RIA and AJAX Security Workshop
Web 2.0 Expo Europe
21 October, 2008

Part 1: AJAX and Web Security
Alex Stamos
alex@

Agenda
  Introduction
    Who are we?
    Why care about AJAX?
  Attacks Against AJAX
    Discovery and Method Manipulation
    XSS
    Cross-Site Request Forgery
  Security of Popular Frameworks
    Java DWR
    SAJAX
    Microsoft ATLAS
    Google GWT
  Conclusion: How does AJAX change Web Attacks?
  Q&A

Introduction

Who are we?
  Alex is a Founder and Partner at iSEC Partners
    Application security consultants and researchers
    Based in San Francisco, offices in Seattle and New York

Why listen to this talk?
  New technologies are making web app security much more complicated
    This is obvious to anybody who reads the paper
      MySpace
      Yahoo
      Worming of XSS
  Our goals for what you should walk away with:
    Basic understanding of AJAX and different AJAX technologies
    Knowledge of how AJAX changes web attacks
    In-depth knowledge on XSS and CSRF in AJAX
    An opinion on whether you can trust your AJAX framework to “take care of security”

Shameless Plug Slide
  Slides available on SlideShare
    nt/web-20-expo-europe-2008
  Special thanks to:
    Scott Stender, Jesse Burns, and Brad Hill of iSEC Partners
    Amit Klein and Jeremiah Grossman for doing great work in this area
    Rich Cannings at Google
We are always looking for a few good geeks!
  careers@

Web 2.0
  A honeypot to get Venture Capital
    “We’ll synergize on the power of networks using AJAX, flash videos, and mash-ups!”
  Web 2.0 is really more of an attitude than a technology
    User-created content!!
      MySpace
      YouTube
    Social Networking!!
      MySpace
      Facebook
      LinkedIn
    Highly Interactive GUIs!!
      Google Maps
    Mash-Ups and Plugins!!
      Housingmaps
      A9
      RSS Aggregators

Web 2.0
  Not all “Web 2.0” sites use new technologies
    YouTube and MySpace are surprisingly boring on the wire
      iFrames, Flash Content, HTML Forms
  Not everybody needs as much technological innovation
    MySpace on the low end
    Google Maps / MSN Virtual Earth / RedFin on the high end
  For our part, we really care about the uses of new technologies
    AJA