Learn, hack!

URL

http://events.ccc.de/congress/2011/Fahrplan/attachments/1996_28c3%202011%20New%20Ways%20Hack%20Webapp.pptx

File name

1996_28c3%202011%20New%20Ways%20Hack%20Webapp.pptx

File size

24.9 MB

MD5

96d789517874d7598b43fa72b3024112

SHA1

d2f55117becf0b4d48d224cc754a4b14666d6941

Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most the time writing code that works isn’t even the hard part, it’s keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90’s RFCs and 2010’s HTML5 compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let’s never talk about that again. Ever. Take Facebook, Office 365, Wordpress, Exchange, and Live. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we’ll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks. The best description is probably via the slides linked below. We've put a lot of effort into these, and they have video clips making the slide deck pretty big (why we're linking to it and not attaching it).