Name: Precision Timing - Attacking browser privacy with SVG and CSS
Start: 2013-08-22T11:50:00+0200
End: 2013-08-22T12:35:00+0200

Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu

Back To Schedule

Precision Timing - Attacking browser privacy with SVG and CSS

Maybe you’ve heard it before - HTML 5 brings a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and interesting side effects.

Traditionally, browser timing attacks involve cache or network timing. In this presentation, I’ll introduce a number of new techniques that perform timing attacks on graphics operations involving CSS and SVG to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.

Speakers

Paul Stone

Paul (@pdjstone) Stone's talk shows novel ways of extracting data across origin-borders using timing attacks - with SVG and other technologies. One might want to deploy additional HTTP headers after watching this outstanding presentation.

Thursday August 22, 2013 11:50am - 12:35pm CEST
Aussichtsreich Emporio

Hackpra Talk

OWASP AppSec Research 2013

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Paul Stone