Black Hat //Webcast 25

Attacking with HTML5
// Lavakumar Kuppan

thursday, december 16, 2010

1100 HRS PST/ 1400 HRS EST • FREE

Register now and receive $250 off of new Black Hat DC 2011 Registration see details below.

Register Now


Attacking with HTML5 - White Paper

Attacking with HTML5 - Presentation


HTML5 is a set of powerful features aimed at moving the web applications closer to existing desktop applications in terms of user experience and features. HTML5 is no more just the technology of the future as many believe; it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.

Web developers and users assume that just because their site does not implement any HTML5 features they are unaffected. Also a large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing 'HTML4' sites can be attacked using HTML5 features in a number of interesting ways. Then we look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally we look at an attack where the attacker is not interested in the victim's data or a shell on the machine but is instead after something that might perhaps even be legal to steal!


Lavakumar Kuppan is a security researcher interested in identifying new types of vulnerabilities and attacks. His works are published on the Attack and Defense Labs website which he runs along with fellow researcher Manish Saindane. His recent works have been browser-related and he is particularly interested in emerging technologies like HTML5. He maintains an online HTML5 Security Guide and has contributed to the HTML5 Security CheatSheet project with articles on COR and Web SQL Database security. Lavakumar has spoken at multiple conferences including OWASP AppSec Asia and is also the author of tools like "Imposter" and "Shell of the Future."

sponsor guest:

Mike Shema, Sr. Security Engineer, Qualys, Inc. Author of Seven Deadliest Web Attacks and co-author of Hacking Exposed: Web Applications.

Mike Shema develops web application security solutions at Qualys, Inc. His current work is focused on an automated web assessment service. Mike previously worked as a security consultant and trainer for Foundstone where he conducted information security assessments across a range of industries and technologies. His security background ranges from network penetration testing, wireless security, code review, and web security. He is the co-author of Hacking Exposed: Web Applications, The Anti-Hacker Toolkit and the author of Hack Notes: Web Application Security. In addition to writing, Mike has presented at security conferences in the U.S., Europe, and Asia.


Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures.

The QualysGuard® service is used today by more than 4,000 organizations in 85 countries, including 42 of the Fortune Global 100 and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company.

Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, NTT, SecureWorks, Symantec, Tata Communications and TELUS. For more information, please visit: