Friday, 12 October 2012

'Using the HTML5 Fullscreen API for Phishing Attacks', OWASP MIA and 'We need SAST technology for browsing the web safely'

Really nice article from Feross Aboukhadijeh on the Phishing potential of HTML5 FullScreen features:

You can read it at Using the HTML5 Fullscreen API for Phishing Attacks

Note that Chrome on OS X will show this alert

... if you're not in full screen already. But in a lot of cases that will be easy to dismiss (especially with users used to clicking that 'Allow' button). See the note below on using SAST technology to deal with this.

What is interesting about this story is that it also shows how developers DO care about security. There is a thread about it on Hacker News and on Reddit, and I found this article via CodeProject's Daily News email:


But where's OWASP on this thread?

  • neither the Hacker News nor the Reddit thread mentions OWASP (just search the page)
  • Feross' article also has no mention of OWASP
  • A quick search for Feross' name and OWASP didn't show anything
  • Nothing on OWASP's website (which means that he has not presented at an OWASP conference or chapter)

So is Feross involved at all with OWASP? I can't find it.

As one of the guys who created one of the best ClickJacking examples, HOW TO: Spy on the Webcams of Your Website Visitors (and only 22 years old), he is clearly part of the new generation of AppSec experts.

But if OWASP is not able to attract him and create environments / ecosystems for Feross (and other new stars), that means that we (OWASP) are starting to be irrelevant for the new Generation :(

And that is a fundamental problem with OWASP. We should be measuring OWASP's success by its community and relevance. But it is much harder to measure 'what could have happened' than 'what is happening'. This (amongst others) is why I proposed a new model for OWASP so that OWASP can reinvent itself and find ways to add value to Feross (and his community).

We need SAST technology for browsing the web safely

So how do we solve this? Unless we start to have SAST-like technology in browsers (which would allow us to write context-sensitive rules that know the difference between YouTube and Feross' website), I don't think we will find a good solution (it's just patches and hacks).
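To make the 'context-sensitive rules' idea concrete, here is an added example (not from the original post, and not Feross' code): a small user-script style guard that lets only allowlisted origins stay in fullscreen and, for any other origin, leaves fullscreen and pins a banner with the page's real origin, so spoofed browser chrome cannot hide where the page comes from. The allowlist entries and the function names are my own assumptions.

```javascript
// Added example: a "context-sensitive rule" for the HTML5 Fullscreen API.
// Allowlisted origins may enter fullscreen silently; every other origin is
// taken back out of fullscreen and labelled with its real origin.
// The allowlist entries below are constructed sample values.

const FULLSCREEN_ALLOWLIST = new Set([
  'https://www.youtube.com',
  'https://vimeo.com',
]);

// Pure policy decision, kept separate so it can be tested without a browser.
// Returns 'allow' for allowlisted origins and 'block' for everything else.
function fullscreenDecision(origin, allowlist = FULLSCREEN_ALLOWLIST) {
  if (typeof origin !== 'string') return 'block';
  return allowlist.has(origin) ? 'allow' : 'block';
}

// Install the rule on a document-like object. `doc` must expose
// fullscreenElement, exitFullscreen(), addEventListener(), createElement()
// and body.appendChild(); `origin` is the page's real origin.
// Returns the event handler so callers (and tests) can invoke it directly.
function installFullscreenGuard(doc, origin, allowlist = FULLSCREEN_ALLOWLIST) {
  const handler = () => {
    if (!doc.fullscreenElement) return;        // leaving fullscreen: nothing to do
    if (fullscreenDecision(origin, allowlist) === 'allow') return;
    // Not an allowlisted origin: leave fullscreen and show who the page really is.
    doc.exitFullscreen();
    const banner = doc.createElement('div');
    banner.textContent = `Fullscreen blocked: this page is ${origin}`;
    banner.setAttribute('style',
      'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
      'background:#b00;color:#fff;font:14px sans-serif;padding:6px');
    doc.body.appendChild(banner);
  };
  doc.addEventListener('fullscreenchange', handler);
  return handler;
}

// Only wire up the real document when running inside a browser.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  installFullscreenGuard(document, location.origin);
}
```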