Modern iframe programming

Jun 11, 2011Download as KEY, PDF29 likes13,224 views

This document discusses using iframes for various purposes such as sandboxing code from different domains or versions, asynchronous script loading, and cross-domain communication. It describes how iframes can execute code in a clean JavaScript environment isolated from the parent window. It also explains techniques like postMessage for communication between frames and using iframes with JSONP or document.domain to enable cross-domain requests and property access. The document provides examples of libraries that sandbox code in iframes like Twitter's @anywhere widget and the hiro.js testing framework.

who invited this guy?

• name’s ben
• strange last name
• work at disqus
• hail from toronto

disqus?

• dis·cuss • dĭ-skŭs'
• third-party commenting platform
• served on a bajillion sites
• we use our fair share of iframes

frames

• introduced in netscape navigator
2.0 (1996)

• standardized in html 4
• frameset, frame, noframes
• ... but obsolete in html5 (!)

iframes

• introduced in internet explorer 4.0
(1997)

• “inline” frame
• not going anywhere (part of html5
spec)

“src-less” frames

• separate window, DOM environment
• property access from parent
• contents load independently

default objects

• undeﬁned
• window
• JSON
• #toString
• #indexOf

default objects

• they can be modiﬁed - by anyone
• often in incompatible ways
• painful for third-party scripts

sandboxing

• instead of taking objects/code out
of an iframe, put it inside

• execute in clean js environment
• no global state leak

twitter @anywhere

• twitter widget library
• supports multiple lib versions/
instances per page

• each version is sandboxed in a
separate iframe

dev.twitter.com/anywhere

hiro.js

• unit testing lib
• each test suite runs in a new iframe
• optional: seed global environment

http://hirojs.com

remember ...

• stuff inside an iframe loads
asynchronously

• Souders says so!
• still slower than other methods
(script append, xhr)

document.write

• sometimes necessary evil
• doesn’t work with async scripts
• “you’ll overwrite the whole page!”

doc.write w/ iframes

• tiny, synchronous outer script
(outer.js)

• outer.js doc.writes an iframe, and
loads inner.js from inside

• inner.js can doc.write all it wants;
iframe contents load async

google adsense

http://bit.ly/google-iframe-async

cross-domain ajax

• it doesn’t work
• affects subdomains too
• www.example.com can’t reach
api.example.com, or vice versa

JSONP

• script tag element bypasses
same-origin policy

• but restricted to GET requests
• also, difficult to cache

xd tunnels

• host page creates iframe that points
to url on target domain

• iframe can freely make xhr requests
• host page initiates requests through
iframe

xd tunnels

foo.com

bar.com/ xhr
tunnel.html
bar.com/api

another wall

• how does host page communicate
with iframe?

• same-origin policy prevents direct
access

• window messaging apis are the
solution

iframe messaging

• postMessage (HTML5)
• window.name
• url fragments
• ﬂash
• catch ‘em all: easyXDM

iframe messaging
= another talk

http://bit.ly/cross-domain-barrier

subdomain tunnel
• less complicated
• property access is possible!
• document.domain
• host and iframe must both declare
common document.domain, then
they can access each other’s props

downsides :(

• have to wait for tunnel to load
• extra requests, bandwidth
• is there a better way?

JSONPI
json + padding + iframes

(aka my awful attempt to coin something)

iframe POST
• create an iframe
• create a form
• set form’s target=”...” attribute to
point to iframe

• submit the form
• response loads in iframe body

JSONPI
• use iframe POST
• like jsonp: pass a callback fn
• in response body, set common
document.domain

• js running in iframe can execute
callback fn in parent window

thanks!

• @bentlegen
• we’re looking for js engineers!
disqus.com/jobs

• slides, sample code on github

HTML5 is great. Everyone thinks so. You just can't wait until the web has enough support for it, right? Well, there are plenty of tools you can use to make that dream a reality. Learn how to build on the HTML5 stack without looking behind your back the whole time. Modernizr provides the ideology behind doing this. Yepnope (Modernizr.load) provides the means for making it fast, and the polyfills do all the hard work to make your app consistent and beautiful... today.

Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru

This document introduces PhishLulz, a framework for automating phishing campaigns. It describes tools included in PhishLulz like FindResources.rb for discovering subdomains and MailBoxBug.rb for automating the extraction of emails from harvested webmail credentials. The document advocates for phishing as an effective technique due to human ignorance and technical weaknesses, and emphasizes the importance of speed once access is obtained. Use of PhishLulz is demonstrated to provide automated and reusable tools for many phases of phishing operations.

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz

Krzysztof Kotowicz gave a talk at Hack in Paris in June 2014 about lessons learned from trusting JavaScript cryptography. He discussed the history of skepticism around JS crypto due to language weaknesses like implicit type coercion and lack of exceptions. He then analyzed real-world vulnerabilities in JS crypto libraries like Cryptocat that exploited these issues, as well as web-specific issues like cross-site scripting. Finally, he argued that while the JS language has flaws, developers can still implement crypto securely through practices like strict mode, type checking, and defense-in-depth against web vulnerabilities.

TxjsBrian LeRoux

Buried by time, dust and BeEFMichele Orru

Slides of my talk at RuxCon 2013: For those who do not listen Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you. You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer on 0 or 1 bits depending if the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not blind, through an hooked browser, if you can inject a time-delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser. The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload communicating partial results to a central server. A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such approach would work for both internet facing targets as well as applications available in the intranet of the hooked browser. The talk will finish discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.

Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz

This document discusses several HTML5-based attacks that could be used to compromise a target named Bob. It describes using filejacking to access files on Bob's computer, poisoning Bob's app cache to gain persistent access, performing silent file uploads to plant incriminating evidence, using UI redressing to trick Bob into actions, and extracting sensitive information from Bob's employer's internal sites using drag-and-drop content extraction. The document provides proof-of-concept demos and notes limitations but emphasizes that HTML5 expands attack possibilities against unaware users. It concludes by encouraging developers to implement proper defenses like X-Frame-Options to prevent framing attacks.

Dark Fairytales from a Phisherman (Vol. II)Michele Orru

The document outlines techniques for automating phishing campaigns using tools like PhishingFrenzy and the Browser Exploitation Framework (BeEF). It describes how phishing is similar to fishing in that it involves preparing bait (in the form of phishing templates) and casting it out to catch victims. It then introduces PhishLulz, an automated phishing tool built on PhishingFrenzy and BeEF that can be run cheaply on Amazon EC2. It also discusses the new BeEF Autorun Rule Engine, which allows defining rules to trigger client-side attacks and modules based on conditions like the browser or OS of hooked victims. Examples are given of how this could be used

How to start developing apps for Firefox OSbenko

This document provides an overview of how to develop apps for Firefox OS. It discusses the core components of Firefox OS including Gonk, Gecko, and Gaia. Native apps are developed using HTML5, CSS3, and JavaScript. The document outlines the steps to create a simple "Hello World" app and discusses tools needed like the Firefox Nightly browser and B2G simulator. It also provides an example of developing a more advanced e-reader app that imports ePub books from the SD card and allows navigation of book contents.

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru

This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.

Re-Introduction to Third-party Scriptingbenvinegar

Dark Fairytales from a PhishermanMichele Orru

The document outlines an automated phishing technique called PhishLulz that uses PhishingFrenzy and BeEF on an Amazon EC2 instance. It describes how the tool allows for low-cost, automated phishing campaigns with features like mass mailing templates, credential harvesting, and integrating client-side attacks via BeEF. An example phishing campaign is provided that successfully compromised a government network in Australia within a few hours at a total cost of around $10 using this technique.

Advanced Chrome extension exploitationKrzysztof Kotowicz

HanamiBob Firestone

The Same-Origin SagaBrendan Eich

This document discusses the history and evolution of the same-origin policy in web browsers. It describes how the same-origin policy was originally implemented in Netscape 2 in the 1990s to label code and data with their origin and restrict cross-origin interactions. Over time, browsers added features like document.domain to relax the policy and allow some cross-origin communication while preventing security issues. Modern browsers now use techniques like object capabilities, isolated compartments, and cross-compartment mediation to further strengthen isolation while still supporting cross-origin interactions on the web. The document raises the question of whether a cooperative approach could be taken to label and mediate cross-site script inclusions in a more nuanced way.

