Abusing HTML5 permissions on browsers

Seminar Project


Introduction

The “clickjacking” attack provides an evil page or a way to trick into performing undesired actions such as deleting or posting a message on another website by clicking on a concealed link. Moreover, This attack can trick users to expose their credentials while they believe they are typing their sensitive information, but are instead of typing into an invisible frame controlled by the attacker. This can be achieved by a carefully crafted combination of stylesheets, iframes, and text boxes. This vulnerability has been found on many popular websites including Twitter, Facebook, Gmail, Paypal, and other sites.

Problem

Frequently, websites which are designed insecurely are the main targets of this attack. However, HTML5 permissions on browsers have this potential to be abused by deceiving users into clicking and allowing a specific API. For instance, if a user unintentionally allows a browser to access his webcam or microphone, this would cause an enormous privacy concern.

Steps

  • A literature review of previous vulnerabilities
  • Testing different browsers on desktop, tablet, and mobile
  • Extracting different features of each browser
  • Constructing a simple javascript scenario and adjusting it for different browsers.



Contact

Mohammadreza Hazhirpasand


Last changed by scg on 13 September 2018