JSFoo 2017

JSFoo is a conference about JavaScript and everything related.

Safety not Guaranteed

Submitted by Riyaz Walikar (@riyazw) on Friday, 1 September 2017


Technical level

Intermediate

Section

Full Talk

Status

Confirmed & Scheduled


Abstract

Hackers are everywhere! Are they also in your client-side code? What do attackers target when they break JavaScript frameworks and libraries? How are they stealing those elusive crypto keys and your authentication-protected data?

Detecting and exploiting JavaScript security issues can quickly become complex, since the attack surface is shaped by the features built into the framework and libraries in use. Allowing external resources to be loaded from Content Delivery Networks, improper dynamic parsing of user input, and using third-party widgets and extensions can all lead to security trouble.

This talk will take the audience through multiple case studies of JavaScript framework and library bugs and the impact these bugs would have if exploited. It will also cover real-world examples from application security testing that show how we were able to bypass controls and gain access to data, as well as some common server security configurations that break client-side applications when applied as is.

Outline

Application Security Clinic

Speaker bio

Riyaz Walikar is a web application pentester, security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapters for the last 7 years and is one of the OWASP and null Bangalore chapter leads. He is actively involved in vulnerability research in popular web applications and network-aware services, has disclosed multiple security issues in popular software such as Apache Archiva, Openfire, Joomla!, EJabberd and a .NET Script Injection Bypass, and has found vulnerabilities in popular web applications such as Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Yahoo, Adobe, Tumblr and Pinterest, and is on the Hall of Fame for most of these services.

He has also been a speaker and trainer at many security conferences, including OWASP AppsecUSA 2012, BlackHat Abu Dhabi 2012, Las Vegas 2015 and EU 2015, nullcon 2012, 2013, 2014, 2015, 2016 and 2017, DefCon Las Vegas 2016, and c0c0n 2011, 2013, 2015 and 2016.

Some of the trainings/workshops by Riyaz:
Secure Web Programming – 2-day training at HackerRank Bangalore 2017
Xtreme Web Hacking – NULLCON Goa 2012, 2013, 2014, 2015, 2016
Cloud Security for Devs & Ops – NULLCON 2017
Ninja Level Infrastructure Monitoring – DefCon 2016
Xtreme Web Hacking (CTF Style) – c0c0n 2015, 2016

Some of the talks given by Riyaz:
Poking Servers with Facebook – AppsecUSA 2012, BlackHat Abu Dhabi 2012, c0c0n 2013
A Pentester’s Methodology to Discover and Exploit Windows Privilege Escalation flaws – c0c0n 2015, nullcon 2016
Esoteric XSS Payloads – c0c0n 2016
The Whys and Hows of Cyber Attacks – SAP Security Summit 2016

Online: www.linkedin.com/in/riyazw, http://www.twitter.com/@riyazwalikar, http://www.twitter.com/@wincmdfu

Slides

https://speakerdeck.com/riyazwalikar/safety-not-guaranteed-v2