Code for Startup MVP (Ruby on Rails) Session 1Henry S

This document provides an agenda and overview for a workshop on learning to code for startup MVPs using Ruby on Rails. The agenda covers reviewing a previous session, learning Ruby basics like syntax and semantics through practice, and introducing Rails models using ORM and SQL. It also provides instructions for setting up development environments on Windows, Mac, and Linux systems, installing Git for version control, and an overview of concepts covered in the previous session like the web architecture, Git/GitHub, Rails and Ruby, and deploying to Heroku.

Realtime web2012Timothy Fitz

The document discusses building real-time web applications. It addresses three hard problems: talking to the browser in real-time using techniques like polling, websockets, and flash sockets; handling high concurrency through non-blocking I/O; and scaling to support many users. It reviews common real-time frameworks like Twisted, Tornado, gevent, Node.js, and Erlang and recommends Twisted for Python and Node.js with Socket.IO for non-Python. It also discusses using Redis for a real-time backend pub/sub system and scaling strategies like adding frontend and backend nodes.

Introduction to WebSocketsSteve Agalloco

This document introduces WebSockets as a new technology for bidirectional communication between a browser and server. It discusses how WebSockets improve on older techniques like Ajax and Comet by allowing real-time data updates with less overhead. Example uses of WebSockets include chat applications, displaying stock prices, and collaboration tools. While browser support is still limited, libraries exist for many programming languages to create WebSocket servers.

Something wicked this way comes - CONFidenceKrzysztof Kotowicz

Krzysztof Kotowicz presented several HTML5 tricks that could be abused by attackers: - Filejacking allows reading files from a user's system using the directory upload feature in Chrome. Sensitive files were exposed from some users. - AppCache poisoning can be used in a man-in-the-middle attack to persist malicious payloads by tampering with a site's cache manifest file. - Silent file upload uses cross-origin resource sharing to upload fake files without user interaction, potentially enabling CSRF attacks. He warned that IFRAME sandboxing could facilitate clickjacking, and that drag-and-drop techniques risk exposing sensitive content across domains unless sites use X-

Blazor - An IntroductionJamieTaylor112

Blazor is a new web framework that allows web applications to be written in C# instead of JavaScript. It uses WebAssembly to run .NET code directly in the browser. Developers write Blazor apps using Razor components with HTML and C# code. At runtime, the Blazor runtime compiles the Razor components to WebAssembly, which generates the app's rendering tree and updates the DOM efficiently as the app runs. Blazor provides a way to build interactive client-side web UI using .NET instead of JavaScript.

Why Plone Will DieAndreas Jung

This document discusses reasons why the author believes Plone may decline or become a "CMS zombie" unless changes are made. Key points include: - Growing developer and integrator frustration due to legacy code, complexities, lack of documentation and APIs. - Difficult and unpredictable migrations between major Plone versions that introduce issues and costs. - Stagnating community and market as Plone relies on aging technologies like Zope and ZODB. The author argues Plone needs to remove legacy code, simplify architectures, introduce explicit APIs, support new databases and Python 3 to thrive in the future. A potential approach is starting from scratch with Pyramid and new components rather than continuing to build on aging foundations.

