Abusing HTML5

Presented at DEF CON 19 (2011), Aug. 6, 2011, 3 p.m. (50 minutes)

The spike of i{Phone, Pod Touch, Pad}, Android, and other mobile devices that do not support Flash has spurred the growth and interest in HTML5, even though the standard is still evolving. The power of HTML5 allows developers to create almost full-fledged web applications, not just structured content. HTML5's new features has increased the attack surface. It has been demonstrated that the HTML5 offline application cache can be abused. In addition, the support for client-side storage will open up the opportunity for SQL injection attack on client machines. There has been chatter regarding the new attack opportunities that the <audio>, <video&gt, and <canvas> tags will present, considering they require JavaScript and image-related functions such as SVG. This presentation will demonstrate the issues of HTML5 and how they can be abused and mitigated with good-old techniques. This presentation will also delve into the writing malicious web pages with web workers, abusing cross-origin JavaScript requests, how not to do cross-document messaging, and abusing geolocation.

Presenters:

• Ming Chow - Lecturer, Tufts University Department of Computer Science
  Ming Chow is a Lecturer at the Tufts University Department of Computer Science. His areas of interests are computer security, game development, web application security, and Computer Science in Education. He was also a web application developer for ten years at Harvard University for University Operations Services. Ming co-edited a special issue of IEEE Security & Privacy on securing online games with Gary McGraw of Cigital, Inc. published in May 2009. Ming is a frequent guest speaker and have spoke at numerous organizations, including the New England Chapter of the High Technology Crime Investigation Association (HTCIA-NE), the Greater Boston Chapter of the Association of Certified Fraud Examiners (ACFE), the Massachusetts Office of the Attorney General (AGO), and OWASP. Ming mentored a team of students from Tufts to the Microsoft Imagine Cup Game Design Competition US Finals in 2010. Finally, Ming is a SANS GIAC Certified Incident Handler (GCIH). Twitter: tufts_cs_mchow

Links:

• https://defcon.org/html/defcon-19/dc-19-speakers.html#Chow
• https://infocon.org/cons/DEF CON/DEF CON 19/DEF CON 19 video and slides/DEF CON 19 - Ming Chow - Abusing HTML5 - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=2pvwQ1Och9o

Similar Presentations:

• DerbyCon 2.0 Reunion (2012) / SH5ARK ATTACK- taking a byte out of HTML5!
• Black Hat USA 2012 / HTML5 Top 10 Threats - Stealth Attacks and Silent Exploits
• DeepSec 2013 „Secrets, Failures, and Visions“ / Relax Everybody: HTML5 Is Securer Than You Think