SlideShare une entreprise Scribd logo

Owasp talk-november-08

S
Security Ninja

HTML5 and local storage security at OWASP Ireland chapter meeting in 2008 by David Rook.

Technologie
1  sur  35
Télécharger pour lire hors ligne
David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
The Internet is going offline and ...... David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
The Internet is going offline and ...... The world is going to end (Title inspired by the world ending DNS bug and ClickJacking) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Agenda Introduction The web is on a diet, no more cookies! Access Control Same Origin Issues SQL Issues David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Isn’t the idea to be online? Increased complexity and capability of web applications Traditional applications going “online” such as documents, spreadsheets and task managers This is a trend that many web applications will consider Improved application performance David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 2008 - HTML 5 (draft) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging Offline Storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Google Gears A web browser plugin First to provide offline capabilities Now embracing/extending HTML 5 Applications such as RTM and Google Docs Currently at version 0.4 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
No more cookies! No longer sufficient for Web 2.0 They are small (IE enforces a 4KB limit) Not designed for offline storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SessionStorage The closest thing to cookies in HTML 5 Used when: A user is carrying out a single transaction A user wants to carry out multiple transactions in multiple windows One object per origin Uses the sessionStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SessionStorage For example, a page could have a checkbox that the user ticks to indicate that he wants insurance: <label> <input type="checkbox" onchange="sessionStorage.insurance = checked"> I want insurance on this trip. </label> A later page could then check, from script, whether the user had checked the checkbox or not: if (sessionStorage.insurance) { ... } David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
LocalStorage Designed to allow client side storage Used when: Storing users data on the client (i.e. documents) Data from multiple windows stored in one object One object per origin Uses the localStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
LocalStorage The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page: <p> You have viewed this page <span id="count">an untold number of</span> time(s). </p> <script> if (!localStorage.pageLoadCount) localStorage.pageLoadCount = 0; localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1; document.getElementById('count').textContent = localStorage.pageLoadCount; </script> David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Local Databases Enables structured client side data storage Used when: Data such as emails need to be stored locally Shopping carts, documents, authentication data etc One object per origin Uses SQL Lite Databases David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Security Issues .... David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Access Control No requirement to ask for users authorisation in HTML 5 Local objects only protected by local OS policies Cross domain requests will be supported No authentication with SQL Lite David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Same Origin Issues Same Origin Policy based on current implementations Use known vulnerabilities to access local data Buxfer example David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Same Origin Issues David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SQL Database Attacks David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale Cross Domain Read and Write capabilities No size limit enforced by default (Origins choice) Google Gears guidance? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale Cross Domain Read and Write capabilities No size limit enforced by default (Origins choice) Google Gears guidance? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Trends Web application adoption increasing Bringing desktop functionality to your browser No longer a strict client/server model David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Trends David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Trends David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Trends Web application adoption increasing Bringing desktop functionality to your browser No longer a strict client/server model Google Gears the likely winner David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Future Work More detailed research in this area Whitepaper to be produced by us on this subject Proof of concept exploits hosted on Security Ninja Profit David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
Questions? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!

Recommandé

Dennis Clark & RYAN SEACREST - morning show magic
Dennis Clark & RYAN SEACREST - morning show magicDennis Clark & RYAN SEACREST - morning show magic
Dennis Clark & RYAN SEACREST - morning show magicMyRadioFashion
 
SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurity Ninja
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Security Ninja
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurity Ninja
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7Security Ninja
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17Security Ninja
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 

Recommandé

Dennis Clark & RYAN SEACREST - morning show magic
Dennis Clark & RYAN SEACREST - morning show magicDennis Clark & RYAN SEACREST - morning show magic
Dennis Clark & RYAN SEACREST - morning show magicMyRadioFashion
 
SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurity Ninja
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Security Ninja
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurity Ninja
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7Security Ninja
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17Security Ninja
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
Vault and Security as a Service
Vault and Security as a ServiceVault and Security as a Service
Vault and Security as a ServicePatrick Shields
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedJames '​-- Mckinlay
 
Reallinx Overview
Reallinx OverviewReallinx Overview
Reallinx OverviewJeff Davidson
 
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...BCC - Solutions for IBM Collaboration Software
 
Sec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - finalSec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - finalJosh Bregman
 
Guardian Open Platform Launch Event
Guardian Open Platform Launch EventGuardian Open Platform Launch Event
Guardian Open Platform Launch EventMatt McAlister
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Intuit Analytics Cloud 101
Intuit Analytics Cloud 101Intuit Analytics Cloud 101
Intuit Analytics Cloud 101DataWorks Summit/Hadoop Summit
 
How do I activate my Webroot keycode?
How do I activate my Webroot keycode?How do I activate my Webroot keycode?
How do I activate my Webroot keycode?NovellaJohns
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackLaurenWendler
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Armyconjur_inc
 
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Mike Martin
 
OFFICE 365 SECURITY
OFFICE 365 SECURITYOFFICE 365 SECURITY
OFFICE 365 SECURITYSylvain Martinez
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsC4Media
 
EIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentialsEIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentialsMaarten Decat
 
Post Wannacry Update
Post Wannacry UpdatePost Wannacry Update
Post Wannacry UpdateThomas Springer
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security PresentationSimplex
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?QualiQuali
 
Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013Security Ninja
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application StorySecurity Ninja
 

Contenu connexe

Similaire à Owasp talk-november-08

Vault and Security as a Service
Vault and Security as a ServiceVault and Security as a Service
Vault and Security as a ServicePatrick Shields
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedJames '​-- Mckinlay
 
