"HTML5 Security" - Link- und Literaturverzeichnis
Dipl.-Inform. Carsten Eilers
"HTML5 Security" - Link- und Literaturverzeichnis
Chapter 1: XSS, JavaScript & Co.
- Klein, Amit: "DOM Based Cross Site Scripting or XSS of the Third Kind"
- OWASP ESAPI for JavaScript
- Rootkits in your Web application
- XSS (Cross-Site-Scripting) Cheat Sheet
  New Version of the XSS Cheat Sheet
- HTML5 Security Cheat Sheet (also on Google Code)
- The W3C Markup Validation Service
- McArdle, Robert: "HTML5 Overview: A look at HTML5 Attack Scenarios" (PDF)
  McArdle, Robert: "HTML5 – The Good"
  McArdle, Robert: "HTML5 – The Bad"
- Grossman, Jeremiah: "I know who your name, where you work, and live" (Safari v4 & v5)
- Kuppan, Lavakumar: "Stealing entire Auto-Complete data in Google Chrome"
- Web Workers
- Kuppan, Lavakumar: "Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers"
- McArdle, Robert: "HTML5 – The Ugly"
- HTML5: 4.8.2 The iframe element (www.w3.org and www.whatwg.org)
- Chromium Blog: Security in Depth: HTML5's @sandbox
Chapter 2: Communication in HTML5
- W3C: Cross Origin Resource Sharing
- HTML5 Security Cheatsheet: Cross Origin Request Security
- Carsten Eilers: "About Security #133: XSS-Angriffe (3): JavaScript Ping & Co."
  Carsten Eilers: "About Security #134: XSS-Angriffe (4): JavaScript Portscan"
  Carsten Eilers: "About Security #135: XSS-Angriffe (5): JavaScript Portscan vorbereiten"
- Attack and Defense Labs: Port Scanning with HTML5 and JS-Recon
- Attack and Defense Labs: JS-Recon
  JS-Recon – HTML5 based JavaScript Network Reconnaissance Tool
- Lavakumar Kuppan: "Attacking with HTML5"
- HTML5: 8.2.3 Posting Messages
- Web-Notifications
- RFC 6455 – The WebSocket Protocol
- The WebSocket API
- Adam Barth: "Experiment comparing Upgrade and CONNECT Handshakes"
- RFC 6454 – The Web Origin Concept
Chapter 3: Local Storage Options
- Web Storage
- Web SQL Database
- HTML5 Security Cheatsheet: Web SQL Database Security
- OWASP ESAPI for JavaScript
- Kuppan, Lavakumar: "Chrome and Safari users open to stealth HTML5 AppCache attack"
Chapter 4: Clickjacking
- Robert Hansen, Jeremiah Grossman: "Clickjacking"
- Guy Aharonovsky: "Malicious camera spying using ClickJacking"
- Guy Aharonovsky: "Camera ClickJacking – The Game"
- Elie Bursztein, Dan Boneh, Collin Jackson: "Busting Frame Busting – a Study of Clickjacking Vulnerabilities on Popular Sites" (PDF)
- Dr. Giles Hogben, Dr. Marnix Dekker (eds.), European Network and Information Security Agency (ENISA): "A Security Analysis of Next Generation Web Standards"
- Eric Lawrence: "IE8 Security Part VII: ClickJacking Defenses"
- Eric Lawrence: "Combating ClickJacking With X-Frame Options"
- Mozilla Developer Network: The X-Frame Options Response Header
- Chromium Blog: Security in Depth: New Security Features
- About the Security Content of Safari 4.0
- Web Specifications Support in Opera Presto 2.6
- Giorgio Maone: "Hello ClearClick, Goodbye Clickjacking!"
- Graham Cluley: "Viral Clickjacking 'Like' worm hits Facebook Users"
- Richard Cohen: "Facebook Worm – Likejacking"
- Paul Stone: "Next Generation Clickjacking"
- Paul Stone: "Clickjacking Paper – Black Hat 2010"
- Paul Stone: "Clickjacking Tool"
- Rosario Valotta: "UI redressing Attacks"
- Rosario Valotta: "CookieJacking"
und
PDF
- Rosario Valotta: "CookieJacking FAQ"
- Jim Finkle: "Microsoft latest Security Risk: Cookiejacking"