
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.


Slide 1: Advanced Web Hacking
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, 6th OWASP AppSec Conference, Milan - May 2007, http://www.owasp.org/
Petko D. Petkov, Senior IT Security Consultant, pdp@gnucitizen.org

Slide 2: Powered by...

Slide 3: Clarifications!!!
- Not everything is in the slides!
- The subject is quite big!
- Talk to me after the presentation!
- Check the references!

Slide 4: Topics to Discuss
- Introduction
  - Web Security since 2005
  - The State of JavaScript Hacking
- Main
  - Web Security 2007
  - Web Exploits
  - Security Mashups
  - Worms and Bots

Slide 5: Web Security since 2005
- They have always been with us
  - XSS
  - CSRF
  - Browser Port Scanners
  - CSS History Stealers
  - Application State Scanners
  - Inter-protocol Communication Techniques
  - Same Origin Policy Unification Techniques
  - JIKTO – browser based security scanner

Slide 6: The State of JavaScript Hacking
- JavaScript is a GLUE Technology
  - Web Pages
  - Adobe Products
  - WSCRIPT and CSCRIPT
  - Mobile Devices
- One Language to Rule Them All
  - Cross-site scripting
  - Cross-zone scripting

Slide 7: Web Security 2007
- Web Exploits
- Security Mashups
- Worms and Botnets

Slide 8: Web Exploits
- The need for web exploits
  - for testing purposes
  - for demonstration purposes
- non-exploitative web app testing does not exist
  - How to test for SQL Injection without exploiting the application?
  - How to test for Cross-site scripting without exploiting the application?
  - My name is O'Neill.

Slide 9: Web Exploits
- Hundreds of them available online already!
  - Milw0rm
  - Full-disclosure
- Who is going to unify them?
- Exploit Environments
  - Metasploit – good but limiting
  - The Browser – probably what we want

Slide 10: Web Exploits
- The browser as exploit development framework

Slide 11: Web Exploits
- Pragmatics
  - Code
- Semantics
  - Database
  - Services
- All together
  - Mashup

Slide 12: Security Mashups
- A Mashup is…
  - a website or application that combines content from more than one source into an integrated experience. (Wikipedia)
  - largely based on online services and APIs.
  - a way to circumvent various browser limitations.

Slide 13: Security Mashups
- Technology
  - XML – it all started with that
  - XMLRPC – unifies the data structure
  - SOAP – defines the transportation mechanism
  - JSON – plays nice with browsers
- Benefits
  - Distributed Knowledge
  - Distributed Processing Power

Slide 14: Security Mashups
- A Security Mashup is…
  - a way to create largely distributed testing infrastructures.
  - a mechanism for instantly accruing dynamic knowledge.
  - a mechanism that has a lot of potential for bad purposes.
  - a way to bypass the Same Origin Policies to an extent.

Slide 15: Security Mashups
- Origin Unification with Proxies

Slide 16: Security Mashups
- Origin Unification with Services
  - we are interested in the data, not the data retrieving mechanism
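The Same Origin Policy that slides 14 to 16 work around is, at its core, a comparison of scheme, host and port, and it only governs some ways of reading a response. The following is an added example (written for this page, not code from the slides or from GNUCITIZEN) that implements that comparison in Node.js and models which read paths it covers: XMLHttpRequest is blocked cross-origin unless the server opts in with a CORS Access-Control-Allow-Origin header (a later mechanism, not part of the 2007 talk), while script inclusion was never origin-restricted, which is the gap the proxy and service approaches rely on. The `canRead` function and its `mechanism` argument are this example's own simplification, not a browser API.

```javascript
// Added example, not part of the original slides. Runs under Node.js (URL is a global).
// Models the Same Origin Policy check and which cross-origin read paths it covers.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Canonical origin of a URL as "scheme//host:port", with default ports filled in,
// so that http://example.com/ and http://example.com:80/x compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// The SOP test itself: same scheme, same host, same port.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Can a page at pageUrl read the bytes of resourceUrl? The mechanism argument is this
// example's simplification: 'xhr' behaves like XMLHttpRequest, 'script' like <script src>.
// corsAllowOrigin stands for the server's Access-Control-Allow-Origin header value, if any.
function canRead(pageUrl, resourceUrl, mechanism, corsAllowOrigin) {
  if (sameOrigin(pageUrl, resourceUrl)) return true;
  if (mechanism === 'script') {
    // Script inclusion was never origin-restricted: the response executes in the page,
    // so whatever it hands to a callback is readable. This is the "JavaScript on demand" channel.
    return true;
  }
  if (mechanism === 'xhr' && typeof corsAllowOrigin === 'string') {
    if (corsAllowOrigin === '*') return true;
    try {
      return sameOrigin(pageUrl, corsAllowOrigin);
    } catch (e) {
      return false; // malformed header value: fail closed
    }
  }
  return false; // cross-origin XHR without an explicit server opt-in is not readable
}
```

For a defender the useful reading is the asymmetry: an API that answers plain JSON to XHR is protected by the policy, while the same data exposed through a callback-wrapped script is readable by any page that can name the URL, so the decision to offer the second form is a decision about who may read the data.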

Slide 17: Security Mashups
- APIs
  - Google
    - AJAX Search API – search API
    - AJAX Feed API – RSS feed API
  - Yahoo
    - Pipes – mashup power tool
  - Dapper
    - Dapper – screen scraping tool

Slide 18: Security Mashups
- Services
  - DIGG
    - DIGG – user powered content
  - TinyURL
    - TinyURL – URL/data storage service

Slide 19: Security Mashups
- Yahoo Pipes TinyURL FS

Slide 20: Security Mashups
- Yahoo Pipes Google Proxy

Slide 21: Security Mashups
- JIKTO in a lot less lines of code

    function handleData(d) {
        for (var i in d.items) {             // the slide reads "for (var i d.items)"; the "in" is missing
            ypipeProxy(target + d.items[i]); // fetch each discovered item through the Pipes proxy
        }
    }

    function handleYPipeProxy(d) {
        // read the data from here
    }

- JavaScript on demand (aka JSON) in YPipes
  http://pipes.yahoo.com/pipes/pipe.run?_id=nvTyLSDv2xGkB7MlJhOy0Q&_run=1&_render=json&_callback=handleYPipeProxy&url=http%3A//example.com
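The `_callback=handleYPipeProxy` parameter in the URL above is the "JavaScript on demand" pattern (commonly called JSONP): the service wraps its JSON in a call to a client-chosen function name and the browser runs the result as script. Two consequences follow for anyone operating or consuming such a service, and this added example (written for this page, not code from the slides, from GNUCITIZEN or from Yahoo; the response object shape and the function names are constructed) shows both: the server must treat the callback name as untrusted input and emit it only after a strict identifier check, and the consumer should unwrap the wrapper and `JSON.parse` the argument rather than executing the body.

```javascript
// Added example, not part of the original slides. Node.js, no dependencies.
// Server side: emit a JSONP response only for a strictly validated callback name.
// Client side: unwrap a JSONP body and parse it as JSON instead of executing it.

// A dotted JavaScript identifier path such as handleYPipeProxy or app.cb; nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Constructed response shape { status, headers, body }; not any framework's API.
function buildJsonpResponse(callbackName, payload) {
  if (!isValidCallbackName(callbackName)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  // JSON is valid JavaScript except for U+2028/U+2029, which some engines treat as
  // line terminators inside script; escape them so payload data cannot break the call.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      // Declare the body as script and forbid content sniffing so the receiving
      // browser cannot reinterpret it as HTML or another type.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading /**/ is a widely used prefix that stops the first bytes of the
    // body from being mistaken for another file format by sniffing plugins.
    body: `/**/ ${callbackName}(${json});`,
  };
}

// Consumer: accept only the callback name we asked for and JSON.parse the argument.
// Returns the payload object, or null if the body is not the expected wrapper.
function extractJsonpPayload(body, expectedCallback) {
  if (!isValidCallbackName(expectedCallback)) return null;
  const name = expectedCallback.replace(/[.$]/g, '\\$&'); // escape regex metacharacters
  const re = new RegExp(`^\\s*(?:/\\*\\*/\\s*)?${name}\\((.*)\\);?\\s*$`, 's');
  const m = re.exec(body);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch (e) {
    return null; // the argument was not plain JSON: refuse rather than evaluate it
  }
}
```

The identifier check is the part that matters most on the server: a callback parameter reflected verbatim into a `application/javascript` body is attacker-controlled script, so the allowed alphabet has to be decided before anything is echoed. On the client, parsing instead of executing turns the cross-origin script channel back into a data channel, which is what the "we are interested in the data" remark on slide 16 amounts to when done safely.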

Slide 22: Security Mashups
- JavaScript Spider
  - quite stable

    function spider(url, callback, conf) {
        var conf = (conf != undefined) ? conf : {};
        conf.pipe = (conf.pipe != undefined) ? conf.pipe : 'lruY6uXk2xGdxK66l7okhQ';
        conf.depth = (conf.depth != undefined) ? conf.depth : 3;
        function walkJSON(j, c) {
            if (typeof(c) != 'function') {
                return;
    …

Slide 23: Security Mashups
- Malicious code and security testing tools

Slide 24: Security Mashups
- Possibilities are endless!
- Time for a demo!

Slide 25: Worms and Bots
- No hosting required
- Totally distributed
- Dynamically managed
- Impossible to fight against
- Do you have any ideas?
- How shall we handle this problem?

Slide 26: Worms and Bots
- Worms and Bots look like normal Web applications
- JavaScript malware is too dynamic to be handled by signatures

Slide 27: Worms and Bots
- Controlling Botnets through DIGG

Slide 28: Worms and Bots
- Where does this leave us?
  - Even experts can't tell.
- What shall we do?
  - Improve community awareness.
- Will we see 2NG Sammy?
  - It is inevitable.
- How to protect against it?
  - Be very conscious of your Web activities.

Slide 29: References
- GNUCITIZEN
  - http://www.gnucitizen.org
  - http://www.gnucitizen.org/projects/6th-owasp-conference
- Yahoo Pipes
  - http://pipes.yahoo.com
- Google APIs
  - http://code.google.com
- Dapper
  - http://www.dapper.net

Slide 30: Questions?
- Win a book.
- Share your thoughts.

