This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP AppSec DC 2012/DOMJacking Attack Exploit and Defense
Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org
The Presentation
Browsers architecture and usage are ever changing in todays world. Browser cannot be considered a thin client in this new era, it is very much a thick client and capable of loading very interesting applications. Ajax, RIA (Adobe), Silverlight and HTML5 are key ingredients of next generation applications. Document Object Model (DOM) is the most critical component of the browser; it allows various different technologies to glue at a single point. DOM is emerging as a potential battlefield for future application and can be considered as an interesting entry point. DOM can be attacked and exploited if it is implemented poorly across client side application. DOMJacking is an interesting vector and allows exploitation of various different interesting tags like object. Object tag holds application components like flash, Silverlight, applet etc. It is possible to hijack DOM and create various abuse cases and scenario. In this talk we are going to cover attack vectors encompassing DOM which can lead to exploitation of Browser components like HTML5, RIA and Silverlight. We will be covering various interesting concepts, threat vectors and innovative defense mechanism along with real life cases and demos.
The Speakers
Shreeraj ShahShreeraj Shah, (B.E., MSCS, MBA) is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, OÕreilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert. |
Gold Sponsors |
||||
Silver Sponsors |
||||
Small Business |
||||
Exhibitors |