involvement needed
- 6. Same Origin Policy Browser has to isolate different origins Origin = protocol://host:port Ex: http://bing.com, http://localhost:81/, https://icicibank.com Privileges within origin Full network access Read/Write access to DOM Storage Embedded scripts have privileges of imported page, NOT source server AJAX calls to cross domains fail due to SOP.
- 7. Demo Same Origin Policy in action!
- 8. Isolation with Frames Different security contexts for different origins Brings modularity but less interactive than embedding JS No standard communication mechanism Comply with SOP - Run remote code safely <!-- This is allowed --> <iframe src="sameDomainPage.html"> </iframe> alert(frames[0].contentDocument.body); //works fine <!-- This is **NOT** allowed --> <iframe src="http://crossDomain.com"> </iframe> alert(frames[0].contentDocument.body); //throws error
- 9. Frame Navigation Beware! Frames can be navigated to different origins! Frame-Frame relationships Can script in Frame A modify DOM of Frame B? Can Script in Frame A “navigate” or change the origin of Frame B? Frame navigation is NOT the same as SOP - often mistaken! <iframe src=“http://crossDomain.com"> </iframe> <!-- This is **NOT** allowed --> alert(frames[0].src); //throws error – SOP restriction <!-- This is allowed --> alert(frames[0].src=“http://bing.com”); //works fine - frame navigation
- 10. Cross-Window Attack! awglogin window.open("https://attacker.com/", "awglogin"); Courtesy: Stanford Web Security Lab
- 11. Same-Window attack! top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location = "http://www.attacker.com/..."; ... Courtesy: Stanford Web Security Lab
- 14. Fragment Identifier Messaging Work around before HTML5 Limited data, no acknowledgements. Navigation doesn’t reload page Not a secure channel. //Sender.html function send(){ iframe.src=“http://localhost/receiver.html#data”; } //Receiver.html window.onload=function(){ data=window.location.hash; }
- 15. HTML5 Post Message API Cross-origin client side communication Network-like channel between frames Securely abstracts multiple principals Frames can now integrate widgets with improved trust
- 16. HTML5 Post Message API Syntax: otherwindow.postMessage(message, targetOrigin); targetOrigin can be a trusted source or wild card *“*”+ //Posting message to a cross domain partner. frames[0].postMessage(“Hello Partner!”, "http://localhost:81/"); //Retrieving message from the sender window.onmessage = function (e) { if (e.origin == 'http://localhost') { //sanitize and accept data } };
- 17. Few security considerations Do not configure target origin to “*”. Sensitive data can be leaked to unknown widgets Always check for sender’s origin Client side DoS attacks can be launched Always validate data before use. Do not consume data directly with eval() or innerHTML Follow best practices of DOM based XSS prevention Eavesdropping with framing attacks! In spite of above checks, data can still be lost Ex: Recursive Mashup attack Follow frame busting techniques
- 18. Demo Playing with HTML5 Post Message API Bonus (if time permits) – Recursive Mashup Attack!
- 19. References & Reading “Secure Frame Communication in Browsers”-Adam Barth, Collin Jackson, John Mitchell-Stanford Web Security Research Lab W3C HTML5 Web Messaging Specification - http://dev.w3.org/html5/postmsg/#authors Dive into HTML5 – http://diveintohtml5.info IE9 Guide for Developers - http://msdn.microsoft.com/en- us/ie/hh410106.aspx
- 20. Thank You! http://novogeek.com | @novogeek http://mugh.net