Artwork

Nội dung được cung cấp bởi Black Hat / CMP and Jeff Moss. Tất cả nội dung podcast bao gồm các tập, đồ họa và mô tả podcast đều được Black Hat / CMP and Jeff Moss hoặc đối tác nền tảng podcast của họ tải lên và cung cấp trực tiếp. Nếu bạn cho rằng ai đó đang sử dụng tác phẩm có bản quyền của bạn mà không có sự cho phép của bạn, bạn có thể làm theo quy trình được nêu ở đây https://vi.player.fm/legal.
Player FM - Ứng dụng Podcast
Chuyển sang chế độ ngoại tuyến với ứng dụng Player FM !

Arian J. Evans and Daniel Thompson: Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions

21:51
 
Chia sẻ
 

Manage episode 155121469 series 1146744
Nội dung được cung cấp bởi Black Hat / CMP and Jeff Moss. Tất cả nội dung podcast bao gồm các tập, đồ họa và mô tả podcast đều được Black Hat / CMP and Jeff Moss hoặc đối tác nền tảng podcast của họ tải lên và cung cấp trực tiếp. Nếu bạn cho rằng ai đó đang sử dụng tác phẩm có bản quyền của bạn mà không có sự cho phép của bạn, bạn có thể làm theo quy trình được nêu ở đây https://vi.player.fm/legal.
Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handing and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; The landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community. This presentation will: * Summarize and categorize what State, Session, and Authorization attacks are. * Provide you with a simple, effective Taxonomy for understanding the threats. * Provide you with an entirely new understanding of Cross-Site Scripting (XSS). * Disclose new Session and Authorization attacks released in recent months. * Show you how to attack your intranet from the Internet using Your browser without You knowing. * Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks. * Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts. * Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable. The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free. Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again. Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targest .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.
  continue reading

61 tập

Artwork
iconChia sẻ
 
Manage episode 155121469 series 1146744
Nội dung được cung cấp bởi Black Hat / CMP and Jeff Moss. Tất cả nội dung podcast bao gồm các tập, đồ họa và mô tả podcast đều được Black Hat / CMP and Jeff Moss hoặc đối tác nền tảng podcast của họ tải lên và cung cấp trực tiếp. Nếu bạn cho rằng ai đó đang sử dụng tác phẩm có bản quyền của bạn mà không có sự cho phép của bạn, bạn có thể làm theo quy trình được nêu ở đây https://vi.player.fm/legal.
Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handing and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; The landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community. This presentation will: * Summarize and categorize what State, Session, and Authorization attacks are. * Provide you with a simple, effective Taxonomy for understanding the threats. * Provide you with an entirely new understanding of Cross-Site Scripting (XSS). * Disclose new Session and Authorization attacks released in recent months. * Show you how to attack your intranet from the Internet using Your browser without You knowing. * Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks. * Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts. * Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable. The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free. Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again. Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targest .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.
  continue reading

61 tập

Tất cả các tập

×
 
Loading …

Chào mừng bạn đến với Player FM!

Player FM đang quét trang web để tìm các podcast chất lượng cao cho bạn thưởng thức ngay bây giờ. Đây là ứng dụng podcast tốt nhất và hoạt động trên Android, iPhone và web. Đăng ký để đồng bộ các theo dõi trên tất cả thiết bị.

 

Hướng dẫn sử dụng nhanh