This started out as a simple application to demonstrate web sockets, but has developed into a demonstration of some basic HTML5 features (web sockets, geolocation, localStorage).
The main purpose of this application is to demo in ILT. It includes no security features (such as AuthN/AuthZ), and some of the basic security features have been commented out for demonstration purposes (the more secure lines are just above the commented-out ones).
References from:
- http://html5sec.org/ - A great source of potential attack vectors
- https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet - A list of best practices and guidelines for common HTML5 features
- http://juerkkil.iki.fi/2013/03/17/compromising-html5-websockets-with-an-xss-vulnerability/ - A good writeup by Jussi-Pekka Erkkilä about compromising HTML5 WebSockets via XSS
- http://www.youtube.com/watch?v=WljJ5guzcLs - An exceptional, even-keeled talk by security expert Brad Hill on HTML5 security
- http://www.youtube.com/watch?v=0PrlVHzRvZ - An earlier webcast by Security Innovation on HTML5
- http://content-security-policy.com/ - A nice reference on CSP and individual directives and support by each browser
- http://www.sophos.com/en-us/security-news-trends/security-trends/html5-and-security.aspx - A good article on some of the security changes to be seen in HTML5
- http://www.cio.com/article/735373/How_to_Ensure_Privacy_in_the_Age_of_HTML5 - Privacy Concerns in HTML5
- http://www.cs.berkeley.edu/~devdatta/papers/LeastPrivileges.pdf - A very interesting paper referenced by Brad Hill in his talk about using HTML5 to help secure complex modern web applications
- http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049 - A great book on web application obfuscation, written by some leaders in the field, about why blacklist filtering doesn't work
- Likely others that I can't remember at the moment; apologies in advance for references I missed. HTML5 is a small world.