Got your Nose! How to Steal Your Precious Data Without Using Scripts presented at TROOPERS 2012

by Mario Heiderich

Tags: Security

Summary: Cross-site scripting techniques and quirky JavaScript have received a lot of attention recently; more and more ways to get a handle on this threat are being developed and practiced. Security-aware people switch JavaScript off, developers can use sandboxed IFrames and CSP to protect their applications, and NoScript, the XSS Filter and HTML Purifier do a great job of keeping people from getting XSSed. But what about attacks in the browser that don't require any scripting at all but still steal your precious data right before you know it? What about attacks so sneaky and sophisticated, or just plain simple, that even your best anti-XSS solution won't prevent them, since they don't use any scripting but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data, and create self-spying emails and worse. Deactivating and eliminating JavaScript is a good level of protection? Not anymore!

Mario Heiderich: Mario Heiderich is a Cologne-based CTO for an online enterprise based in Cologne and New York. He has been an attendee and speaker at several OWASP conferences, maintains the PHPIDS and other security-related projects, and recently authored a German book on web security together with Christian Matthies, fukami and Johannes Dahse. Mario is currently into browser security and digging into the HTML5 specifications.