Hi! > 1.ClickJacking& Phishing by mixing layers and iframe We can code grep plugin to detect such flaws. Logic is very simple - if response is text_or_html and hasn't X-Frame-Options header then we can consider that such response is vulnerable to framing -> ClickJacking [0]. I know about frame breaking scripts but, imho, currently this header is the best solution.
> 2.CSRF and leveraging CORS to bypasses SOP (demo) ? > 3.Attacking WebSQL and client side SQL injection To detect WebSQL injection we need at least built-in JavaScript engine. > 4.Stealing information from Storage and Global variables It is result of XSS attack which we can detect. > 5.HTML5 tag abuse and XSS ? > 6.HTML5 and DOM based XSS and redirects We have domXSS plugin. It is not very smart but it can find some sorts of DOM based XSS flaws. > 7.DOM injections and Hijacking with HTML 5 > 8.Abusing thick client features > 9.Using WebSockets for stealth attacks > 10.Abusing WebWorker functionality The most part of these is post exploitation of XSS attack, isn't it? BTW, you can read also translation of my paper about HTML5 risks [1] [0] https://www.owasp.org/index.php/Clickjacking [1] http://translate.google.com/translate?sl=ru&tl=en&u=http://oxdef.info/papers/html5/index.html&act=url > this is what I am asking for ! > On Sun, Mar 18, 2012 at 9:53 PM, Andres > Riancho<[email protected]>wrote: > >> 孙松柏, >> >> On Sun, Mar 18, 2012 at 4:26 AM, 孙松柏<[email protected]> wrote: >>> hi everyone >>> >>> I recently notice that HTML5 has a lot of new features and bring a lot of >>> vulnerability! >> >> Could you please name the HTML5 vulnerability you want w3af to identify? >> >>> My question is : is there a module or some modules that w3af can detect >> that >>> ? >>> -- >>> FIT1-213 >>> Department of Computer Science >>> Tsinghua University, Beijing, 100084 >>> http://about.me/anakin/bio >>> >>> >> ------------------------------------------------------------------------------ >>> This SF email is sponsosred by: >>> Try Windows Azure free for 90 days Click Here >>> http://p.sf.net/sfu/sfd2d-msazure >>> _______________________________________________ >>> W3af-users mailing list >>> [email protected] >>> https://lists.sourceforge.net/lists/listinfo/w3af-users >>> >> >> >> >> -- >> Andrés Riancho >> Director of Web Security at Rapid7 LLC >> Founder at Bonsai Information Security >> Project Leader at w3af >> > > > > > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > > > > _______________________________________________ > W3af-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/w3af-users -- Taras http://oxdef.info ------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
