Monday, November 8, 2010

HTML5 goodness at BlackHat Abu Dhabi this week

Just three more days to go for my 'Attacking with HTML5' talk at BlackHat Abu Dhabi. In addition to covering some of the interesting HTML5 attacks already released during 2010 by myself and other researchers, it has two new sections - HTML5 based port scanning and HTML5 Botnets. I would be talking about a new way to perform JavaScript based port scans that gives very accurate results. How accurate? you can determine if the remote port is open/closed/filtered - that accurate. I am also going to release a tool called JSRecon that would perform port and network scans by using these techniques. Under HTML5 botnets I am going to talk about how you could send spam mails, perform a DDoS attack on a website and perform distributed cracking of hashes at incredible speeds - all using JavaScript. I am also going to release Ravan - a web based tool to perform distributed cracking of hashes in a legitimate way. I am pretty happy with the way Ravan has shaped up and am very excited to see how folks react to it. Initial reactions have been good. The whole point of the talk is that I am NOT bypassing any of the restrictions placed by the browser sandbox but instead am working well inside those restrictions - its just that the sandbox has got a whole lot looser :)

The tools and details would be online next week when I am back from Abu Dhabi. Stay tuned!

13 comments:

  1. Sounds like some interesting stuff, i'll be waiting for how it goes! good luck!

    ReplyDelete
  2. Thanks guys :)

    JS-Recon is already online. Ravan is going to be online next week!

    ReplyDelete
  3. @anon
    The slides and whitepaper would be online next week, after ClubHack is over.

    ReplyDelete
  4. never mind, found them

    ReplyDelete
  5. Sorry anon, I am making some updates to the slides hence the delay.
    The original version of the whitepaper and slides are at - http://blackhat.com/html/bh-ad-10/bh-ad-10-archives.html#Kuppan
    Once the updates are made I will put them up here.

    ReplyDelete
  6. Lava,

    Nice brief today thanks. How big of a threat is this to mobile banking apps? I would say huge, but mobile threats are already there.

    V/R,
    Don

    ReplyDelete
  7. @don

    That's a good question. HTML5 has much wider adoption in mobile browsers than in desktop browsers. I haven't analysed any HTML5 mobile apps yet so I wouldn't know for sure but they would be more affected by things mentioned here - http://www.andlabs.org/html5.html

    ReplyDelete
  8. Hay Lava:

    I want the following info from you
    I am currently working on Javascript obfuscators
    I found 3 good obfuscators

    Do u have any idea on JavaScript De-obfuscators ?
    Any hands on with that ?
    Also can u give me ur mobile number - in terms of Web Apps I have some questions for u

    Regards
    Raghu

    ReplyDelete
  9. @Raghu
    For JS obfuscation take a look at http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049.
    Probably the best resource available right now.

    You can mail me your other questions, my ID is in the 'About' section.

    ReplyDelete