SlideShare uma empresa Scribd logo

Ajax Security

D
drkimsky
1 de 44
Baixar para ler offline
Ajax Security Andrew van der Stock vanderaj@owasp.org OWASP AppSec Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
AJAX and Security Ajax Limited guidance New chapter in Guide OWASP AppSec Europe 2006
Compliance OWASP AppSec Europe 2006
Accessibility Accessibility is mandatory by law Except for “justifiable hardship” Corporations and governments No choice - do it! Personal web sites No one will come after you... but... OWASP AppSec Europe 2006
Accessibility Ask real users to test! Accessibility aides W3C WAI validator Basic tools OWASP AppSec Europe 2006
Back Button The most used button Ajax toolkits often destroy or hide it Support the Back Button! OWASP AppSec Europe 2006
Privacy “ ” You have no privacy. Get over it. Scott McNealy OWASP AppSec Europe 2006
Privacy “ Nothing that we have authorized conflicts with any law regarding privacy or any ” provision of the constitution. John Ashcroft OWASP AppSec Europe 2006
Privacy “ Relying on the government to protect your privacy is like asking a peeping tom to install ” your window blinds. John Perry Barlow OWASP AppSec Europe 2006
Privacy Ajax has client side state Local storage Caching Mash ups OWASP AppSec Europe 2006
Privacy ... not Javascript is clear text often cached regardless of browser settings Not private in any way OWASP AppSec Europe 2006
Privacy ... not DOM can be manipulated by hostile code Not private in any way OWASP AppSec Europe 2006
Privacy ... not Dojo.Storage uses Flash “Solution” for client-side persistent storage Not private in any way Often used for cross-domain postings... ARGH OWASP AppSec Europe 2006
Mash ups Who owns the data? Who gets the data? How are they going to handle it? OWASP AppSec Europe 2006
An example of a mash up OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Credit Rating Mashup OWASP AppSec Europe 2006
Contentious issues OWASP AppSec Europe 2006
Contentious issues OWASP AppSec Europe 2006
Access Control AppSec Europe 2006 OWASP
Authentication Don’t let any old caller in What’s okay without authentication? Authenticate new XMLHttpRequest sessions OWASP AppSec Europe 2006
Ask... o m a! N ok s! Lo kie coo OWASP AppSec Europe 2006
and ye shall receive eah ! Y y Bab e om pa! C a to p OWASP AppSec Europe 2006
Authorization Would you let Bart call your admin function? OWASP AppSec Europe 2006
Authorization Use same authorization methods Default deny; all actions should be denied unless allowed Error responses for no authorization OWASP AppSec Europe 2006
Sessions and State Management2006 OWASP AppSec Europe
Session Fixation Use toolkits which send session tokens Use proper session management to maintain the session OWASP Guide - Session Management chapter OWASP AppSec Europe 2006
Cross-domain XML Http Requests By security design, no browser supports this Many designs want to do this or already do this (Google Maps, etc) How to do it safely? Only with federated security OWASP AppSec Europe 2006
State management In the good olde days, state was on the server With Ajax, a lot more state is on the client Think “hidden fields” but so much worse OWASP AppSec Europe 2006
Sending state Validate all state before use Sending state to the client for display DOM injections HTML injections Only send changed state back OWASP AppSec Europe 2006
Exposing internal state Just because it’s faster doesn’t mean it’s wiser Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough now OWASP AppSec Europe 2006
Ajax Attack Prevention Europe 2006 OWASP AppSec
Injection Attacks PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now much easier XML injection - both client and server side Code injection - both client and server side OWASP AppSec Europe 2006
Data validation Data from XMLHttpRequest must be validated Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML injection OWASP AppSec Europe 2006
Ajax APIs OWASP AppSec Europe 2006
Reconstructing Ajax API Many Ajax apps have been “decoded” e.g. libgmail, GMail Agent API, gmail.py, etc Spawned GMailFS, Win32 Gmail clients, etc Do not assume your app is special - it will be decoded! GMail Agent API in action OWASP AppSec Europe 2006
GET APIs OWASP AppSec Europe 2006
Pseudo API Injection Almost all Ajax toolkits use GET by default Force them to use POST Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation eg: AJason, JPSpan and CPAINT (1.x) OWASP AppSec Europe 2006
Psuedo API Guess what I can do? Create proxy façades OWASP AppSec Europe 2006
Event Management OWASP AppSec Europe 2006
Error Handling Error handling is often neglected Parentless window syndrome Do not use Javascript alert() OWASP AppSec Europe 2006
Auditing Client-side auditing is a joke Auditing must be: comprehensive unavoidable tamper resistant OWASP AppSec Europe 2006
Questions Andrew van der Stock vanderaj@owasp.org Images: John Perry Barlow image used with permission OWASP Stock*Exchange Image After AppSec Andrew’s OWASP EU talks sponsored by Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/

