HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS.
This presentation provides an overview of WebSockets. How they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework.
It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.
Sergey Shekyan is a Senior Software Engineer for Qualys, where he is focused on development of the company's on demand web application scanning service. With more than 10 years of experience in software design, development, testing and documentation, Sergey has contributed key product enhancements and software modules to various companies. Prior to Qualys, he designed and implemented a web-based system for general aviation pilots. As a senior software engineer for Navis, he contributed to projects involving development of container terminal operating systems (TOS) simulation software. He also designed and developed data analysis software modules for Virage Logic, a provider of semiconductor IP for the design of complex integrated circuits. Prior to working at Virage Logic, he developed manufacturing test program generation software for Credence Systems Corporation. Sergey holds both Masters and BS Degrees in Computer Engineering from the State Engineering University of Armenia. Twitter: @sshekyan
Developer for Qualys's Web Application Scanner. Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include Web Design, Photography, and Ironman Triathlons.