Origin Policy Enforcement in Modern Browsers
A Case Study in Same Origin Implementations
Frederik Braun (Ruhr-Uni Bochum/Mozilla), Origin Policy Enforcement, August 23 (slide deck, 25 slides)
Table of Contents
1 about:me
2 Motivation
  Ambient Authentication
  The Severity of a Same Origin Policy Bypass
3 The Same Origin Policy
  What is an Origin?
  What is the Same Origin Policy?
  Examples
4 Evaluation
  SOP Bypass: Firefox (2007)
  SOP Bypass: Flash (2010)
  SOP Bypass: Java 7 Update 5-X (2012)
5 Conclusion
about:me
Frederik Braun
- Dipl. Ing. in IT-Security at Ruhr-Uni Bochum (2012): this research!
- Security Engineer at Mozilla in Berlin
- likes to play CTFs (say hi on twitter)
Motivation

Ambient Authentication
(illustration slide)

The Severity of a Same Origin Policy Bypass
(illustration slide)
What is an Origin?
origin = (scheme, hostname, port)

The Same Origin Policy (SOP)
"An origin (...) is often used as the scope of authority or privilege by user agents." (Barth)
"The same-origin policy is the most important mechanism we have to keep hostile web applications at bay, but it's also an imperfect one." (Zalewski)
Examples
Compare for URL ... : same-origin? (eight comparison slides; the compared URL pairs did not survive transcription, the last four involve about:blank)
Footnote: Internet Explorer doesn't care about ports.
JavaScript Object Hierarchy
window
  history
  document
  location
  frames
    frame (ebay)
    frame (amazon)
No Way Out? Exceptions
- Cookies
- window.location setter
- window.name persists
- document.domain
- Internet Explorer Zones
- CORS
- JSONP
- ...
SOP Wrap-Up
Summary
- read access: vendor specific
- JavaScript engine (object capability) vs. DOM (access control)
- the SOP is highly inhomogeneous
- no consistent reference implementation
Evaluation: All SOP Flaws are alike

SOP Bypass: Firefox (2007) (CVE )
Browser requests host harmless.com\x00.attacker.com
Servers: Server B = harmless.com, Server A = attacker.com
Layers involved: JavaScript (UTF-16 strings) vs. DNS (ASCIIZ, NUL-terminated strings); the two layers disagree about which of the two servers the host name denotes.

SOP Bypass: Flash (2010) (CVE )
Servers: Server B = harmless.com, Server A = attacker.com
Layers involved: Flash plugin vs. HTTP API

SOP Bypass: Java 7 Update 5-X (2012) (CVE TBA)
Browser requests a jar: URL
Servers: Server B = harmless.com, Server A = attacker.com
Layers involved: Java URL handler vs. HTTP API
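The following is an added example, not code from the slides or from the author: a small origin-tuple comparator that makes three points of the talk concrete, the (scheme, hostname, port) tuple, the Internet Explorer variant that ignores the port, and the Firefox 2007 root cause where the policy layer holds the host as a UTF-16 JavaScript string while the DNS layer reads a NUL-terminated C string. The parser is hand-rolled and simplified (no userinfo, no IPv6 literals) and all function names are hypothetical.

```javascript
// Added example (not from the original slides): origin tuple parsing and
// comparison, plus the host-name audit that a hardened parser performs
// before any origin comparison takes place.

const DEFAULT_PORTS = { http: 80, https: 443, ftp: 21 };

// The host as NUL-terminated C string code (DNS resolvers, sockets) reads it:
// everything after the first NUL byte is invisible to that layer.
function hostAsSeenByDns(host) {
  const nul = host.indexOf("\0");
  return nul === -1 ? host : host.slice(0, nul);
}

// Problems that make a host name ambiguous between the policy layer and the
// network layer. Returns an empty array when the host is plain and unambiguous.
function auditHost(host) {
  const problems = [];
  if (host.includes("\0")) {
    problems.push("embedded NUL: network layer sees " + JSON.stringify(hostAsSeenByDns(host)));
  }
  if (/[\x01-\x1f\x7f]/.test(host)) {
    problems.push("control character in host");
  }
  return problems;
}

// Parse a URL into its origin tuple. Simplified on purpose (no userinfo, no
// IPv6 literals) so that each step is visible. URLs without an authority
// component, such as about:blank, get an opaque origin that equals nothing.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]*)(?::(\d+))?(?:[/?#]|$)/i.exec(url);
  if (!m) return { opaque: true, reason: "no authority component" };
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const problems = auditHost(host);
  // Hardened behaviour: an ambiguous host never receives a real origin.
  if (problems.length > 0) return { opaque: true, reason: problems.join("; ") };
  const port = m[3] !== undefined ? Number(m[3]) : DEFAULT_PORTS[scheme];
  if (port === undefined) return { opaque: true, reason: "unknown default port for " + scheme };
  return { scheme, host, port };
}

// Same-origin check over the tuple. With ignorePort set it behaves like the
// Internet Explorer variant mentioned on the slides, which leaves the port out.
function sameOrigin(urlA, urlB, { ignorePort = false } = {}) {
  const a = parseOrigin(urlA);
  const b = parseOrigin(urlB);
  if (a.opaque || b.opaque) return false;
  if (a.scheme !== b.scheme || a.host !== b.host) return false;
  return ignorePort || a.port === b.port;
}

// Runs the comparisons a reader would want to see and returns them as rows.
function demo() {
  const pairs = [
    ["http://example.com/a", "http://example.com:80/b"], // default port: same origin
    ["http://example.com", "https://example.com"],       // scheme differs
    ["http://example.com", "http://example.com:8080"],   // port differs
    ["http://www.example.com", "http://example.com"],    // host differs
    ["about:blank", "about:blank"],                      // opaque origins never match
  ];
  const rows = pairs.map(([a, b]) => ({
    a,
    b,
    strict: sameOrigin(a, b),
    ieStyle: sameOrigin(a, b, { ignorePort: true }),
  }));
  // Constructed sample with the host-name shape shown on the Firefox 2007 slide.
  const tricky = "harmless.com\0.attacker.com";
  rows.push({
    a: JSON.stringify(tricky),
    policyLayerSees: tricky,
    dnsLayerSees: hostAsSeenByDns(tricky),
    parsedOrigin: parseOrigin("http://" + tricky + "/"),
  });
  return rows;
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

The last row of demo() is the point of the slide: the policy layer and the DNS layer see different hosts for the same string, and the hardened parser therefore refuses to assign it an origin at all.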
Demo
Conclusion: Same Origin Policy
- an inconsistent policy, vendor specific
- theoretically, it's a black list
- plugins: late 2012, Java in nearly 70% of all browsers but only 0.2% of websites; 2013: exploits, Click-To-Play, ...
But: there are safe & well designed security models on the horizon
Future Work: Automation?
(Picture by Jason Huggins on flickr)
"This same origin policy is the dumbest thing ever. ... All this protection serves to do is aggravate legitimate developers trying to get JavaScript to do the simplest of tasks." (Somebody on stackoverflow.com)
Thanks
References
- Barth, Adam. The Web Origin Concept. December.
- Q-Success. Usage of client-side programming languages for websites. side language/all. Last visited.
- Zalewski, Michal. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, November.
For all references please see the full thesis.
BlackHat Briefings, 2009 Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com Mike Zusman intrepidusgroup.com Introduction Chosen-prefix MD5 collisions allowed us
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationWeb Design Specialist
UKWDA Training: CIW Web Design Series Web Design Specialist Course Description CIW Web Design Specialist is for those who want to develop the skills to specialise in website design and builds upon existing
More informationSystem Requirements and Technical Prerequisites for SAP SuccessFactors HCM Suite
System Requirements and Technical Prerequisites for SAP SuccessFactors HCM Suite SAP SuccessFactors HCM Suite is a fully web-based offering. You will need an Internet connection and a system that meets
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationWeb Application Exploits
Monday, November 10, 2014 Resources: see final slide CS342 Computer Security Department of Computer Science Wellesley College Web Evolution o Static content: Server serves web pages created by people.
More informationDrive-by Enumeration of Web Filtering Solutions
An NCC Group Publication Drive-by Enumeration of Web Filtering Solutions Prepared by: Ben Williams Contents 1 List of Figures and Tables... 3 2 Introduction... 4 3 An Overview of Common Web Filtering Solutions...
More information