Presentation given by Thomas Powell (tpowell@pint.com) and Joe Lima (jlima@port80software.com) - 2-15-2012 covering WebAppSec issues with an emphasis on concerns with the Sitecore CMS platform.
Sorry for any small quirks in slideshare conversion.
HTML5 introduces many new features that can impact security, both positively and negatively. It allows richer multimedia but also makes some attacks easier. Features like Cross-Origin Resource Sharing, Web Storage, and IFRAME sandboxing could enable attacks like session hijacking or user tracking if not implemented correctly. The IFRAME sandboxing feature is particularly useful for security as it disables scripts and popups, though relaxing its restrictions too much could re-enable frame busting defenses. References are provided for further information on HTML5 security examples and specifications.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
Don't Do what Derpy the Dreadful Dev DoesLiam O'Saurus
1) The document discusses common web application vulnerabilities like SQL injection and cross-site scripting. It demonstrates how these vulnerabilities can be exploited in PHP and Ruby on Rails applications.
2) While Ruby on Rails has security features built-in, the speaker argues these do not eliminate security risks and that all developers must take responsibility for security.
3) Popular tools like BeEF, SQLmap, and Burp Suite are demonstrated for exploiting vulnerabilities like cross-site scripting and stealing cookie sessions. The key message is that no framework can replace secure coding practices.
Be Securious – Hack Your Own Site for Better Securitysecuriously
This document summarizes a presentation about hacking your own WordPress site for better security. It introduces the speaker and their background in security. The presentation covers why website security is important, common WordPress vulnerabilities like admin login issues and outdated software. It suggests solutions like using strong passwords, limiting plugins, and keeping software updated. The presentation demonstrates security scanning tools like wpscan and Google dorks that attackers use to find vulnerabilities. Additional resources for hardening WordPress security are provided.
Joomla websites can be hacked for various reasons such as finding vulnerabilities, seeing if they can break in, or for financial gain. To prevent hacking, site owners should regularly update software, secure server configurations, remove unnecessary files and extensions, and implement security measures like two-factor authentication. Backups are also important in case a site becomes compromised, though completely restoring a hacked site can be difficult. Security is an ongoing process that requires vigilance through actions like monitoring, patching issues, and preparing for potential hacks.
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.