Sunday, June 19, 2011

HTML 5 – expansion of attack surface and possible abuses

HTML 5, with its implementation across the browsers, has
given a new face to the threat model. There are various new
openings and entry points that lure an attacker into crafting
variants of existing attack vectors and successfully abusing
security. As shown in Figure 3, the several components of
HTML 5 can be divided into four segments – presentation,
process/logic, network access and policies.
• The enhanced event model, tags, attributes and a thick set
of advanced features can enable the crafting of attack
vectors like ClickJacking and XSS
• DOM and browser threads can be abused with DOM
based XSS, redirects, widgets/mashup attacks
• Storage and WebSQL can be exploited by poisoning or
stealing their contents
• WebSockets, XHR and other sockets can be abused too
• Same Origin Policy (SOP) can be attacked with CSRF
using various streams
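
The last two items can be checked for on the server side. As an added example (not from the original article), the Node.js function below rejects state-changing requests and WebSocket handshakes whose Origin is not on an exact-match allowlist. The origin `https://app.example.com`, the function names and all sample headers are constructed for illustration.

```javascript
'use strict';
// Added example: origin allowlist and sample requests are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Header names are case-insensitive; normalise them to lower case.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Reduce an Origin or Referer value to scheme://host[:port], or null.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null; // missing, "null" (sandboxed frame) or malformed
  }
}

// Decide whether a request may change state or open a socket.
function checkRequest(method, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const isWsUpgrade = String(h.upgrade || '').toLowerCase() === 'websocket';
  // A WebSocket handshake is a GET, but it opens a channel that carries
  // the user's cookies and is not restricted by SOP, so it is checked too.
  if (SAFE_METHODS.has(method.toUpperCase()) && !isWsUpgrade) {
    return { allow: true, reason: 'safe method' };
  }
  // Prefer Origin; fall back to Referer only when Origin is absent.
  const source = h.origin !== undefined ? h.origin : h.referer;
  const origin = originOf(source);
  if (origin === null) return { allow: false, reason: 'no usable origin' };
  // Exact match only: prefix or substring tests accept look-alike hosts.
  if (!ALLOWED_ORIGINS.has(origin)) return { allow: false, reason: 'foreign origin' };
  return { allow: true, reason: 'allowed origin' };
}

// Constructed requests: [method, headers]
const SAMPLES = [
  ['POST', { Origin: 'https://app.example.com' }],
  ['POST', { Origin: 'https://app.example.com.evil.test' }],
  ['GET', { Upgrade: 'websocket', Origin: 'https://other.test' }],
  ['POST', { Referer: 'https://app.example.com/settings' }],
];
for (const [m, hdrs] of SAMPLES) {
  console.log(m, JSON.stringify(hdrs), '->', checkRequest(m, hdrs).allow);
}
```
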
Based on the above threat model and attack surface
synopsis, the following are some interesting attack vectors.
HITB Magazine | JUNE 2011
