Breaking and Securing Web Applications presented at DeepSec 2007

by Nitesh Dhanjani,

Summary : The application layer exposes an organization to a huge attack surface. A single coding error within millions of lines of code can deem disaster for organization. Security products and consultants are trying hard to keep up with the new attack vectors, but so are the attackers. Few security vendors will admit the class of vulnerabilities that cannot be scanned, parsed, or fuzzed for. There are the categories of extremely high risk vulnerabilities that continue to plague web applications because organizations do not realize the root cause of these vulnerabilities while commercial product vendors continue to promise a one-click-and-scan solution. This talk will focus on the discussion of high risk vulnerabilities that plague web applications today, including the following: Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF), (anti) DNS Pinning, Browser plugin hijacking, and more. This talk will also discuss how these vulnerabilities can be abused by an external entity to launch attacks against a company's internal network. These attacks are lethal because they can be abuse a a legitimate user's browser to act as a proxy between the attacker and the company's internal network. In other words, stop believing the security vendor hype. Your applications are more vulnerable than ever before, it has become much harder to secure them, and your 'enterprise' crown jewels are most likely hanging out in the open.