Ruby is dying. What languages are cool now?Michał Konarski

- Ruby is no longer considered a "cool" language according to the author, who examines several languages that are currently popular including Swift, Rust, Go, Elixir, Julia, and Dart. - Swift was created by Apple to replace Objective-C and adds modern features while removing the complexity of C. Rust was created to be safe, concurrent, and practical while combining high and low level capabilities. Go was created at Google to be understandable, productive, and scale well for networking and multiprocessing. Elixir builds on Erlang's concurrency model and adds a Ruby-like syntax. Julia targets scientific computing by combining speed and interactivity. Dart was created by Google to replace JavaScript but never gained

Defcon 20-zulla-improving-web-vulnerability-scanningzulla

This document summarizes a presentation about improving web vulnerability scanning. It discusses: 1. Current web vulnerability scanners are based on HTTP libraries and don't support JavaScript-rich applications well. Authenticated scanning is also challenging. 2. The presenter proposes replacing the HTTP library with a Webkit engine to gain full support for JavaScript, AJAX, redirects, and other modern web features. This would reduce code complexity. 3. Scaling the number of sites scanned requires distributing the workload across multiple processes to leverage multiprocessing. Handling authentication also requires strategies to identify login forms and confirm login status.

Rails development environment talkReuven Lerner

Cors kung fuAditya Balapure

- CORS (Cross-Origin Resource Sharing) allows resources on a web page to be requested from another domain outside the domain from which the first resource was served. - CORS uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. - Developer mistakes can lead to security vulnerabilities like cross-site request forgery if CORS is not implemented correctly, such as specifying '*' for allowed origins, failing to validate origins, or not handling credentials properly.

High Performance Social PluginsStoyan Stefanov

Social plugins are third-party iframes that allow users to interact with social features like liking or sharing content. They can be plugged in two main ways: 1) by writing the iframe directly or 2) by loading third-party JavaScript that generates the iframe. The third-party JavaScript should be loaded asynchronously to avoid blocking the page load. Once loaded, the social plugin needs to show up quickly with a single request, resize itself if needed, and handle user interactions like likes in a lazy manner by preloading JavaScript but not evaluating it until an interaction occurs.

Lo4liankei

Java is an object-oriented language with a vast library of predefined objects and operations that makes it platform independent and suitable for web programming. It has advantages over C++ in being more secure. The Java Virtual Machine allows .class files containing bytecodes to run on any system, providing platform independence. A basic HelloWorld program is shown to print text using built-in String and println functions.

Progressive Downloads and Rendering - take #2Stoyan Stefanov

Breaking The Cross Domain BarrierAlex Sexton

If you had to rank the best and worst moments of your JavaScript life, you’d probably rank reading “The Good Parts” up towards the top, and deep down at the bottom of the list would be the day that you found out that you couldn’t make cross-domain requests in the browser. This talk covers the hacks, tips, and tricks to leave the Same Origin Policy in the dust. So grab a cookie, pad your JSON, and learn how to communicate properly.

TEDx Manchester: AI & The Future of WorkVolker Hirsch

Build Features, Not AppsNatasha Murashev

More Related Content

What's hot (19)

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru

Re-Introduction to Third-party Scriptingbenvinegar

Dark Fairytales from a PhishermanMichele Orru

Advanced Chrome extension exploitationKrzysztof Kotowicz

HanamiBob Firestone

The Same-Origin SagaBrendan Eich

Code for Startup MVP (Ruby on Rails) Session 1Henry S

Realtime web2012Timothy Fitz

Introduction to WebSocketsSteve Agalloco

Something wicked this way comes - CONFidenceKrzysztof Kotowicz

Blazor - An IntroductionJamieTaylor112

Why Plone Will DieAndreas Jung

Ruby is dying. What languages are cool now?Michał Konarski

Defcon 20-zulla-improving-web-vulnerability-scanningzulla

Rails development environment talkReuven Lerner

Cors kung fuAditya Balapure

High Performance Social PluginsStoyan Stefanov

Lo4liankei

Progressive Downloads and Rendering - take #2Stoyan Stefanov

Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru

Re-Introduction to Third-party Scriptingbenvinegar

Dark Fairytales from a PhishermanMichele Orru

Advanced Chrome extension exploitationKrzysztof Kotowicz

HanamiBob Firestone

The Same-Origin SagaBrendan Eich

Code for Startup MVP (Ruby on Rails) Session 1Henry S

Realtime web2012Timothy Fitz

Introduction to WebSocketsSteve Agalloco

Something wicked this way comes - CONFidenceKrzysztof Kotowicz

Blazor - An IntroductionJamieTaylor112

Why Plone Will DieAndreas Jung

Ruby is dying. What languages are cool now?Michał Konarski

Defcon 20-zulla-improving-web-vulnerability-scanningzulla

Rails development environment talkReuven Lerner

Cors kung fuAditya Balapure

High Performance Social PluginsStoyan Stefanov

Lo4liankei

Progressive Downloads and Rendering - take #2Stoyan Stefanov

Viewers also liked (9)

