Black Hat Europe
October 14-17, 2014
Amsterdam Rai, The Netherlands
8/13/2012
02:53 PM
Dark Reading
Dark Reading
Slideshows
50%
50%

Slide Show: Memorable Moments From Black Hat 2012

A look at some of the demos, hacks, awards, and parties at this year's Black Hat USA 2012 convention
Previous
7 of 15
Next


As HTML5 adoption ramps up, developers need to be mindful that the power of the tools in the HTML5 feature-set can be abused to great effect, Shreeraj Shah, founder and director of Blueinfy Solutions, warned at the show. His presentation detailed the top 10 HTML5 vulnerabilities, which were lumped into three main categories: XHR and tag vulnerabilities, thick feature vulnerabilities, and DOM vulnerabilities.

His talk on HTML5 was among several at Black Hat. Others included a discussion on ways to abuse HTML5 WebSockets and the demonstration of a technique that can be used against HTML5 browsers to deliver malicious firmware that could be used for mass router infections.

Photo Credit: Black Hat Events

Previous
7 of 15
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

CVE-2014-7880
Published: 2014-12-17
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

CVE-2014-8133
Published: 2014-12-17
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.