Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host and Application Security Lesson 20: How the Web Does not Work.

Published byBenedict Hall Modified over 9 years ago

Similar presentations

Presentation on theme: "Host and Application Security Lesson 20: How the Web Does not Work."— Presentation transcript:

1 Host and Application Security Lesson 20: How the Web Does not Work

2 Remind me…  Precisely how does the web work?

3 Web Vulns  This is host and application security, so we’re focusing on the host issues

4 Simple  Simple buffer overruns/security vulns in the browser or in its plugins  Determining the list of plugins is harder than it probably needs to be

5 Javascript  Pretty powerful language  History of different classes of vulnerabilites… perhaps most famous is cross site scripting

6 Java Applets  Tell me about Java Applets and their security model  Isn’t that good enough? Why? Why not?

7 ActiveX  “Safe for scripting”?  ActiveX: Pros and Cons?

8 Clickjacking  A really neat exploit – get the user to click on one thing when they think they are clicking on another  Example: a one click bank transfer  Cross-frame issues make life very interesting

9 To Do  Find and read the ACM Queue paper “Browser Security: Lessons from Google Chrome”  Write a demonstration of a cross site scripting attack. Do this in essay form, showing the code you would have on both ends and how it would work. What is the future for XSS attacks?

Download ppt "Host and Application Security Lesson 20: How the Web Does not Work."

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
1 A Test Automation Tool For Java Applets Testing of Web Applications TATJA Program Demonstration Conclusions By Matthew Xuereb.

1 A Test Automation Tool For Java Applets Testing of Web Applications TATJA Program Demonstration Conclusions By Matthew Xuereb.
Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 

Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Benchmark and Java Applet Test Scenario Presentation Outline Introduction to Benchmark Testing Procedure to create the test Benchmark Playback Results.

Benchmark and Java Applet Test Scenario Presentation Outline Introduction to Benchmark Testing Procedure to create the test Benchmark Playback Results.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Google Web Toolkit - Gufran Mohammed. Google Web Toolkit (GWT) is an open source Java software development framework that makes writing AJAX applications.

Google Web Toolkit - Gufran Mohammed. Google Web Toolkit (GWT) is an open source Java software development framework that makes writing AJAX applications.
ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.

ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.

Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Server Side Scripting Norman White. Where do we do processing? Client side – Javascript (embed code in html) – Java applets (send java program to run.

Server Side Scripting Norman White. Where do we do processing? Client side – Javascript (embed code in html) – Java applets (send java program to run.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may. 2010 University of Palestine.

Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Similar presentations

Ads by Google