
hack.lu: Breaking and Securing Web Applications

At hack.lu, the best talk so far is Nitesh Dhanjani's talk Breaking and Securing Web applications.

Random notes below the fold.

  • cross-site scripting is an output validation problem
  • analysis tools are insufficient
  • hard to understand, hard to demonstrate ("alert" doesn't cut it); but see BeEF for a nice tool
  • If XSS vectors go through databases, particularly hard to find.
  • XSRF - confused deputy problem (but uses <img src="...">, i.e., HTTP GET, as example)
  • Yahoo! mobile as example
  • POST-based example for Yahoo! calendar, through JavaScript
  • Mitigation
    • Do not rely on referer header
    • do not rely on POST
    • use random tokens
    • should there be client-side protection? - well...
  • How do you assess XSRF? -- hard to distinguish important / unimportant operations
  • XSRF can be used by external attacker to turn browser into proxy to Intranet
  • Combine XSS and XSRF?
  • Targeting the Browser?
  • Flash crossdomain issue -- crossdomain.xml can now exist anywhere in the web root
  • application access control model?
  • Cross-domain requests in Flash: Look for crossdomain.xml in root of target site.
  • recent change: crossdomain.xml can sit about anywhere
  • consider if we have an upload/download area
  • extremely difficult for application owners
  • use XSS to drop crossdomain.xml in there ... whooops?
  • Remember Adobe's PDF plugin? (javascript in fragment identifiers) It's a purely client-side issue.
  • application security will continue to be extremely important
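The three XSRF mitigation notes above (no reliance on the Referer header, no reliance on POST alone, random tokens) are shown as one working check below. This is an added example written for these notes, not code from the talk or from Yahoo!; the handler, request dictionary layout, session ids and secret key are all constructed for the demonstration. The token is a random nonce bound to the session with an HMAC, so a token issued to one session is rejected in another, and the handler never looks at Referer at all.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def issue_csrf_token(session_id: str) -> str:
    """Return a fresh random token bound to one session via an HMAC."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """True only if the token was issued for this session and is unmodified."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_delete_entry(request: dict) -> tuple:
    """Simulated handler for a state-changing operation (hypothetical app).

    request keys: method, session_id (taken from the cookie the browser
    attaches automatically), form (parsed body), headers.  The Referer
    header is deliberately never consulted: browsers and proxies strip it,
    so its absence cannot be treated as hostile nor its presence as proof.
    """
    if request["method"] != "POST":
        # Rejecting GET stops <img src=...>-style triggers, but it is not a
        # CSRF defence on its own: a hidden auto-submitting form sends POST.
        return 405, "use POST"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(request["session_id"], token):
        return 403, "missing or invalid CSRF token"
    return 200, "entry deleted"


def demo() -> dict:
    """Run the handler over constructed requests; return name -> status code."""
    session = "sess-alice-constructed"
    token = issue_csrf_token(session)
    other_token = issue_csrf_token("sess-bob-constructed")
    # Flip the last hex digit so the tampered token always differs from the real one.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    requests = {
        "get_via_img": {"method": "GET", "session_id": session, "form": {},
                        "headers": {"Referer": "https://other.example/"}},
        "post_no_token": {"method": "POST", "session_id": session,
                          "form": {"id": "7"}, "headers": {}},
        "post_wrong_session_token": {"method": "POST", "session_id": session,
                                     "form": {"id": "7", "csrf_token": other_token}, "headers": {}},
        "post_tampered_token": {"method": "POST", "session_id": session,
                                "form": {"id": "7", "csrf_token": tampered}, "headers": {}},
        "post_with_token": {"method": "POST", "session_id": session,
                            "form": {"id": "7", "csrf_token": token}, "headers": {}},
    }
    return {name: handle_delete_entry(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:26s} -> {status}")
```

Only the request that carries a token issued for the very same session reaches the real operation; the POST-only check stops the `<img>` case from the notes, and the token check stops the cross-site POST that the POST-only check lets through.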
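The crossdomain.xml notes above (the file can sit outside the web root, an upload area lets one be dropped there, and the resulting access-control model is hard for application owners to reason about) boil down to a small audit an owner can run against the master policy served from the site root. This is an added example, not code from the talk or from Adobe; the two policy files are constructed samples, and the `site-control` element with `permitted-cross-domain-policies` is the meta-policy mechanism of Adobe's policy-file format, which is what lets a root policy state explicitly that non-master policy files are not honoured.

```python
import xml.etree.ElementTree as ET

# Meta-policy values that still honour policy files outside the root master file.
PERMISSIVE_META_POLICIES = {"all", "by-content-type", "by-ftp-filename"}

# Constructed sample: the kind of master policy the notes warn about.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: explicit master-only meta-policy and one narrow grant.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example"/>
</cross-domain-policy>
"""


def audit_master_policy(xml_text: str) -> list:
    """Return findings (strings) for a crossdomain.xml served from the site root.

    An empty list means nothing in the file widens access beyond explicit hosts.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable policy: {exc}"]
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # Meta-policy: decides whether a policy file dropped into an upload
    # directory is honoured at all.  Make it explicit rather than relying on
    # whatever the installed player version defaults to.
    site_control = root.find("site-control")
    if site_control is None:
        findings.append('no <site-control>: add permitted-cross-domain-policies="master-only" '
                        "so non-root policy files (e.g. in an upload area) are ignored")
    else:
        mode = site_control.get("permitted-cross-domain-policies", "")
        if mode in PERMISSIVE_META_POLICIES:
            findings.append(f'permitted-cross-domain-policies="{mode}" honours non-master policy files')

    # Per-origin grants: wildcards and secure="false" widen who may read responses.
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin scripted access to this site')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain grant: {domain}")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain or "<empty>"} lets http:// origins read https:// content')
    return findings


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(label, "->", audit_master_policy(policy) or "no findings")
```

The check runs offline on a fetched copy of the file; the point of the `site-control` finding is that once the master file says `master-only`, a stray policy file in an upload or download area is simply not consulted, which removes the "use XSS to drop crossdomain.xml in there" worry from the notes.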


Comments (2)

B.:
Actually, I found your presentation the best one on Hack.lu!! The content was certainly interesting but above all, the presentation itself was simple and very strong. You certainly avoided the "death by powerpoint" as I have seen in other presentations. I hope it will be online afterwards or if you would be so kind to send it to me. Best Regards, B.
tlr:
Thanks. The slides for the usability talk should be up on the hack.lu site soon. I had originally prepared that talk for the Hungarian Web Conference earlier this year; original slides. The access-control lightning talk slides are available from the W3C web server.


About

This page contains a single entry from the blog posted on October 20, 2007 7:15 AM.