Sec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - finalSec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - finalJosh Bregman
 
Guardian Open Platform Launch Event
Guardian Open Platform Launch EventGuardian Open Platform Launch Event
Guardian Open Platform Launch EventMatt McAlister
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
How do I activate my Webroot keycode?
How do I activate my Webroot keycode?How do I activate my Webroot keycode?
How do I activate my Webroot keycode?NovellaJohns
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackLaurenWendler
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Armyconjur_inc
 
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Mike Martin
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceJason Bloomberg
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsC4Media
 
EIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentialsEIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentialsMaarten Decat
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security PresentationSimplex
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?QualiQuali
 

Similaire à Owasp talk-november-08 (20)

Vault and Security as a Service
Vault and Security as a ServiceVault and Security as a Service
Vault and Security as a Service
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
Reallinx Overview
Reallinx OverviewReallinx Overview
Reallinx Overview
 
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
 
Sec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - finalSec devops 2.0 managing your robot army - final
Sec devops 2.0 managing your robot army - final
 
Guardian Open Platform Launch Event
Guardian Open Platform Launch EventGuardian Open Platform Launch Event
Guardian Open Platform Launch Event
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Intuit Analytics Cloud 101
Intuit Analytics Cloud 101Intuit Analytics Cloud 101
Intuit Analytics Cloud 101
 
How do I activate my Webroot keycode?
How do I activate my Webroot keycode?How do I activate my Webroot keycode?
How do I activate my Webroot keycode?
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover Track
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
 
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
 
OFFICE 365 SECURITY
OFFICE 365 SECURITYOFFICE 365 SECURITY
OFFICE 365 SECURITY
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surfaceThe cyber house of horrors - securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surface
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient Systems
 
EIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentialsEIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentials
 
Post Wannacry Update
Post Wannacry UpdatePost Wannacry Update
Post Wannacry Update
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?
 

Plus de Security Ninja

The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application StorySecurity Ninja
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecuritySecurity Ninja
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecuritySecurity Ninja
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio WorkshopSecurity Ninja
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - AgnitioSecurity Ninja
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinSecurity Ninja
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSSSecurity Ninja
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applicationsSecurity Ninja
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Security Ninja
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure DevelopmentSecurity Ninja
 

Plus de Security Ninja (11)

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 

Dernier

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Owasp talk-november-08

  • 1. David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 2. The Internet is going offline and ...... David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 3. The Internet is going offline and ...... The world is going to end (Title inspired by the world ending DNS bug and ClickJacking) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 4. Agenda Introduction The web is on a diet, no more cookies! Access Control Same Origin Issues SQL Issues David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 5. Isn’t the idea to be online? Increased complexity and capability of web applications Traditional applications going “online” such as documents, spreadsheets and task managers This is a trend that many web applications will consider Improved application performance David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 6. HTML history 1955 - Tim Berners-Lee David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 7. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 8. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 9. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 10. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 11. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 2008 - HTML 5 (draft) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 12. So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 13. So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging Offline Storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 14. Google Gears A web browser plugin First to provide offline capabilities Now embracing/extending HTML 5 Applications such as RTM and Google Docs Currently at version 0.4 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 15. No more cookies! No longer sufficient for Web 2.0 They are small (IE enforces a 4KB limit) Not designed for offline storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 16. SessionStorage The closest thing to cookies in HTML 5 Used when: A user is carrying out a single transaction A user wants to carry out multiple transactions in multiple windows One object per origin Uses the sessionStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 17. SessionStorage For example, a page could have a checkbox that the user ticks to indicate that he wants insurance: <label> <input type="checkbox" onchange="sessionStorage.insurance = checked"> I want insurance on this trip. </label> A later page could then check, from script, whether the user had checked the checkbox or not: if (sessionStorage.insurance) { ... } David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 18. LocalStorage Designed to allow client side storage Used when: Storing users data on the client (i.e. documents) Data from multiple windows stored in one object One object per origin Uses the localStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 19. LocalStorage The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page: <p> You have viewed this page <span id="count">an untold number of</span> time(s). </p> <script> if (!localStorage.pageLoadCount) localStorage.pageLoadCount = 0; localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1; document.getElementById('count').textContent = localStorage.pageLoadCount; </script> David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 20. Local Databases Enables structured client side data storage Used when: Data such as emails need to be stored locally Shopping carts, documents, authentication data etc One object per origin Uses SQL Lite Databases David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 21. David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 22. Security Issues .... David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 23. Access Control No requirement to ask for users authorisation in HTML 5 Local objects only protected by local OS policies Cross domain requests will be supported No authentication with SQL Lite David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 24. Same Origin Issues Same Origin Policy based on current implementations Use known vulnerabilities to access local data Buxfer example David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 25. Same Origin Issues David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 26. SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 27. SQL Database Attacks David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 28. SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale Cross Domain Read and Write capabilities No size limit enforced by default (Origins choice) Google Gears guidance? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 29. SQL Database Attacks SQL Injection, the obvious attack? Same problems we are already seeing but on a wider scale Cross Domain Read and Write capabilities No size limit enforced by default (Origins choice) Google Gears guidance? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 30. Trends Web application adoption increasing Bringing desktop functionality to your browser No longer a strict client/server model David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 31. Trends David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 32. Trends David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 33. Trends Web application adoption increasing Bringing desktop functionality to your browser No longer a strict client/server model Google Gears the likely winner David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 34. Future Work More detailed research in this area Whitepaper to be produced by us on this subject Proof of concept exploits hosted on Security Ninja Profit David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 35. Questions? David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!