Advanced applications-architecture-threats
1 like, 2,788 views
Blueinfy Solutions
This presentation covers advanced architectures and threats
Technology
1 of 18