Breaking The Cross Domain BarrierAlex Sexton

TEDx Manchester: AI & The Future of WorkVolker Hirsch

Build Features, Not AppsNatasha Murashev

Cross Domain Web Mashups with JQuery and Google App EngineAndy McKay

This document discusses cross-domain mashups using jQuery and Google App Engine. It describes common techniques for dealing with the same-origin policy, including proxies, JSONP, and building sample applications that mashup Twitter data, geotagged tweets, and maps. Examples include parsing RSS feeds from Twitter into JSONP and displaying tweets on a map based on their geotagged locations. The document concludes by noting issues with trust, failures, and limitations for enterprise use.

Google guava - almost everything you need to knowTomasz Dziurko

How to Embed a PowerPoint Presentation Using SlideShareJoie Ocon

Design Beautiful REST + JSON APIsStormpath

Les Hazlewood, Stormpath co-founder and CTO and the Apache Shiro PMC Chair demonstrates how to design a beautiful REST + JSON API. Includes the principles of RESTful design, how REST differs from XML, tips for increasing adoption of your API, and security concerns. Presentation video: https://www.youtube.com/watch?v=5WXYw4J4QOU More info: http://www.stormpath.com/blog/designing-rest-json-apis Further reading: http://www.stormpath.com/blog Sign up for Stormpath: https://api.stormpath.com/register Stormpath is a user management and authentication service for developers. By offloading user management and authentication to Stormpath, developers can bring applications to market faster, reduce development costs, and protect their users. Easy and secure, the flexible cloud service can manage millions of users with a scalable pricing model.

3 Things Every Sales Team Needs to Be Thinking About in 2017Drift

How to Become a Thought Leader in Your NicheLeslie Samuel

Breaking The Cross Domain BarrierAlex Sexton

TEDx Manchester: AI & The Future of WorkVolker Hirsch

Build Features, Not AppsNatasha Murashev

Cross Domain Web Mashups with JQuery and Google App EngineAndy McKay

Google guava - almost everything you need to knowTomasz Dziurko

How to Embed a PowerPoint Presentation Using SlideShareJoie Ocon

Design Beautiful REST + JSON APIsStormpath

3 Things Every Sales Team Needs to Be Thinking About in 2017Drift

How to Become a Thought Leader in Your NicheLeslie Samuel

Similar to Modern iframe programming (20)

Krzysztof kotowicz. something wicked this way comesYury Chemerkin

Krzysztof Kotowicz presented several ways that HTML5 and user interaction could be abused by attackers: - Filejacking allows uploading files from a user's system without consent by tricking them into selecting a folder. Sensitive files were taken from actual victims. - AppCache poisoning can be used to persist malicious payloads on a user's system by tampering with application manifest files during a man-in-the-middle attack. - Silent file upload constructs arbitrary files in JavaScript and uploads them to a victim site using cross-origin resource sharing if CSRF is possible. This was demonstrated against a real website. - IFRAME sandboxing and drag-and-drop

External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik

The document discusses best practices for developing JavaScript widgets. It covers challenges like versioning, cross-domain restrictions, cookies, security, and performance. Versioning can be handled through URL parameters or initializing with a version number. Cross-domain issues can be addressed using techniques like CORS, postMessage, or JSONP. Security requires sanitizing inputs, whitelisting domains, and handling risks like XSS and CSRF. Performance involves minimizing payload size and network requests.

External JavaScript Widget Development Best PracticesVolkan Özçelik

Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik

This document discusses best practices for developing JavaScript widgets. It begins by introducing widgets and their types, then discusses challenges like versioning, cross-domain restrictions, shared environments, and security. It provides recommendations for handling these challenges, such as using cache-revalidating scripts for versioning, cross-domain messaging for communication, and sanitization for security. The document concludes by addressing widget performance, emphasizing minimizing payload size, lazy loading, and yielding to avoid blocking.

