
HTML5 vulnerability assessment tool

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Aug 25, 2011 2:45 pm

HTML5 vulnerability assessment tool

Hey,

I have been thinking for a while about creating a tool that you can point at a web page and it would go through it to search for HTML5 vulnerabilities. I searched a bit and couldn't find a tool that would do something like that.

But I am sure some commercial vulnerability scanner would do this and many more things. So do you know about web app scanners that do that?

Is it worth the effort of writing such a tool?

Thanks for your feedback.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
dropper

Newbie

Posts: 3

Joined: Thu Aug 25, 2011 12:05 pm

Post Thu Aug 25, 2011 3:20 pm

Re: HTML5 vulnerability assessment tool

Hi,

Do you mean client (cross-domain information leakage, etc.) or server side vulnerabilities (like XSS with HTML5 tags)?

In my mind a lot of the server-side vulnerabilities are just permutations of what is already known. In my humble opinion, it would be fairly easy to patch already existing software to search for these vulnerabilities. It is the client side issues, like SQLI on the client, that seem to be relatively new ground.

I would be interested in contributing code. I'm looking forward to seeing what everybody else turns up. 
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Aug 25, 2011 4:05 pm

Re: HTML5 vulnerability assessment tool

Are we talking vulnerabilities or "features"? :)
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Aug 26, 2011 9:29 am

Re: HTML5 vulnerability assessment tool

Yes, looking at "features"  :D

I was more looking at a tool doing code review. Having a tool looking at bad code and proposing fixes. Something like "instead of writing this line this way, why don't you do that?".

To help the developers find possible vulnerabilities in their code before they release it in prod.

But this is probably not that useful...  :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Aug 29, 2011 10:28 am

Re: HTML5 vulnerability assessment tool

H1t M0nk3y wrote: But this is probably not that useful...  :-\


Only because a developer probably wouldn't be caught dead using such a tool.    ;D
Poking at security since 1986.  +++ATH
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 29, 2011 10:50 am

Re: HTML5 vulnerability assessment tool

You're so right rance, developers don't know anything about security, let alone security tools.

Ok, I will put my very little free time against something more useful.

Thanks for the replies guys
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Aug 29, 2011 11:01 am

Re: HTML5 vulnerability assessment tool

I'm behind ya on an HTML5 exploit tool, though! :)
Poking at security since 1986.  +++ATH
dbest

Jr. Member

Posts: 79

Joined: Thu Jun 23, 2011 1:14 pm

Post Sat Sep 03, 2011 12:54 pm

Re: HTML5 vulnerability assessment tool

While there is no harm in writing a tool to help developers check for weaknesses in their code, the use might be limited.
I would say, if you think that it will benefit at least a few people out there, why not go for it.

Also, an exploit would be cool too.
CISM, CEH, CISA, ISO 27001 LA
