This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP AppSec DC 2012/DOMJacking Attack Exploit and Defense

Revision as of 18:31, 25 March 2012 by Mark.bristow (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


Registration Now OPEN! | Hotel | Schedule | Convention Center |

The Presentation

Browser's architecture and usage are ever changing in today's world. Browser cannot be considered a thin client in this new era, it is very much a thick client and capable of loading very interesting applications. Ajax, RIA (Adobe), Silverlight and HTML5 are key ingredients of next generation applications. Document Object Model (DOM) is the most critical component of the browser; it allows various different technologies to glue at a single point. DOM is emerging as a potential battlefield for future application and can be considered as an interesting entry point. DOM can be attacked and exploited if it is implemented poorly across client side application. DOMJacking is an interesting vector and allows exploitation of various different interesting tags like object. Object tag holds application components like flash, Silverlight, applet etc. It is possible to hijack DOM and create various abuse cases and scenario. In this talk we are going to cover attack vectors encompassing DOM which can lead to exploitation of Browser components like HTML5, RIA and Silverlight. We will be covering various interesting concepts, threat vectors and innovative defense mechanism along with real life cases and demos.

The Speakers

Shreeraj Shah

Shreeraj Shah, (B.E., MSCS, MBA) is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.

Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors


Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png


link= Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg