AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Back To Schedule
Wednesday, June 25 • 14:40 - 15:30
Relax everybody, HTML5 is much securer than you think

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has lead to a general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is highly unfortunate, as the current generation of new Web APIs expose a level of security sophistication, which is unparalleled in the Web's history. In fact, new browser features such as CORS or PostMessage allow, for the first time, to securely realize usecases which, up to now, required the programmers to resort to insecure programming practices. 

In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases. 

Plainly speaking you can consider this talk as a "information security deathmatch - HTML5 vs. its alternative" (spoiler: HTML5 wins). 

More specifically, the talk will cover: 

# Client-side cross-domain communication: 

- CORS (HTML5) vs. JSONP and/or crossdomain.xml 

# Client-side persistence 

- LocalStorage (HTML5) vs. Cookie-hacks 

# In-browser communication 

- PostMessage (HTML5) vs. 
-- hash-identifier passing and/or 
-- window.name setting and/or 
-- domain relaxation 

# ClickJacking protection 

- X-Frames-Options (HTML5) vs. JavaScript framebusters 

# Bonus track: The browser's new security capabilities 

A quick overview of new browser features that can be used to secure Web sites: 

- Content Security Policies 
- Sandboxed iFrames 
- Strict-transport Security 

The session's content is based on the experiences and lessons learned of a international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed with empirical data (when applicable). Furthermore, all discussed technologies can be accompanied with proof-of-concept code or practical demonstrations (if time permits). 

avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the... Read More →

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.  Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc.  He... Read More →

Wednesday June 25, 2014 14:40 - 15:30 BST

Attendees (0)