Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions, presented at Black Hat USA 2005

by Daniel Thompson and Arian J. Evans

Summary: Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot.
There are several key elements to building self-defending software, but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handling and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods.
This ignorance is dangerous: the landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use.
Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community.
This presentation will:
Summarize and categorize what State, Session, and Authorization attacks are.
Provide you with a simple, effective Taxonomy for understanding the threats.
Provide you with an entirely new understanding of Cross-Site Scripting (XSS).
Disclose new Session and Authorization attacks released in recent months.
Show you how to attack your intranet from the Internet using your browser without you knowing.
Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks.
Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts.
Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable.
The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free.
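The abstract names strong session handling and the "one person one time" reduction of XSS exposure as the neglected defences. The following is an added example written for this page, not Paraegis code or the presenters' own; it assumes that "one person one time" means single-use tokens bound to one server-side session, and it shows the session-handling properties the abstract calls for: unguessable ids from the OS CSPRNG, server-side state, idle and absolute expiry, id rotation on login, and per-session nonces that are rejected on replay or when presented from a different session.

```python
import secrets
import time

class SessionStore:
    """Server-side session state; the browser only ever holds an opaque random id."""
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, now=time.time):
        self._sessions = {}          # sid -> {"user", "created", "last", "nonces"}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.now = now               # injectable clock (assumption) so expiry is testable

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        t = self.now()
        self._sessions[sid] = {"user": user, "created": t, "last": t, "nonces": set()}
        return sid

    def get(self, sid):
        """Return session data, or None if unknown or expired (idle or absolute)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s["last"] > self.idle_timeout or t - s["created"] > self.absolute_timeout:
            del self._sessions[sid]
            return None
        s["last"] = t
        return s

    def rotate(self, sid):
        """Issue a fresh id on privilege change (e.g. login) so a pre-set id is worthless."""
        if self.get(sid) is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid

    def issue_nonce(self, sid):
        """Single-use token bound to one session: valid for one person, one time."""
        s = self.get(sid)
        if s is None:
            return None
        nonce = secrets.token_urlsafe(16)
        s["nonces"].add(nonce)
        return nonce

    def consume_nonce(self, sid, nonce):
        """Accept a nonce only from the session that issued it, and only once."""
        s = self.get(sid)
        if s is None or nonce not in s["nonces"]:
            return False
        s["nonces"].discard(nonce)
        return True
```

A page that embeds a nonce from `issue_nonce` in each sensitive form or link and checks it with `consume_nonce` turns a reflected payload that would work against "all people all the time" into one that is valid for a single session and a single request.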