Hacking with WebSockets

Presented at AppSec USA 2012, Oct. 25, 2012, 2 p.m. (45 minutes).

HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS. This presentation provides an overview of WebSockets: How they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework. It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.

Presenters:

• Vaagn Toukharian - Senior Software Engineer - Qualys
  Senior Software Engineer for Qualys's Web Application Scanner. Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include IronMan triathlons and photography.

Links:

• Con Page
• Infocon Video

Similar Presentations:

• ToorCon San Diego 14 (2012) / Hacking with WebSockets
• DerbyCon 9.0 Finish Line (2019) / Old Tools, New Tricks: Hacking WebSockets
• Black Hat USA 2012 / Hacking with WebSockets