OWASP AppSec India Conference 2008 Web 2.0 Attacks


Web 2.0 Attacks - Next Generation Threats on the Rise

The introduction and adoption of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimensions of application security. We are witnessing new attack vectors against web-based applications, and securing them requires a better understanding of these technologies. In the era of Web 2.0, it is important to understand the new threats that emerge in order to build constructive strategies for protecting corporate application assets. McKinsey's recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking sites; they are forming the backend of enterprise-level applications.

Application layers are evolving, and many client-side attack vectors are on the rise: Ajax-based XSS, CSRF, widget injection, RSS exploits, mashup manipulation and client-side logic exploitation. At the same time, new attack vectors are evolving around SOA by targeting SOAP, XML-RPC and REST interfaces. It is time to understand these advanced attack vectors and the corresponding defense strategies. This presentation covers the following important aspects of next-generation application security, with a higher-level view for decision makers.

  • Web 2.0 architecture and technologies
  • Footprinting, scanning and crawling of Web 2.0 applications, and why they matter
  • Ajax- and Flash-based vulnerabilities in Web 2.0 applications
  • Threat Model 2.0 for Web 2.0 applications
  • Hacking and securing Service Oriented Architecture (SOAP, XML-RPC and REST based applications)
  • Strategic security controls that leverage source code scanning and application layer filtering

This presentation will be full of real-life cases, live demonstrations, and new tools and techniques, along with in-depth coverage of the latest concepts, methodologies and strategies.

About Speaker

Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, an application security company. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books including Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on Securityfocus, InformIT, DevX, O'reilly and HNS. He has been quoted as an expert by BBC, Dark Reading and Bank Technology.

Shreeraj was instrumental in product development, research into new methodologies, and the design of training courses. He has performed numerous security consulting assignments covering penetration testing, code review, web application assessment, security architecture review and project management.