"HTML5 Security" - Link- und Literaturverzeichnis

Dipl.-Inform. Carsten Eilers

"HTML5 Security" - Link- und Literaturverzeichnis

Kapitel 1: XSS, JavaScript & Co.

  1. Klein, Amit: "DOM Based Cross Site Scripting or XSS of the Third Kind"
  2. OWASP ESAPI for JavaScript
  3. Rootkits in your Web application
  4. XSS (Cross-Site-Scripting) Cheat Sheet
    New Version of the XSS Cheat Sheet
  5. HTML5 Security Cheat Sheet (auch auf Google Code)
  6. The W3C Markup Validation Service
  7. McArdle, Robert: "HTML5 Overview: A look at HTML5 Attack Scenarios" (PDF)
    McArdle, Robert: "HTML5 – The Good"
    McArdle, Robert: "HTML5 – The Bad"
  8. Grossman, Jeremiah: "I know who your name, where you work, and live" (Safari v4 & v5)
  9. Kuppan, Lavakumar: "Stealing entire Auto-Complete data in Google Chrome"
  10. Web Workers
  11. Kuppan, Lavakumar: "Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers"
  12. McArdle, Robert: "HTML5 – The Ugly"
  13. HTML5: 4.8.2 The iframe element www.w3.org und www.whatwg.org
  14. Chromium Blog: Security in Depth: HTML5's @sandbox

Kapitel 2: Kommunikation in HTML5

  1. W3C: Cross Origin Resource Sharing
  2. HTML5 Security Cheatsheet: Cross Origin Request Security
  3. Carsten Eilers: "About Security #133: XSS-Angriffe (3): JavaScript Ping & Co."
    Carsten Eilers: "About Security #134: XSS-Angriffe (4): JavaScript Portscan"
    Carsten Eilers: "About Security #135: XSS-Angriffe (5): JavaScript Portscan vorbereiten"
  4. Attack and Defense Labs: Port Scanning with HTML5 and JS-Recon
  5. Attack and Defense Labs: JS-Recon
    JS-Recon – HTML5 based JavaScript Network Reconnaissance Tool
  6. Lavakumar Kuppan: "Attacking with HTML5"
  7. HTML5: 8.2.3 Posting Messages
  8. Web-Notifications
  9. RFC 6455 – The WebSocket Protocol
  10. The WebSocket API
  11. Adam Barth: "Experiment comparing Upgrade and CONNECT Handshakes"
  12. RFC 6454 – The Web Origin Concept

Kapitel 3: Lokale Speichermöglichkeiten

  1. Web Storage
  2. Web SQL Database
  3. HTML5 Security Cheatsheet: Web SQL Database Security
  4. OWASP ESAPI for JavaScript
  5. Kuppan, Lavakumar: "Chrome and Safari users open to stealth HTML5 AppCache attack"

Kapitel 4: Clickjacking

  1. Robert Hansen, Jeremiah Grossman: "Clickjacking"
  2. Guy Aharonovsky: "Malicious camera spying using ClickJacking"
  3. Guy Aharonovsky: "Camera ClickJacking – The Game"
  4. Elie Bursztein, Dan Boneh, Collin Jackson: Busting Frame Busting – a Study of Clickjacking Vulnerabilities on Popular Sites (PDF)
  5. Dr. Giles Hogben, Dr. Marnix Dekker (Hrsg.), European Network and Information Security Agency (ENISA): "A Security Analysis of Next Generation Web Standards"
  6. Eric Lawrence: "IE8 Security Part VII: ClickJacking Defenses"
  7. Eric Lawrence: "Combating ClickJacking With X-Frame Options"
  8. Mozilla Developer Network: The X-Frame Options Response Header
  9. Chromium Blog: Security in Depth: New Security Features
  10. About the Security Content of Safari 4.0
  11. Web Specifications Support in Opera Presto 2.6
  12. Giorgio Maone: "Hello ClearClick, Goodbye Clickjacking!"
  13. Graham Cluley: "Viral Clickjacking 'Like' worm hits Facebook Users"
  14. Richard Cohen: "Facebook Worm – Likejacking"
  15. Paul Stone: "Next Generation Clickjacking"
  16. Paul Stone: "Clickjacking Paper – Black Hat 2010"
  17. Paul Stone: "Clickjacking Tool"
  18. Rosario Valotta: "UI redressing Attacks"
  19. Rosario Valotta: "CookieJacking" und PDF
  20. Rosario Valotta: "CookieJacking FAQ"
  21. Jim Finkle: "Microsoft latest Security Risk: Cookiejacking"