110 likes | 244 Views
Happy Hacking HTML5!. Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu. 1. Introduction of HTML. HTML is the standard markup language used to create web pages
E N D
HappyHacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu
1. Introduction of HTML • HTML is the standard markup language used to create web pages • HTML is written in the form of HTML elements consisting of tags enclosed in angle brackets • HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive form
2. Something about HTML5 • HTML5 adds many new syntactic features. These include the new <video>, <audio> and <canvas> elements, as well as the integration of scalable vector graphics (SVG) content (replacing generic <object> tags), and MathML for mathematical formulas • We can check out whether there is <!DOCTYPE html> in the source code to distinguish HTML5 from HTML4
3. HTML5 common attack method • CORS attack • Cross-origin resource sharing (CORS) defines a way in which the browser and the server can interact to determine whether allow the cross-origin request • The browser sends the request with an original HTTP header which could be faked • The third party could be hacked • …
(2)WebStorage attack • The API of LocalStorage are provided by Javascript, so attackers can steal information through XSS. For example users’ token and information. • Attackers can also steal information from scanning the global variables. • Web app bug If Web App has XSS bugs, it’s very easy to leak the local database.
(3) Webworkerattack • Botnet Include DDos attack, sending junk mail, network sniffing. • PostMessage problem Webworkercannot access to DOM, it can only communicate with host through postMessageAPI. So if postMessage can receive information from any source, the current webpage could be attacked easily. Moreover, postmessage doesn’t pass the server, if there doesn’t have a verification, it may become a injection point of XSS.
(4) WebSQL attack • SQL injection Similar to the local database, attackers can attack database through SQL injection point.
(5) ClickJacking attack • Click Jacking Make the webpage seem to be safe and trap users to click the content on the website in order to steal users’ private information. • Cookie Jacking When users dragging the mouse, users’ information will be sent from one area to another area.
4. What are we going to do • We will have a better understanding about common leaks and bugs in the website background program • Estimate website’s security level with the leaks and bugs (such as Twiki:p) • Try to provide some suggestion to improve website’s security • Finally provide a security report
5. Reference (1) http://blog.csdn.net/hfahe/article/details/7961618 (2) http://blog.csdn.net/hfahe/article/details/7961566 (3) http://blog.csdn.net/hfahe/article/details/8049414 (4) http://blog.csdn.net/hfahe/article/details/8104263 (5) http://blog.csdn.net/hfahe/article/details/8138728 (6) http://en.wikipedia.org/wiki/Web_SQL_Database (7) http://en.wikipedia.org/wiki/XSS