Html5 securityKrishna T

The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.

Jinx - Malware 2.0Itzik Kotler

Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API\'s and a generous variety of high-level OOP languages simplifying the task

Front end for back end developersWojciech Bednarski

The document discusses various web developer tools including: - Firebug for inspecting and editing HTML, CSS, debugging JavaScript, and monitoring network activity. - YSlow for optimizing web page performance by reducing HTTP requests, compressing components, optimizing caching, and minimizing payload size. - Page Speed by Google for optimizing caching, minimizing round trips, reducing request overhead and payload size, and optimizing browser rendering. - Web Developer extension for adding developer tools to Firefox and Chrome browsers. It also mentions validators for HTML, CSS, and JavaScript and the importance of performance optimization like minimizing HTTP requests to reduce page load time.

20120306 dublin jsRichard Rodger

The document discusses how JavaScript can be used from the user interface on mobile and web apps through to the server and database using techniques like Node.js. It provides examples of how Node.js allows for high performance server-side JavaScript and how MongoDB can be used as a database. The document outlines lessons learned around challenges of multi-platform development and benefits of outsourcing databases and other services.

Html5: something wicked this way comesKrzysztof Kotowicz

Html5: something wicked this way comes - HackPraKrzysztof Kotowicz

Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.

BP-9 Share Customization Best PracticesAlfresco Software

Crossing Origins by Crossing Formatsinternot

This document discusses cross-origin attacks using polyglot files that can be interpreted in multiple formats. Specifically, it examines: 1) Syntax injection attacks where fragments of PDF syntax are injected into HTML pages hosted on vulnerable sites, allowing extraction of sensitive data from the original domain. 2) Content smuggling attacks where an attacker uploads a polyglot file in a benign format (e.g. PDF) that also contains malicious content to a vulnerable site, then embeds it to exploit visitors through content reinterpretation. 3) The potential for these attacks using PDF, which has powerful interactive capabilities, error-tolerant parsing, and ability to issue cross-origin requests like CSRF with cookies

Krzysztof Kotowicz - Hacking HTML5DefconRussia

The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.

20120802 timisoaraRichard Rodger

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine that allows for writing server-side code in JavaScript. It has a single-threaded, event-driven architecture that makes it efficient for data-intensive real-time applications. Some key advantages of Node.js include using JavaScript for both client-side and server-side code, high performance due to event-driven and non-blocking model, and rich ecosystem of third-party modules. Mobile web apps can be built with Node.js by using HTML5 features and JavaScript on the server and client sides.

ARTDM 171, Week 2: A Brief History + Web BasicsGilbert Guerrero

This document provides an overview of topics for an ARTDM 171 week 2 class, including: - Homework assignments due including reading chapters in textbooks and posting a blog comment. - An introduction to HTML, the core markup language of the web, how it formats text and includes images and hyperlinks. - Other topics covered include the HTTP protocol, XML, CSS, JavaScript, AJAX, and a brief history of the internet and how it was developed with military origins for robust communication. - The final homework assigned is to build a first web page in Dreamweaver with specific formatting and design elements.

High Voltage - Building Static Sites With Wordpress-Managed ContentNicolle Morton

WordPress evolved from a simple blog platform into a full-fledged content management system. It is now evolving beyond that into an application development framework. It is a new era for WordPress. One that partly made possible by the WP-API plugin. The plugin bolts a REST API on top of the WordPress platform, allowing for integration of WordPress with other systems. WP-API can be leveraged in many ways. For example, there is a lot of excitement around using WordPress as a backend for single page web apps and mobile apps. But the possibilities don’t end there. In this talk, we will explore the use of WP-API to integrate WordPress-managed content with static site generators. Static site generators and flat-file CMSs have been growing in popularity over the past few years, due largely to developer productivity, reliability, security, performance and ease-of-deployment. They are a compelling alternative but compromises must be made to realize the benefits. It doesn’t have to be an either-or decision. We will explore strategies for using WordPress as a collaborative writing room – similar to proprietary alternatives like Prismic.io and Contentful. And we will explore strategies for building static sites using that content. Presented at WordCamp Hamilton 2015 - By Nick Kenyeres - Director of Technology at Wise & Hammer Inc.

