Carlos Muñoz Application Security Engineer WhiteHat
Transcription
1 Carlos Muñoz, Application Security Engineer, WhiteHat
2 Bypass: History. Explanation: What Is Going On. Process: Things To Look For. Demos: alert(1) Done Live (hopefully). CSP: Content Security Policy. End Notes: (Bonus Bypass?)
3 Late Friday, August 23rd, 2013. Finishing a webapp assessment; visiting the site in different browsers, looking for browser-specific functionality.
4 Previously found reflected XSS vulnerability. The page reflects the injection. A JavaScript block further up the page checks: is the page rendered within an iframe from a specific page (self != parent)? No? Redirect to the page with the iframe and remove the injection.
5 The page in the iframe is defined from a URL/URI query string parameter. The injection from the URL/URI parameter value lands in the iframe definition, which then calls the vulnerable page with the injection, and the XSS executes on the vulnerable page.
6 Vuln initially found with Firefox. Looked for browser-specific functionality; tested Internet Explorer last. Decided to poke at the XSS vuln in Internet Explorer.
7 Standard XSS training: hex entities are decoded in attribute space (the param="value" part of an HTML tag). Try an injection that doesn't look like <script>alert(1)</script>: encode a few characters, enter the injection into Internet Explorer.
8
9 Weekend: built deliberately vulnerable PHP code to recreate the bypass. Reported to Microsoft: August 26th, 2013 (Case #15412). Response from Microsoft: October 4th, 2013.
10 Internet Explorer's XSS filter has a trust model that determines which requests are subject to the filter. Some requests are not trusted: subject to the filter. Some requests are trusted: not subject to the filter. Abuse that trust: bypass the filter.
11 A primary request with the injection is made. The primary request doesn't cause IMMEDIATE JavaScript code execution. The primary request is subject to the filter. A secondary request within the same domain is induced with data from the primary request. The secondary request does cause JavaScript code execution. The secondary request is trusted and not subject to the filter.
12 Looking for functionality on the site that will allow a secondary request onto the same domain: iframes, frames; form submissions; href attributes; JavaScript redirects; places where both <a> and </a> can be injected.
13 Hiding data from the primary request. Landing in attribute space? Hexadecimal: &#xyy; (HTML). Decimal: &#ZZ; (HTML). Named entity: &ww; (HTML). URL/URI: %VV (RFC). Landing in JavaScript space? URL/URI: %VV (RFC).
14 Filter doesn't like: . (periods); <form>, <frame>, <iframe>. Filter sometimes permits, sometimes doesn't: () [] {} (parentheses, square brackets, curly brackets); the word "style" (can use class instead, see demos).
15
16 Content Security Policy: "A policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced." Maybe no more XSS (if done correctly)??? What about Internet Explorer?
17 Only Internet Explorer 10 & 11 have any support for Content Security Policy, and that support is limited: they use the older X-Content-Security-Policy header instead of the official Content-Security-Policy header. Source: Does Content Security Policy currently help? (No.)
18 Microsoft's "No Fix" response. Two different reasons given. First reason (given back in Oct 2013): "Requires special functionality". Not actually true: everything used in the bypass has been part of the official HTML spec since at least 1998. Second reason (given later, Dec 2013): "Requires user interaction". Partially true, but not fully true.
19 Bonus bypass: if the webapp performs double URL/URI decoding, Internet Explorer's XSS filter doesn't catch it. Demo (if time permits).
20 The Playground: deliberately vulnerable pages. Can be used for training on the bypass.
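Slides 13 and 14 list the encodings that keep payload characters out of a filter's view (HTML hex, decimal and named entities in attribute context, percent-encoding in URL and JavaScript context), and slide 19 adds the case where the application itself percent-decodes twice. The following is an added example, not from the talk, written from the application-side perspective: a canonicaliser that decodes a reflected parameter value to a fixed point before any pattern check runs, and a comparison that shows which constructed inputs a raw-string match would have let through. `DANGEROUS_MARKERS` is a small illustrative pattern set constructed for this example, not the IE filter's rule set, and the sample values are constructed too.

```python
"""Canonicalise reflected input before filtering (added example, not from the talk)."""
import html
import re
from urllib.parse import unquote

# Illustrative markers for the tag and scheme names the slides discuss.
# Constructed for this example; a real deployment relies on context-aware
# output encoding, and uses a check like this only as a detection signal.
DANGEROUS_MARKERS = re.compile(
    r"<\s*/?\s*(script|iframe|frame|form|a)\b|javascript\s*:",
    re.IGNORECASE,
)

MAX_DECODE_ROUNDS = 5  # bound the loop so crafted input cannot spin it forever


def canonicalize(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> tuple[str, int]:
    """Percent-decode and HTML-entity-decode until the string stops changing.

    Returns (decoded_value, layers_removed). A result above 1 means the input
    carried nested encodings, which is itself worth logging.
    """
    current = value
    for rounds in range(1, max_rounds + 1):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current, rounds - 1
        current = decoded
    return current, max_rounds


def classify(raw_value: str) -> dict:
    """Compare a raw-string check against a check on the canonical form."""
    decoded, layers = canonicalize(raw_value)
    naive_hit = DANGEROUS_MARKERS.search(raw_value) is not None
    canonical_hit = DANGEROUS_MARKERS.search(decoded) is not None
    return {
        "raw": raw_value,
        "decoded": decoded,
        "encoding_layers": layers,
        "naive_filter_flags": naive_hit,
        "canonical_filter_flags": canonical_hit,
        # The gap a raw-string filter leaves open.
        "evades_naive_filter": canonical_hit and not naive_hit,
    }


# Constructed sample parameter values, one per encoding the slides mention.
SAMPLES = [
    "hello world",                        # benign
    "<script>alert(1)</script>",          # undisguised; any filter sees it
    "&#x3C;iframe src=x&#x3E;",           # hex entities in attribute space
    "&#60;form action=x&#62;",            # decimal entities
    "&lt;a href=x&gt;&lt;/a&gt;",         # named entities
    "%3Ciframe%20src%3Dx%3E",             # single percent-encoding
    "%253Ciframe%2520src%253Dx%253E",     # double percent-encoding (slide 19)
    "javascript&#58;alert(1)",            # entity hiding only the colon
]


def report(samples: list[str] = SAMPLES) -> list[dict]:
    return [classify(s) for s in samples]


if __name__ == "__main__":
    for r in report():
        note = "EVADES raw-string filter" if r["evades_naive_filter"] else ""
        print(f"{r['raw']!r:38} layers={r['encoding_layers']} -> {r['decoded']!r} {note}")
```

Six of the eight samples are caught only after canonicalisation, and the double-encoded one needs two decode rounds, which is exactly why a check that decodes once (or not at all) and an application that decodes twice disagree about what the browser will eventually see.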
21 Links: xss-filter-design-philosophy-in-depth.aspx
22 Any Questions? Thank You ToorCon!
Bypassing Internet Explorer's XSS Filter
Bypassing Internet Explorer's XSS Filter. Or: Oops, that's not supposed to happen. Carlos @RTWaysea. About Me: Mechanical drafting background (engine parts, architectural fixtures, etc.). Friend said Try This
