Learn, hack!

URL

http://ftp.ccc.de/congress/28C3/mp4-h264-HQ/28c3-4761-en-new_ways_im_going_to_hack_your_web_app_h264.mp4

File name

28c3-4761-en-new_ways_im_going_to_hack_your_web_app_h264.mp4

File size

282.9 MB

MD5

b0b44d1596e993e625e8c434c45f80af

SHA1

5aa3ab9fe6dacb7869eaaebc26d1bfe935cb4935

Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most the time writing code that works isn’t even the hard part, it’s keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90’s RFCs and 2010’s HTML5 compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let’s never talk about that again. Ever. Take Facebook, Office 365, Wordpress, Exchange, and Live. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we’ll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks. The best description is probably via the slides linked below. We've put a lot of effort into these, and they have video clips making the slide deck pretty big (why we're linking to it and not attaching it).