Expert guide for PHPSteve Fort

Building Client-Side Attacks with HTML5 FeaturesConviso Application Security

Palestra ministrada no OWASP Floripa Day - Florianópolis - SC | A palestra tem como objetivo mostrar os conceitos e funcionamento de algumas funcionalidades que foram adicionadas ao HTML5, levando em consideração os aspectos de segurança do client-side. Para as funcionalidades destacadas, foram criados cenários de ataques visando ilustrar a obtenção de informações sensíves armazenadas no browser ou até mesmo usar o browser da vítima para lançar ataques contra outros sistemas. Através da exploração das funcionalidades existentes no HTML5, técnicas de exploração como XSS e CSRF, tornam-se mais poderosas e eficientes, sendo possível em alguns casos contornar algumas restrições do Same Origin Policiy (SOP).

Web technologies for desktop development @ berlinjs appsDarko Kukovec

This document discusses using web technologies like HTML5, CSS, and JavaScript for desktop application development using frameworks like node-webkit. Node-webkit allows creating desktop apps with web technologies by wrapping them in a native application shell using Chromium and node.js. It summarizes several frameworks for hybrid desktop apps including Adobe Air, QT, Chrome Apps, and node-webkit. Node-webkit is highlighted as a good option because it allows leveraging existing web development skills and has good support for native desktop capabilities and debugging tools. Examples are given of companies using node-webkit for kiosk apps, desktop programs, and hardware integration.

Hacking iBooks and ePub3 with JavaScript!Jim McKeeth

This document provides an overview of adding JavaScript interactivity to iBooks and EPUB files, including: - Examples of using JavaScript widgets in iBooks through tools like Dashcode and Tumult Hype. - Details on creating JavaScript widgets from scratch for iBooks by including the required files and properties. - An explanation of the EPUB 3.0 standard which enables JavaScript, and guidelines for progressive enhancement and fallbacks. - A demonstration of cracking the DRM on iBooks files and creating fully interactive EPUB files from scratch using spine-level JavaScript according to the EPUB specifications.

Krzysztof kotowicz. something wicked this way comesYury Chemerkin

External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik

External JavaScript Widget Development Best PracticesVolkan Özçelik

Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik

Html5 securityKrishna T

Jinx - Malware 2.0Itzik Kotler

Front end for back end developersWojciech Bednarski

20120306 dublin jsRichard Rodger

Html5: something wicked this way comesKrzysztof Kotowicz

Html5: something wicked this way comes - HackPraKrzysztof Kotowicz

BP-9 Share Customization Best PracticesAlfresco Software

Crossing Origins by Crossing Formatsinternot

Krzysztof Kotowicz - Hacking HTML5DefconRussia

20120802 timisoaraRichard Rodger

ARTDM 171, Week 2: A Brief History + Web BasicsGilbert Guerrero

High Voltage - Building Static Sites With Wordpress-Managed ContentNicolle Morton

Expert guide for PHPSteve Fort

Building Client-Side Attacks with HTML5 FeaturesConviso Application Security

Web technologies for desktop development @ berlinjs appsDarko Kukovec

Hacking iBooks and ePub3 with JavaScript!Jim McKeeth

Recently uploaded (20)

AI and Data Privacy in 2025: Global TrendsInData Labs

In this infographic, we explore how businesses can implement effective governance frameworks to address AI data privacy. Understanding it is crucial for developing effective strategies that ensure compliance, safeguard customer trust, and leverage AI responsibly. Equip yourself with insights that can drive informed decision-making and position your organization for success in the future of data privacy. This infographic contains: -AI and data privacy: Key findings -Statistics on AI data privacy in the today’s world -Tips on how to overcome data privacy challenges -Benefits of AI data security investments. Keep up-to-date on how AI is reshaping privacy standards and what this entails for both individuals and organizations.