Recomendados

Ajax Security
Ajax SecurityAjax Security
Ajax Securityamiable_indian
 
OWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościOWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościklagrz
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
23 owasp top 10 - resources
23 owasp top 10 - resources23 owasp top 10 - resources
23 owasp top 10 - resourcesappsec
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Clientdrkimsky
 
Vbaac
VbaacVbaac
Vbaacdrkimsky
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploitdrkimsky
 

Recomendados

Ajax Security
Ajax SecurityAjax Security
Ajax Securityamiable_indian
 
OWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościOWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościklagrz
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
23 owasp top 10 - resources
23 owasp top 10 - resources23 owasp top 10 - resources
23 owasp top 10 - resourcesappsec
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Clientdrkimsky
 
Vbaac
VbaacVbaac
Vbaacdrkimsky
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploitdrkimsky
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Csrf protector
Csrf protectorCsrf protector
Csrf protectorMinhaz A V
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Abwebnet
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
Android in the healthcare workplace
Android in the healthcare workplaceAndroid in the healthcare workplace
Android in the healthcare workplaceThomas Richards
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pjSébastien GIORIA
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiPaolo Perego
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-sJaroslav Mraz
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overviewNikola Milosevic
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 

Mais conteúdo relacionado

Semelhante a Ajax Security

Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
Csrf protector
Csrf protectorCsrf protector
Csrf protectorMinhaz A V
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Abwebnet
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011OWASPTunisia
 
Android in the healthcare workplace
Android in the healthcare workplaceAndroid in the healthcare workplace
Android in the healthcare workplaceThomas Richards
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiPaolo Perego
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-sJaroslav Mraz
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 

Semelhante a Ajax Security (20)

Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewalls
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Csrf protector
Csrf protectorCsrf protector
Csrf protector
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02Owasptunisiawebday2011 120112072523-phpapp02
Owasptunisiawebday2011 120112072523-phpapp02
 
Owasp tunisia web day 2011
Owasp tunisia web day 2011Owasp tunisia web day 2011
Owasp tunisia web day 2011
 
Android in the healthcare workplace
Android in the healthcare workplaceAndroid in the healthcare workplace
Android in the healthcare workplace
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Owasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi FiOwasp Orizon New Static Analysis In Hi Fi
Owasp Orizon New Static Analysis In Hi Fi
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
VMware Studio & vAPP-s
VMware Studio & vAPP-sVMware Studio & vAPP-s
VMware Studio & vAPP-s
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 

