securitystreams.tv

REST for the Wicked

contact@securitystreams.tv — Tue, 15 Sep 2009 00:09:59 +0000

Let’s face it: SOAP sucks. Especially when it comes to Web 2.0 applications. Many high-profile web sites have come to this same conclusion: Amazon, MySpace, Yahoo, and others are abandoning SOAP in favor of REST. REST (Representational State Transfer), and particularly REST used in combination with JSON, is faster, more scalable, and easier to implement than SOAP. But, do all these benefits come at the cost of security?

REST can be especially susceptible to attacks like Cross-Site Request Forgery and JavaScript Hijacking; and worse, the usual remediation tactics that developers use to defend their apps against these attacks do not apply to REST services. In this presentation, I will demonstrate threats facing RESTful web services, myth-bust commonly proposed defense techniques, and provide appropriate development practices for defending REST.

Defensive Rewriting

contact@securitystreams.tv — Sun, 13 Sep 2009 19:39:06 +0000

Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.

This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.

OWASP Top 10

contact@securitystreams.tv — Fri, 11 Sep 2009 23:02:14 +0000

The purpose of this presentation is to discuss the OWASP Top 10 2007 list of common vulnerabilities so that organizations are able to have insights into these issues in order to understand potential consequences.

OWASP Top 10 [Executive Briefing]

contact@securitystreams.tv — Tue, 08 Sep 2009 07:50:48 +0000

Cross Domain Leakiness [Executive Briefing]

contact@securitystreams.tv — Tue, 08 Sep 2009 07:28:27 +0000

In this presentation, we’ll see that cross-domain issues are still relatively common in browsers. The cross-domain issues can be split into two groups. First, there are out-and-out bugs that can be fixed relatively easily. These bugs tend to be in the less common cross-domain functional areas, and are often introduced with new cross-domain capable features. Interesting examples of such bugs will be discussed, and some new examples released.

Secondly, there are cross-domain leakages resulting from how browsers generally work by design or intent. These are unfortunately hard to fix without breaking things, and the regrettable consequence is often that web app developers have to beware of an increasing list of dangers. We will look at some new pitfalls here in the areas of cross-domain CSS, scripting and cookie handling.

Finally, there will be an interesting diversion that takes “sidejacking” to the max — looking at what you really can do if you are an active man-in-the-middle attacker looking to attack a victim who is carefully using only SSL sessions.

Cross Domain Leakiness

contact@securitystreams.tv — Tue, 08 Sep 2009 06:57:52 +0000