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Toradex brings robust Linux support to SMARC (Smart Mobility Architecture), ensuring high performance and long-term reliability for embedded applications. Here’s how: • Optimized Torizon OS & Yocto Support – Toradex provides Torizon OS, a Debian-based easy-to-use platform, and Yocto BSPs for customized Linux images on SMARC modules. • Seamless Integration with i.MX 8M Plus and i.MX 95 – Toradex SMARC solutions leverage NXP’s i.MX 8 M Plus and i.MX 95 SoCs, delivering power efficiency and AI-ready performance. • Secure and Reliable – With Secure Boot, over-the-air (OTA) updates, and LTS kernel support, Toradex ensures industrial-grade security and longevity. • Containerized Workflows for AI & IoT – Support for Docker, ROS, and real-time Linux enables scalable AI, ML, and IoT applications. • Strong Ecosystem & Developer Support – Toradex offers comprehensive documentation, developer tools, and dedicated support, accelerating time-to-market. With Toradex’s Linux support for SMARC, developers get a scalable, secure, and high-performance solution for industrial, medical, and AI-driven applications. Do you have a specific project or application in mind where you're considering SMARC? We can help with Free Compatibility Check and help you with quick time-to-market For more information: https://www.toradex.com/computer-on-modules/smarc-arm-family

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

How Can I use the AI Hype in my Business Context?Daniel Lehner

𝙄𝙨 𝘼𝙄 𝙟𝙪𝙨𝙩 𝙝𝙮𝙥𝙚? 𝙊𝙧 𝙞𝙨 𝙞𝙩 𝙩𝙝𝙚 𝙜𝙖𝙢𝙚 𝙘𝙝𝙖𝙣𝙜𝙚𝙧 𝙮𝙤𝙪𝙧 𝙗𝙪𝙨𝙞𝙣𝙚𝙨𝙨 𝙣𝙚𝙚𝙙𝙨? Everyone’s talking about AI but is anyone really using it to create real value? Most companies want to leverage AI. Few know 𝗵𝗼𝘄. ✅ What exactly should you ask to find real AI opportunities? ✅ Which AI techniques actually fit your business? ✅ Is your data even ready for AI? If you’re not sure, you’re not alone. This is a condensed version of the slides I presented at a Linkedin webinar for Tecnovy on 28.04.2025.

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025 https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/ Is AI just another technology, or does it fundamentally change the way we live and think? Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater. At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts. At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.

Cyber Awareness overview for 2025 month of securityriccardosl1

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency. This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data. Attendees will learn: - Consumer awareness around data brokers and what consumers are doing to limit data collection - How businesses assess third-party vendors and their consent management operations - Where business preparedness needs improvement - What these trends mean for the future of privacy governance and public trust This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

Artificial intelligence is changing how businesses operate. Companies are using AI agents to automate tasks, reduce time spent on repetitive work, and focus more on high-value activities. Noah Loul, an AI strategist and entrepreneur, has helped dozens of companies streamline their operations using smart automation. He believes AI agents aren't just tools—they're workers that take on repeatable tasks so your human team can focus on what matters. If you want to reduce time waste and increase output, AI agents are the next move.

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

TrsLabs - Fintech Product & Business ConsultingTrs Labs

Hybrid Growth Mandate Model with TrsLabs Strategic Investments, Inorganic Growth, Business Model Pivoting are critical activities that business don't do/change everyday. In cases like this, it may benefit your business to choose a temporary external consultant. An unbiased plan driven by clearcut deliverables, market dynamics and without the influence of your internal office equations empower business leaders to make right choices. Getting things done within a budget within a timeframe is key to Growing Business - No matter whether you are a start-up or a big company Talk to us & Unlock the competitive advantage

tecnologias de las primeras civilizaciones.pdffjgm517

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

Splunk Security Update | Public Sector Summit Germany 2025Splunk

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

Semantic Cultivators : The Critical Future Role to Enable AIartmondano