Ajax Security

  • 1. Ajax Security Andrew van der Stock vanderaj@owasp.org OWASP AppSec Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/
  • 2. AJAX and Security Ajax Limited guidance New chapter in Guide OWASP AppSec Europe 2006
  • 3. Compliance OWASP AppSec Europe 2006
  • 4. Accessibility Accessibility is mandatory by law Except for “justifiable hardship” Corporations and governments No choice - do it! Personal web sites No one will come after you... but... OWASP AppSec Europe 2006
  • 5. Accessibility Ask real users to test! Accessibility aides W3C WAI validator Basic tools OWASP AppSec Europe 2006
  • 6. Back Button The most used button Ajax toolkits often destroy or hide it Support the Back Button! OWASP AppSec Europe 2006
  • 7. Privacy “ ” You have no privacy. Get over it. Scott McNealy OWASP AppSec Europe 2006
  • 8. Privacy “ Nothing that we have authorized conflicts with any law regarding privacy or any ” provision of the constitution. John Ashcroft OWASP AppSec Europe 2006
  • 9. Privacy “ Relying on the government to protect your privacy is like asking a peeping tom to install ” your window blinds. John Perry Barlow OWASP AppSec Europe 2006
  • 10. Privacy Ajax has client side state Local storage Caching Mash ups OWASP AppSec Europe 2006
  • 11. Privacy ... not Javascript is clear text often cached regardless of browser settings Not private in any way OWASP AppSec Europe 2006
  • 12. Privacy ... not DOM can be manipulated by hostile code Not private in any way OWASP AppSec Europe 2006
  • 13. Privacy ... not Dojo.Storage uses Flash “Solution” for client-side persistent storage Not private in any way Often used for cross-domain postings... ARGH OWASP AppSec Europe 2006
  • 14. Mash ups Who owns the data? Who gets the data? How are they going to handle it? OWASP AppSec Europe 2006
  • 15. An example of a mash up OWASP AppSec Europe 2006
  • 16. Credit Rating Mashup OWASP AppSec Europe 2006
  • 17. Credit Rating Mashup OWASP AppSec Europe 2006
  • 18. Credit Rating Mashup OWASP AppSec Europe 2006
  • 19. Contentious issues OWASP AppSec Europe 2006
  • 20. Contentious issues OWASP AppSec Europe 2006
  • 21. Access Control AppSec Europe 2006 OWASP
  • 22. Authentication Don’t let any old caller in What’s okay without authentication? Authenticate new XMLHttpRequest sessions OWASP AppSec Europe 2006
  • 23. Ask... o m a! N ok s! Lo kie coo OWASP AppSec Europe 2006
  • 24. and ye shall receive eah ! Y y Bab e om pa! C a to p OWASP AppSec Europe 2006
  • 25. Authorization Would you let Bart call your admin function? OWASP AppSec Europe 2006
  • 26. Authorization Use same authorization methods Default deny; all actions should be denied unless allowed Error responses for no authorization OWASP AppSec Europe 2006
  • 27. Sessions and State Management2006 OWASP AppSec Europe
  • 28. Session Fixation Use toolkits which send session tokens Use proper session management to maintain the session OWASP Guide - Session Management chapter OWASP AppSec Europe 2006
  • 29. Cross-domain XML Http Requests By security design, no browser supports this Many designs want to do this or already do this (Google Maps, etc) How to do it safely? Only with federated security OWASP AppSec Europe 2006
  • 30. State management In the good olde days, state was on the server With Ajax, a lot more state is on the client Think “hidden fields” but so much worse OWASP AppSec Europe 2006
  • 31. Sending state Validate all state before use Sending state to the client for display DOM injections HTML injections Only send changed state back OWASP AppSec Europe 2006
  • 32. Exposing internal state Just because it’s faster doesn’t mean it’s wiser Keep sensitive state on the server, always Don’t obfuscate JavaScript - it’s hard enough now OWASP AppSec Europe 2006
  • 33. Ajax Attack Prevention Europe 2006 OWASP AppSec
  • 34. Injection Attacks PHP toolkits: look for code injection attacks JSON injection: be careful how you decode! DOM injection - client side attacks now much easier XML injection - both client and server side Code injection - both client and server side OWASP AppSec Europe 2006
  • 35. Data validation Data from XMLHttpRequest must be validated Perform validation after authorization checks Validate using same paths as existing code If you (de-)serialize, be aware of XML injection OWASP AppSec Europe 2006
  • 36. Ajax APIs OWASP AppSec Europe 2006
  • 37. Reconstructing Ajax API Many Ajax apps have been “decoded” e.g. libgmail, GMail Agent API, gmail.py, etc Spawned GMailFS, Win32 Gmail clients, etc Do not assume your app is special - it will be decoded! GMail Agent API in action OWASP AppSec Europe 2006
  • 38. GET APIs OWASP AppSec Europe 2006
  • 39. Pseudo API Injection Almost all Ajax toolkits use GET by default Force them to use POST Most PHP AJAX tool kits allow remote code injection by allowing client-side server code invocation eg: AJason, JPSpan and CPAINT (1.x) OWASP AppSec Europe 2006
  • 40. Psuedo API Guess what I can do? Create proxy façades OWASP AppSec Europe 2006
  • 41. Event Management OWASP AppSec Europe 2006
  • 42. Error Handling Error handling is often neglected Parentless window syndrome Do not use Javascript alert() OWASP AppSec Europe 2006
  • 43. Auditing Client-side auditing is a joke Auditing must be: comprehensive unavoidable tamper resistant OWASP AppSec Europe 2006
  • 44. Questions Andrew van der Stock vanderaj@owasp.org Images: John Perry Barlow image used with permission OWASP Stock*Exchange Image After AppSec Andrew’s OWASP EU talks sponsored by Europe Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document May 2006 under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org/