XSS & CSRF with HTML5 – attack, exploit, and defense

Always happy to blog about our previous Hacker Hotshot speakers, we notice that Shreeraj Shah presented a talk titled: “XSS & CSRF with HTML5 – Attack, Exploit, and Defense.” Shreeraj previously spoke at one of our events September 13th 2012: HTML5 Next Generation Attacks.

In his latest presentation, Sheeraj outlined how XSS and CSRF can be interwoven within the HTML5 framework. Of interest, we have another great speaker lined up today who will be talking about XSS! Adam Bladwin will be outlining “Blind XSS” in which, amongst other things, he will explain what blind cross-site scripting (XSS) is, how to use and prevent ‘blind XSS’ in penetration testing or application testing, and an introduction to xss.io.

Sheeraj spoke about CSRF – so what’s the difference with CSRF and XSS?
CSRF, Cross-site request forgery, also referred to as a ‘one-click attack’ or ‘session riding’ is a malicious exploit of a website in which unauthorized commands are sent from a user of a website that the victim trusts. The fundamental difference between CSRF and XSS is that cross-site scripting (XSS), is designed to exploit the trust the user has for a particular site whilst CSRF aims to exploit the trust that a website has in the visitor’s browser. So, the key difference is within the victims browser.

Sheeraj also spoke about XHR2 – something we must confess we don’t know a great deal about – but it seems to be connected to his research with HTML5 and CSRF.

If you are interested to learn more, here’s the link and congratulations to Sheeraj!