Tuesday, October 30th, 2007

Joe Walker on Web Application Security

Category: Security

<>p>Joe Walker gave a standout talk on Web Application Security at The Ajax Experience.

I love to watch people leaving this talk as they are usually gasping as they realise that we are not secure :)

Joe has posted the slides from his talk, and has provided some great resources:

Related Content:

Posted by Dion Almaer at 7:38 am
5 Comments

++++-
4.4 rating from 25 votes

5 Comments »

Comments feed TrackBack URI

Some interesting points, though I didn’t really see where he tried to go with the whole DNS story…

Comment by Utimer — October 30, 2007

Awesome little presentation, especially when pointing out the difficulties of detecting scripts hidden in your user inputs.

Comment by Jon Hartmann — October 30, 2007

@Ultimer:

What part of the DNS pinning did you not understand?

Comment by Brad — October 30, 2007

is there a video of the presentation?

Comment by DarkRat — October 30, 2007

@Brad
I understand the attack well, but compared to the rest of the presentation it stands out for not giving a lot of info on the attack.

It for example doesn’t state it only works if the victim-server doesn’t check the “http host ” prop-erty, which seems like an effective way to block this attack. I’m aware most intranet servers will not do this, but not giving a solution at all, seems odd to me.

Other parts of the presentation give far more information on prevention, where the DNS-part does not. It simply went into the next subject, leaving someone to think there is no solution.

See http://www.securityfocus.com/archive/1/443209/30/0/threaded, for more info on the attack though. (Maybe he said it during the presentation, but I can’t know by only going by the sheets)

Comment by Utimer — October 31, 2007

Leave a comment

You must be logged in to post a comment.