“Advanced Web Application Security” by Jeremiah Grossman and Joe Walker @ JavaOne 2008

The queue for this session was huge and started outside of the Moscone center. It was interesting and well organized but the characterization “advanced” was not very accurate. Of course you cannot have any “advanced” presentation on a crowd of hundreds and you should give Jeremiah and Joe the credit for keeping a good balance.

Here are some points that are not very trivial:

  • You can mess with your friends Google search history with simple basic CSRF
  • The OWASP servlet filter is a nice tool
  • Mentioned a way to make a double cookie check both on the body and the HTTP headers and said that it was the way DWR works, but didn’t quite elaborate on it.
  • They mentioned several times that there is a wrong and right way to use JSON and it would be nice to provide more details but I suppose time was an issue.
  • Maybe the corner stone of JavaScript hacking is the action to override Object(). This is also a nice way to do AOP.
  • There are many-many places where JavaScript is executed in a web page besides the <script> element like attributes (javascript:), event listeners, browser specific event listeners, CSS (inline and imports), etc. so…
    • … you might consider using AntiSamy
  • With XSS you can grab the secret token and then launch a CSRF

Some things that I feel that should also be added in a similar presentation should be:

    • Application layer firewalls like mod_security
    • Hacking browser extensions that users typically have like firebug, Greasemonkey, etc.
    • Protecting your app from malicious JSON
    • Browser standards compliance mode (IE8 ) as a way to protect from attacks that aim at malformed HTML
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s