
Ajax Security

Roberto Suggi Liverani, Pentester/Researcher
OWASP – Ajax Security
Roberto Suggi Liverani, Security Consultant, Security-Assessment.com
5 December 2007
Who am I?
Agenda
Introduction
Ajax Components (cont.)
Ajax Components
Ajax Components – Simple Diagram
Let’s define Ajax:
Traditional Web Model vs Ajax Web Model
Classic Web Model – Usability/Time
Ajax Web Model – Usability/Time
Why is Ajax used?
Who is using Ajax? And many others…
Let’s talk about Ajax and security…
Ajax and Security – Server of origin policy

URLs | Cross-scripting allowed? | Comments
http://www.example.com:8080/script1.js vs http://www.example.com/script2.js | No | Port number doesn’t match.
http://www.example.com/script1.js vs https://www.example.com/script2.js | No | Protocol type doesn’t match.
http://www.example.com/script1.js vs http://192.168.0.10/script2.js | No | Browser will not perform domain name resolution.
http://sub.example.com/script1.js vs http://www.example.com/script2.js | No | Subdomains treated as separate domains.
http://www.example.com/hello/script1.js vs http://www.example.com/bye/script.2.js | Yes | Domain name is the same.
http://www.example2.com/script1.js vs http://www.example1.com/script2.js | No | Different domain names.
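The table above is the same-origin policy applied by hand. The following is an added example (not code from the original slides) that implements the same check the way a browser does, comparing only scheme, host and port, and then runs it over every URL pair from the table to confirm the slide's answers. It assumes the WHATWG URL API (the global `URL` in browsers and Node.js); the function names `originOf`, `sameOrigin`, `whyBlocked` and `checkTable` are this example's own.

```javascript
// Added example, not part of the original slides.
// Same-origin check over the URL pairs in the slide's table.
// Assumption: WHATWG URL parsing via the global URL constructor.

// Default port per scheme, so "http://a/" and "http://a:80/" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the origin triple (scheme, host, port) for a URL string.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname, // compared as a string: the browser does no DNS resolution here
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs share an origin only when scheme, host and port all match.
// Path and query are ignored, which is why /hello/ and /bye/ are the same origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Name the component that blocked the pairing, mirroring the slide's comment column.
function whyBlocked(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme) return "Protocol type doesn't match.";
  if (oa.host !== ob.host) return "Host name doesn't match (string compare, no DNS resolution).";
  if (oa.port !== ob.port) return "Port number doesn't match.";
  return 'Same origin.';
}

// The URL pairs from the slide's table with the answers the slide gives.
const TABLE = [
  ['http://www.example.com:8080/script1.js', 'http://www.example.com/script2.js', false],
  ['http://www.example.com/script1.js', 'https://www.example.com/script2.js', false],
  ['http://www.example.com/script1.js', 'http://192.168.0.10/script2.js', false],
  ['http://sub.example.com/script1.js', 'http://www.example.com/script2.js', false],
  ['http://www.example.com/hello/script1.js', 'http://www.example.com/bye/script.2.js', true],
  ['http://www.example2.com/script1.js', 'http://www.example1.com/script2.js', false],
];

// True only if the computed answer matches the slide for every row.
function checkTable() {
  return TABLE.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}

for (const [a, b] of TABLE) {
  console.log(`${a}  <->  ${b}\n  allowed: ${sameOrigin(a, b)}  (${whyBlocked(a, b)})`);
}
```

The host comparison is deliberately a plain string comparison: `192.168.0.10` is a different origin from `www.example.com` even if the name resolves to that address, and `sub.example.com` is a different origin from `www.example.com`, exactly as the table's third and fourth rows state.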
Ajax and Security – Server of origin policy
Real attack examples
Ajax Security – Case Study – Samy worm
Ajax – Case Study – Samy worm (cont.)
Screenshot showing list of Myspace profiles infected by Samy Worm
And today there are still Myspace accounts with Samy as a hero! 532 results with live.com
Ajax – Case Study – Samy worm
Ajax – Case Study – Yamanner worm
Ajax – Case Study – Yamanner worm
Ajax – Case Study – Nduja - Webmail XSS worm
Ajax Security – Case Study – Nduja - Webmail XSS Worm
Nduja - Webmail XSS Worm Demo
Web worms – Comparison

Worm | Target domain(s) | Cross domain? | Impact
Samy worm | Myspace.com | No | 1 million users affected
Yamanner worm | Yahoo.com | No | Unknown number of Yahoo users affected
Nduja worm | Tiscali.it, Libero.it, Lycos.it, Excite.com | Yes | N/A – this is a PoC

So the question is: can you think about the impact of the next cross-domain web worm?
Questions/Conclusion
References – Misc.
References – Misc.
References – Books
Table of Figures



This talk highlights potential attacks against web applications using Ajax and XHR technology. The first part of the talk introduces Ajax and related technologies. The second part focuses on potential attacks and their consequences, including some scenarios where the SOP (same-origin policy) is bypassed.


Generative AI: Shifting the AI Landscape by Deakin University
Generative AI: Shifting the AI LandscapeGenerative AI: Shifting the AI Landscape
Generative AI: Shifting the AI Landscape
Deakin University155 views
[2024] GDSC India - Discover, Design, Develop.pdf.pdf by bcedsc
[2024] GDSC India - Discover, Design, Develop.pdf.pdf[2024] GDSC India - Discover, Design, Develop.pdf.pdf
[2024] GDSC India - Discover, Design, Develop.pdf.pdf
bcedsc28 views
Measurecamp Brussels - Synthetic data.pdf by Human37
Measurecamp Brussels - Synthetic data.pdfMeasurecamp Brussels - Synthetic data.pdf
Measurecamp Brussels - Synthetic data.pdf
Human37 34 views
AI + Memoori = AIM by Memoori
AI + Memoori = AIMAI + Memoori = AIM
AI + Memoori = AIM
Memoori41 views
Transcript: Show and tell: What’s in your tech stack? - Tech Forum 2023 by BookNet Canada
Transcript: Show and tell: What’s in your tech stack? - Tech Forum 2023Transcript: Show and tell: What’s in your tech stack? - Tech Forum 2023
Transcript: Show and tell: What’s in your tech stack? - Tech Forum 2023
BookNet Canada41 views
The Role of Patterns in the Era of Large Language Models by Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li134 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash187 views

Ajax Security

  • 1. OWASP – Ajax Security Roberto Suggi Liverani Security Consultant Security-Assessment.com 5 December 2007
  • 7. Ajax Components – Simple Diagram
  • 9. Traditional Web Model vs Ajax Web Model
  • 10. Classic Web Model – Usability/Time
  • 11. Ajax Web Model – Usability/Time
  • 13. Who is using Ajax? And many others…
  • 20. Screenshot showing list of Myspace profiles infected by Samy Worm
  • 21. And today there are still Myspace accounts with Samy as a hero! 532 results with live.com
  • 27. Nduja - Webmail XSS Worm Demo
  • 28. Web worms – Comparison

    Worm            Target Domain(s)                              Cross Domain?   Impact
    Samy worm       Myspace.com                                   No              1 million users affected
    Yamanner worm   Yahoo.com                                     No              Unknown number of Yahoo users affected
    Nduja worm      Tiscali.it, Libero.it, Lycos.it, Excite.com   Yes             N/A – this is a PoC

    So the question is: can you think about the impact of the next cross domain web worm?