Beware of Serialized GUI Objects Bearing Data, presented at OWASP FROC 2010

by David Byrne (Trustwave) and Rohini Sulatycki (Trustwave)

Tags: Security Others

Summary: A recently discovered view state vulnerability in Apache MyFaces and Sun Mojarra allows an attacker to access all server-side session data, as well as some globally-scoped application variables. The technical details of the vulnerabilities will be explained and a live demonstration will be performed. A similar vulnerability will also be demonstrated in Microsoft's ASP.NET.

Rohini Sulatycki: Rohini Sulatycki is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response testing for Trustwave's clients. Rohini has been involved in the Information Technology industry for more than 13 years. Rohini specializes in application security testing and code review, conducting a large number of application tests in her capacity at Trustwave. Rohini has been a technical reviewer for several books and publications, including Java Security and IEEE Security and Privacy. Rohini has presented at various security events, including Black Hat.