Arian J. Evans and Daniel Thompson: Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Black Hat / CMP and Jeff Moss에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 Black Hat / CMP and Jeff Moss 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.

18y ago 21:51

MP3•에피소드 홈

Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handing and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; The landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community. This presentation will: * Summarize and categorize what State, Session, and Authorization attacks are. * Provide you with a simple, effective Taxonomy for understanding the threats. * Provide you with an entirely new understanding of Cross-Site Scripting (XSS). * Disclose new Session and Authorization attacks released in recent months. * Show you how to attack your intranet from the Internet using Your browser without You knowing. * Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks. * Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts. * Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable. The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free. Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again. Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targest .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.

61 에피소드