Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.


1 Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu

2 1. Introduction of HTML: HTML is the standard markup language used to create web pages. HTML is written in the form of HTML elements consisting of tags enclosed in angle brackets. HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive forms.

3 2. Something about HTML5: HTML5 adds many new syntactic features. These include the new, and elements, as well as the integration of scalable vector graphics (SVG) content (replacing generic tags) and MathML for mathematical formulas. We can check whether there is in the source code to distinguish HTML5 from HTML4.

4 3. HTML5 common attack methods. (1) CORS attack: Cross-origin resource sharing (CORS) defines a way in which the browser and the server interact to determine whether to allow a cross-origin request. The browser sends the request with an Origin HTTP header, which could be faked. The third party could be hacked …

5 (2) WebStorage attack: The LocalStorage API is provided by JavaScript, so attackers can steal information through XSS, for example users' tokens and personal information. Attackers can also steal information by scanning the global variables. Web app bug: if the web app has XSS bugs, it is very easy to leak the local database.

6 (3) WebWorker attack. Botnet: includes DDoS attacks, sending junk mail, and network sniffing. PostMessage problem: a WebWorker cannot access the DOM; it can only communicate with the host page through the postMessage API. So if postMessage can receive information from any source, the current webpage could be attacked easily. Moreover, postMessage does not pass through the server, so if there is no verification it may become an XSS injection point.
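The postMessage problem above, as an added example that is not part of the slides: a cross-document message handler that trusts every sender and writes the payload as HTML, beside a hardened handler that checks event.origin against an assumed trusted origin (https://app.example) and returns plain text for textContent. The origin check applies to window-to-window messages; a dedicated worker's messages carry an empty origin, so a worker-hosting page must still validate the payload shape. The sample events are constructed inline so the block runs under Node without a browser.

```javascript
// Assumed origin of the legitimate host page (placeholder, not from the slides).
const TRUSTED_ORIGIN = 'https://app.example';

// Vulnerable pattern described on the slide: any window may post a message,
// nothing is verified, and the payload is returned as HTML to be inserted
// with innerHTML. Attacker-controlled markup then lands in the page (XSS).
function handleMessageUnsafe(event) {
  return { accepted: true, html: String(event.data) };
}

// Hardened pattern: reject messages from any origin other than the expected
// host, require a structured payload, and hand back text (not HTML) so the
// caller can set it via textContent. Reasons are returned for logging.
function handleMessageSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: 'untrusted origin: ' + event.origin };
  }
  const d = event.data;
  if (typeof d !== 'object' || d === null || typeof d.text !== 'string') {
    return { accepted: false, reason: 'unexpected payload shape' };
  }
  return { accepted: true, text: d.text };
}

// Browser wiring (skipped under Node). The sender side should likewise pass an
// explicit targetOrigin to postMessage instead of '*'.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleMessageSafe(event);
    if (result.accepted) {
      document.getElementById('status').textContent = result.text;
    } else {
      console.warn('dropped postMessage:', result.reason);
    }
  });
}

// Constructed sample messages: one from the legitimate host, one from an
// arbitrary third-party page carrying markup instead of the expected object.
const SAMPLE_MESSAGES = [
  { origin: 'https://app.example', data: { text: 'job finished' } },
  { origin: 'https://third-party.example', data: '<b>injected markup</b>' },
];

// Count how many of the samples each handler would let through.
function countAccepted(handler, events) {
  return events.filter((e) => handler(e).accepted).length;
}
```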

7 (4) WebSQL attack. SQL injection: similar to a local database, attackers can attack the database through a SQL injection point.

8 (5) ClickJacking attack. Click Jacking: make the webpage seem safe and trap users into clicking content on the website in order to steal users' private information. Cookie Jacking: when users drag the mouse, users' information is sent from one area to another.

9 4. What are we going to do: We will gain a better understanding of common leaks and bugs in website back-end programs; estimate a website's security level with respect to these leaks and bugs (such as Twiki :p); try to provide some suggestions to improve the website's security; and finally provide a security report.


11 THANK YOU!

