    Web Security Mistakes
    Giving the Client Your Trust
    http://grutztopia.jingojango.net
    SyScan - May 29, 2008
    Giving The Client Your Trust -- Don't.
    Agenda

    Who Am I
    Three Examples of Awesome Badness
    Rich Internet Apps (RIA) are not immune
    Internal Apps need review, too
    Q&A
    Who Am I

    Professional Corporate Penetration Tester (with a CISSP for business purposes) for nearly a decade
    Managed internal PT team for Federal Reserve Bank, now working at Pacific Gas & Electric
    Community contributor to Metasploit
    Developer of NTLM attack toolkit (coming soon)
    What is Client-Side Security
    Specifically, what do I mean by it?
    Using client-side technology such as JavaScript, Java, Flash, etc. to validate data before it is transmitted to the server.
    Not a new threat but one I regularly see "forgotten" about when performing penetration tests.
    "Hiding" data and performing functions within the client that should logically be performed on the server as well.
    Not the W3 Client-Side Security document by Lincoln Stein (http://www.w3.org/Security/Faq/wwwsf2.html)
    Still a good history on what we used to fear before the days of XSS - ActiveX, Java, IE 4.01, etc.
    Not talking about DOM security, same-origin policy, VM sandboxes, etc.
    Only concerned with values the end user can modify.
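
    An added example, not from the original slides: a server-side check that repeats the validation the page's JavaScript already did and ignores a hidden price field, since both are values the end user can modify. The catalogue, the field names (`sku`, `qty`, `price`) and the quantity limit are assumptions made for illustration.

```javascript
// Added example: server-side re-validation of an order form.
// CATALOGUE, field names and limits are constructed for illustration.
const CATALOGUE = Object.freeze({
  "sku-100": { name: "widget", priceCents: 1999 },
  "sku-200": { name: "gadget", priceCents: 4950 },
});
const MAX_QTY = 100;

// `fields` is the parsed request body: every value is user-controlled
// text, whatever the page's JavaScript checked before submitting it.
function validateOrder(fields, catalogue = CATALOGUE) {
  const errors = [];
  const tamper = []; // signals worth logging for detection

  const sku = typeof fields.sku === "string" ? fields.sku : "";
  const item = Object.prototype.hasOwnProperty.call(catalogue, sku)
    ? catalogue[sku] : null;
  if (!item) errors.push("unknown sku");

  // Repeat the client's "whole number, 1..MAX_QTY" check on the server.
  const qtyText = typeof fields.qty === "string" ? fields.qty : "";
  const qty = /^[0-9]{1,3}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!(qty >= 1 && qty <= MAX_QTY)) errors.push("qty out of range");

  // A hidden "price" field is ignored: the price comes from server data.
  // A mismatch means the form was edited, so record it.
  if (item && fields.price !== undefined &&
      String(fields.price) !== String(item.priceCents)) {
    tamper.push("price field modified");
  }

  if (errors.length > 0) return { ok: false, errors, tamper, totalCents: null };
  return { ok: true, errors, tamper, totalCents: item.priceCents * qty };
}

// Constructed submissions: one honest, two edited on the client.
const honest = validateOrder({ sku: "sku-100", qty: "2", price: "1999" });
const cheapened = validateOrder({ sku: "sku-100", qty: "2", price: "1" });
const negative = validateOrder({ sku: "sku-200", qty: "-5", price: "4950" });
console.log(honest, cheapened, negative);
```

    The edited price changes nothing about the total the server charges; it only shows up in `tamper`, which is the part worth sending to a log.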