
For up to the minute updates on HITB2012KUL, please follow our @hitbsecconf Twitter stream or join our Facebook Group

SHREERAJ SHAH (Founder, Blueinfy)

PRESENTATION TITLE: XSS & CSRF strike back – Powered by HTML5

PRESENTATION ABSTRACT: 

HTML5 has empowered the browser with a number of new features and functionalities. Browsers built on this new architecture include XMLHttpRequest Level 2, Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform, a small operating system in its own right, and its attack surface has expanded significantly. Applications developed on this architecture are exposed to an interesting set of vulnerabilities and exploits: traditional vulnerabilities like CSRF and XSS strike back, powered by HTML5. This paper covers the following new attack vectors and variants of XSS and CSRF:

  • HTML5 driven CSRF with XMLHttpRequest (Level 2)

  • CSRF with two way attack stream

  • Cross Site Response Extraction attacks using CSRF

  • Cross-Origin Resource Sharing (CORS) policy hacking and CSRF injections

  • DOM based XSS with HTML5 applications

  • Exploiting HTML5 tags, attributes and events

  • DOM variable extraction with XSS

  • Exploiting Storage, File System and WebSQL with HTML5 XSS

  • Layered XSS and making it sticky with HTML5 based iframe sandbox

  • Jacking with HTML5 tags and features

The session covers new methodology and tools along with real-life cases and demonstrations, and closes with defense methodologies for securing HTML5 applications.

ABOUT SHREERAJ SHAH

Shreeraj Shah (B.E., MSCS, MBA, CSSLP) is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books including Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS, and he has been quoted as an expert by BBC, Dark Reading and Bank Technology.


Copyright © 2012 Hack In The Box | http://www.hackinthebox.org