Attacking with HTML5 presented at BlackHatAbuDhabi 2010

by Lavakumar Kuppan,


Summary : HTML5 is a set of powerful features aimed at moving the web applications closer to existing desktop applications in terms of user experience and features. HTML5 is no more just the technology of the future as many believe, it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.
Web developers and users assume that just because their site does not implement any HTML5 features they are unaffected. Also a large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.
This presentation will show how existing 'HTML4' sites can be attacked using HTML5 features in a number of interesting ways. Then we look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally we look at an attack where the attacker is not interested in the victim's data or a shell on the machine but is instead after something that might perhaps even be legal to steal!