Owasp talk-november-08
David Rook                           Conor McGoveran
Security Analyst - Realex Payments   Managing Director - Onformonics Ltd
Founder of www.securityninja.co.uk   Compliance Management Solutions
Information Security Evangelist      1,0 - there, my two bits!
The Internet is going offline
                    and ......
            The world is going to end
                    (Title inspired by the world ending DNS bug and ClickJacking)

Agenda
Introduction
The web is on a diet, no more cookies!
Access Control
Same Origin Issues
SQL Issues

Isn’t the idea to be online?
Increased complexity and capability of web applications
Traditional applications going “online” such as documents, spreadsheets and task managers
This is a trend that many web applications will consider
Improved application performance

HTML history

1955 - Tim Berners-Lee
1991 - HTML Tags
1995 - HTML 2
1997 - HTML 3.2
1999 - HTML 4.01
2008 - HTML 5 (draft)

So, why HTML 5?
New elements such as <audio> and <video>
Elements such as <font> and <center> removed
New APIs:
Drag and Drop
Timed media playback
Messaging
Offline Storage

Google Gears
A web browser plugin

First to provide offline capabilities

Now embracing/extending HTML 5

Applications such as RTM and Google Docs

Currently at version 0.4

No more cookies!
No longer sufficient for Web 2.0

They are small (IE enforces a 4KB limit)

Not designed for offline storage

SessionStorage
The closest thing to cookies in HTML 5
Used when:
A user is carrying out a single transaction
A user wants to carry out multiple transactions in multiple windows
One object per origin
Uses the sessionStorage DOM object to access data

For example, a page could have a checkbox that the user ticks to indicate that they want insurance:
<label>
 <input type="checkbox" onchange="sessionStorage.insurance = checked">
 I want insurance on this trip.
</label>

A later page could then check, from script, whether the user had ticked the checkbox. Web Storage holds strings only, so the boolean is stored as "true" or "false" and has to be compared as a string (a bare truthiness test would treat "false" as ticked):
if (sessionStorage.insurance === 'true') { ... }

LocalStorage
Designed to allow client side storage
Used when:
Storing users data on the client (i.e. documents)
Data from multiple windows stored in one object
One object per origin
Uses the localStorage DOM object to access data

The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page:
<p>
  You have viewed this page
  <span id="count">an untold number of</span>
  time(s).
</p>

<script>
  if (!localStorage.pageLoadCount)
    localStorage.pageLoadCount = 0;
  localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
  document.getElementById('count').textContent = localStorage.pageLoadCount;
</script>
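The sessionStorage and localStorage snippets above write raw values straight onto the storage object. The following is an added example, not code from the slides or from the HTML5 specification: a small wrapper over the Web Storage API that deals with the two things the raw API leaves to the page author. Values are always strings, so a stored boolean false reads back as the truthy string "false"; and everything in an origin's storage is readable and writable by any script that runs in that origin, protected (as a later slide puts it) only by local OS policy, so the wrapper refuses to persist credential-type keys and tolerates tampered values. `MemoryStorage`, `TypedStorage`, the `shop` namespace and the `FORBIDDEN_KEYS` deny-list are constructed for this example; in a browser you would pass `window.localStorage` or `window.sessionStorage` instead of `MemoryStorage`.

```javascript
// Added example: typed, namespaced wrapper over the HTML5 Web Storage API.
// MemoryStorage is a constructed stand-in with the same getItem/setItem/
// removeItem surface as window.localStorage, so the code runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); } // browsers stringify too
  removeItem(key) { this.map.delete(key); }
  get length() { return this.map.size; }
}

// Keys that must never land in client-side storage: any script injected into
// the origin can read them and localStorage survives on the user's disk.
// This deny-list is an assumption for the example, not part of any spec.
const FORBIDDEN_KEYS = new Set(['password', 'session_token', 'card_number']);

class TypedStorage {
  constructor(storage, namespace) {
    this.storage = storage;
    this.prefix = namespace + ':'; // keeps one app's keys apart from another's on the same origin
  }
  set(key, value) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('refusing to persist sensitive key: ' + key);
    }
    // JSON keeps the type: false stays a boolean, 0 stays a number.
    this.storage.setItem(this.prefix + key, JSON.stringify(value));
  }
  get(key, fallback = null) {
    const raw = this.storage.getItem(this.prefix + key);
    if (raw === null) return fallback;
    try {
      return JSON.parse(raw);
    } catch (e) {
      // Storage is writable by every same-origin script, so a value that does
      // not parse is treated as absent instead of breaking the page.
      return fallback;
    }
  }
  remove(key) { this.storage.removeItem(this.prefix + key); }
}

// The slide's page-load counter, rewritten on top of the wrapper.
function bumpPageLoadCount(store) {
  const next = store.get('pageLoadCount', 0) + 1;
  store.set('pageLoadCount', next);
  return next;
}

// The slide's insurance checkbox, read back with its type intact.
function wantsInsurance(store) {
  return store.get('insurance', false) === true;
}

// The pitfall the wrapper avoids: with the raw API a stored false becomes the
// non-empty string "false", which a truthiness test accepts as ticked.
function rawInsuranceCheck(storage) {
  storage.setItem('insurance', false);
  return Boolean(storage.getItem('insurance')); // true, although the user said no
}
```

`get` returning the fallback on a parse failure is a deliberate choice: the alternative, throwing, turns a tampered or corrupted entry into a broken page, while the fallback simply re-initialises that one value.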


Local Databases
Enables structured client side data storage
Used when:
Data such as emails need to be stored locally
Shopping carts, documents, authentication data etc
One object per origin
Uses SQLite databases

Security Issues ....

Access Control
No requirement to ask for the user's authorisation in HTML 5
Local objects only protected by local OS policies
Cross domain requests will be supported
No authentication with SQLite

Same Origin Issues
Same Origin Policy based on current implementations
Use known vulnerabilities to access local data
Buxfer example

SQL Database Attacks
SQL Injection, the obvious attack?
Same problems we are already seeing but on a wider scale
Cross Domain Read and Write capabilities
No size limit enforced by default (the origin's choice)
Google Gears guidance?
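The "obvious attack" on the slide is the same string-concatenation mistake that produces SQL injection on the server, now reproduced in page script against the client-side database. The following is an added example, not code from the slides, Google Gears or the HTML5 specification: the vulnerable lookup beside its parameterised form, written against the shape of the HTML5 client-side database API as drafted at the time (`openDatabase(...)`, `db.transaction(tx => tx.executeSql(sql, args, onSuccess, onError))`, since withdrawn from the specification and from browsers). The `emails` table and its columns, the `RecordingTransaction` stand-in for the transaction object and `inputLeakedIntoSql` are constructed for this example so that it runs outside a browser.

```javascript
// Added example: parameterised vs concatenated statements against the
// HTML5 client-side (SQLite-backed) database. Table and columns are made up.
const EMAIL_LOOKUP = 'SELECT subject, body FROM emails WHERE sender = ?';

// Vulnerable: the user-controlled sender is spliced into the statement text,
// so a quote in the input changes the query instead of the data.
function buildLookupUnsafe(sender) {
  return "SELECT subject, body FROM emails WHERE sender = '" + sender + "'";
}

// Hardened: the statement is a constant and the value travels in the
// argument array, which the database binds as data, never as SQL.
function buildLookupSafe(sender) {
  return { sql: EMAIL_LOOKUP, args: [sender] };
}

// Runs the hardened lookup on a transaction object with the Web SQL
// executeSql(sql, args, onSuccess, onError) signature and hands the rows on.
function lookupEmails(tx, sender, onRows) {
  const { sql, args } = buildLookupSafe(sender);
  tx.executeSql(sql, args, function (t, result) {
    const rows = [];
    for (let i = 0; i < result.rows.length; i++) rows.push(result.rows.item(i));
    onRows(rows);
  }, function (t, err) {
    onRows([], err);
    return false; // do not roll back the whole transaction for one failed read
  });
}

// Constructed stand-in for the SQLTransaction that db.transaction() supplies:
// it records the statement and its bound parameters instead of executing them.
class RecordingTransaction {
  constructor() { this.calls = []; }
  executeSql(sql, args, onSuccess) {
    this.calls.push({ sql: sql, args: args.slice() });
    onSuccess(this, { rows: { length: 0, item: function () { return null; } } });
  }
}

// Cheap review-time check: user input that appears verbatim inside the
// statement text was concatenated, not bound as a parameter.
function inputLeakedIntoSql(sql, input) {
  return sql.includes(input);
}
```

In a browser the same function would be driven with `openDatabase('mail', '1.0', 'Mail cache', 5 * 1024 * 1024).transaction(function (tx) { lookupEmails(tx, sender, render); })`; the point of `RecordingTransaction` is that the statement reaching the database is the constant `EMAIL_LOOKUP` whatever the sender string contains.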



Trends
Web application adoption increasing
Bringing desktop functionality to your browser
No longer a strict client/server model
Google Gears the likely winner

Future Work
More detailed research in this area
Whitepaper to be produced by us on this subject
Proof of concept exploits hosted on Security Ninja
Profit

Questions?




David Rook                           Conor McGoveran
Security Analyst - Realex Payments   Managing Director - Onformonics Ltd
Founder of www.securityninja.co.uk   Compliance Management Solutions
Information Security Evangelist      1,0 - there, my two bits!

More Related Content

Similar to Owasp talk-november-08

Similar to Owasp talk-november-08 (20)

Vault and Security as a Service
Vault and Security as a ServiceVault and Security as a Service
Vault and Security as a Service
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
Reallinx Overview
Reallinx OverviewReallinx Overview
Reallinx Overview
 
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
IBM Connect 2014 SPOT114: No Compromise on Compliance: Streamline Administrat...
 
Sec devops 2.0 managing your robot army - final
Sec devops 2.0  managing your robot army - finalSec devops 2.0  managing your robot army - final
Sec devops 2.0 managing your robot army - final
 
Guardian Open Platform Launch Event
Guardian Open Platform Launch EventGuardian Open Platform Launch Event
Guardian Open Platform Launch Event
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Intuit Analytics Cloud 101
Intuit Analytics Cloud 101Intuit Analytics Cloud 101
Intuit Analytics Cloud 101
 
How do I activate my Webroot keycode?
How do I activate my Webroot keycode?How do I activate my Webroot keycode?
How do I activate my Webroot keycode?
 
Cloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover TrackCloud Innovation Tour - Discover Track
Cloud Innovation Tour - Discover Track
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
 
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...
 
OFFICE 365 SECURITY
OFFICE 365 SECURITYOFFICE 365 SECURITY
OFFICE 365 SECURITY
 
The cyber house of horrors - securing the expanding attack surface
The cyber house of horrors -  securing the expanding attack surfaceThe cyber house of horrors -  securing the expanding attack surface
The cyber house of horrors - securing the expanding attack surface
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient Systems
 
EIC 2022 - Elimity - Trimming down user access governance to its essentials
EIC 2022 - Elimity -  Trimming down user access governance to its essentialsEIC 2022 - Elimity -  Trimming down user access governance to its essentials
EIC 2022 - Elimity - Trimming down user access governance to its essentials
 
Post Wannacry Update
Post Wannacry UpdatePost Wannacry Update
Post Wannacry Update
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?GDPR Compliance Countdown - Is your Application environment ready?
GDPR Compliance Countdown - Is your Application environment ready?
 

More from Security Ninja

Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
Security Ninja
 

More from Security Ninja (11)

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Owasp talk-november-08

  • 1. David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 2. The Internet is going offline and ...... David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 3. The Internet is going offline and ...... The world is going to end (Title inspired by the world ending DNS bug and ClickJacking) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 4. Agenda Introduction The web is on a diet, no more cookies! Access Control Same Origin Issues SQL Issues David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 5. Isn’t the idea to be online? Increased complexity and capability of web applications Traditional applications going “online” such as documents, spreadsheets and task managers This is a trend that many web applications will consider Improved application performance David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 6. HTML history 1955 - Tim Berners-Lee David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 7. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 8. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 9. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 10. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 11. HTML history 1955 - Tim Berners-Lee 1991 - HTML Tags 1995 - HTML 2 1997 - HTML 3.2 1999 - HTML 4.01 2008 - HTML 5 (draft) David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 12. So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 13. So, why HTML 5? New elements such as <audio> and <video> Elements such as <font> and <center> removed New APIs: Drag and Drop Timed media playback Messaging Offline Storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 14. Google Gears A web browser plugin First to provide offline capabilities Now embracing/extending HTML 5 Applications such as RTM and Google Docs Currently at version 0.4 David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 15. No more cookies! No longer sufficient for Web 2.0 They are small (IE enforces a 4KB limit) Not designed for offline storage David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 16. SessionStorage The closest thing to cookies in HTML 5 Used when: A user is carrying out a single transaction A user wants to carry out multiple transactions in multiple windows One object per origin Uses the sessionStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 17. SessionStorage For example, a page could have a checkbox that the user ticks to indicate that he wants insurance: <label> <input type="checkbox" onchange="sessionStorage.insurance = checked"> I want insurance on this trip. </label> A later page could then check, from script, whether the user had checked the checkbox or not: if (sessionStorage.insurance) { ... } David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
  • 18. LocalStorage Designed to allow client side storage Used when: Storing users data on the client (i.e. documents) Data from multiple windows stored in one object One object per origin Uses the localStorage DOM object to access data David Rook Conor McGoveran Security Analyst - Realex Payments Managing Director - Onformonics Ltd Founder of www.securityninja.co.uk Compliance Management Solutions Information Security Evangelist 1,0 - there, my two bits!
• 19. LocalStorage
  The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page:
    <p>
      You have viewed this page
      <span id="count">an untold number of</span>
      time(s).
    </p>
    <script>
      if (!localStorage.pageLoadCount)
        localStorage.pageLoadCount = 0;
      localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
      document.getElementById('count').textContent = localStorage.pageLoadCount;
    </script>
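An added example, not code from the slides or the HTML 5 spec: a small stand-in for the browser's localStorage so the page-counter above can run under Node. It shows the per-origin scoping the slides describe (the only boundary HTML 5 puts around the data) and hardens the counter against a value that another script on the same origin has overwritten. `OriginStorage` and `recordPageLoad` are names assumed here.

```javascript
// Added example, not from the slides: a constructed stand-in for localStorage.
// Storage areas are keyed by origin (scheme + host + port), mirroring the
// "one object per origin" rule; nothing else separates the data.
class OriginStorage {
  constructor() { this.areas = new Map(); }
  // Returns the storage area for an origin, created on first use.
  forOrigin(origin) {
    if (!this.areas.has(origin)) this.areas.set(origin, new Map());
    const area = this.areas.get(origin);
    return {
      getItem: (k) => (area.has(k) ? area.get(k) : null),
      setItem: (k, v) => { area.set(k, String(v)); }, // localStorage holds strings only
      removeItem: (k) => { area.delete(k); },
    };
  }
}

// The slide's counter, hardened: every script that runs on the origin can
// overwrite pageLoadCount, so a value that does not parse as a non-negative
// integer is reset to 0 instead of letting NaN reach the page.
function recordPageLoad(storage) {
  const raw = storage.getItem("pageLoadCount");
  let count = parseInt(raw, 10);
  if (!Number.isFinite(count) || count < 0) count = 0;
  count += 1;
  storage.setItem("pageLoadCount", count);
  return count;
}

// Constructed walk-through: two origins keep independent counters.
const browser = new OriginStorage();
const exampleCom = browser.forOrigin("http://example.com");
const otherSite = browser.forOrigin("http://other.example");
```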
• 20. Local Databases
  Enables structured client side data storage
  Used when:
    Data such as emails needs to be stored locally
    Shopping carts, documents, authentication data etc.
  One object per origin
  Uses SQLite databases
• 22. Security Issues ....
• 23. Access Control
  No requirement to ask for the user's authorisation in HTML 5
  Local objects only protected by local OS policies
  Cross domain requests will be supported
  No authentication with SQLite
• 24. Same Origin Issues
  Same Origin Policy based on current implementations
  Use known vulnerabilities to access local data
  Buxfer example
• 25. Same Origin Issues
• 26. SQL Database Attacks
  SQL Injection, the obvious attack?
  Same problems we are already seeing but on a wider scale
• 27. SQL Database Attacks
• 28. SQL Database Attacks
  SQL Injection, the obvious attack?
  Same problems we are already seeing but on a wider scale
  Cross Domain Read and Write capabilities
  No size limit enforced by default (Origin's choice)
  Google Gears guidance?
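An added example for the SQL injection point above, not code from the slides: the same string-building bug that injects server-side databases injects a client-side one, and the parameterised `executeSql(sql, args)` form avoids it. The Web SQL API is not available under Node, so `executeSql` here is a constructed stand-in that checks a statement's structure instead of running it; `unsafeMailQuery`, `safeMailQuery` and `skeleton` are names assumed here.

```javascript
// Added example, not from the slides. The Web SQL API is absent under Node, so a
// constructed stand-in `executeSql` records the statement rather than running it.

// Vulnerable: the subject is spliced into the SQL text.
function unsafeMailQuery(subject) {
  return { sql: "SELECT body FROM mail WHERE subject = '" + subject + "'", args: [] };
}

// Hardened: the SQL text is constant and the value travels as a bound parameter.
function safeMailQuery(subject) {
  return { sql: "SELECT body FROM mail WHERE subject = ?", args: [subject] };
}

// Reduce a statement to its skeleton: each single-quoted literal becomes "?"
// (a doubled quote inside a literal is the SQL escape). Returns null when a
// literal is left unterminated, i.e. the input broke the quoting.
function skeleton(sql) {
  let out = "";
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inLiteral) {
      if (c === "'" && sql[i + 1] === "'") { i++; continue; }
      if (c === "'") { inLiteral = false; out += "?"; }
      continue;
    }
    if (c === "'") { inLiteral = true; continue; }
    out += c;
  }
  return inLiteral ? null : out;
}

// Stand-in for executeSql: refuse any statement whose skeleton differs from the
// one the developer intended, so input that rewrote the query structure never runs.
function executeSql(stmt, expectedSkeleton) {
  const shape = skeleton(stmt.sql);
  if (shape !== expectedSkeleton) {
    return { ok: false, reason: "statement structure changed: " + shape };
  }
  return { ok: true, sql: stmt.sql, args: stmt.args };
}

// Constructed inputs: a benign subject, a name with an apostrophe, and a
// tautology that turns the WHERE clause into "always true".
const MAIL_QUERY_SHAPE = "SELECT body FROM mail WHERE subject = ?";
for (const s of ["weekly report", "O'Brien", "x' OR '1'='1"]) {
  console.log(JSON.stringify(s), "unsafe:", executeSql(unsafeMailQuery(s), MAIL_QUERY_SHAPE).ok,
              "safe:", executeSql(safeMailQuery(s), MAIL_QUERY_SHAPE).ok);
}
```

The apostrophe case shows the unsafe builder breaks on ordinary data, not only on hostile input, while the bound-parameter form handles both.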
• 30. Trends
  Web application adoption increasing
  Bringing desktop functionality to your browser
  No longer a strict client/server model
• 31. Trends
• 32. Trends
• 33. Trends
  Web application adoption increasing
  Bringing desktop functionality to your browser
  No longer a strict client/server model
  Google Gears the likely winner
• 34. Future Work
  More detailed research in this area
  Whitepaper to be produced by us on this subject
  Proof of concept exploits hosted on Security Ninja
  Profit
• 35. Questions?