
XSS Street Fight Ryan Barnett BlackhatDC 2011

XSS Street-Fight: The Only Rule Is There Are No Rules
Ryan Barnett, Senior Security Researcher, SpiderLabs Research Team
Copyright Trustwave 2011 Confidential

Ryan Barnett - Background

Trustwave
- Member of the SpiderLabs Research Team
- Senior Security Researcher
  - Web application firewall research/development
  - Virtual patching for web applications
- ModSecurity Community Manager
  - Interface with the community on public mail-list
  - Steer the internal development of ModSecurity

Author
- "Preventing Web Attacks with Apache"

Ryan Barnett - Community Projects

Open Web Application Security Project (OWASP)
- Speaker/Instructor
- Project Leader, ModSecurity Core Rule Set
- Project Contributor, OWASP Top 10
- Project Contributor, AppSensor

Web Application Security Consortium (WASC)
- Board Member
- Project Leader, Web Hacking Incident Database
- Project Leader, Distributed Web Honeypots
- Project Contributor, Web Application Firewall Evaluation Criteria
- Project Contributor, Threat Classification

The SANS Institute
- Courseware Developer/Instructor
- Project Contributor, CWE/SANS Top 25 Worst Programming Errors

Session Outline
- XSS Intro
  - What is it?
  - Real-world compromise of Apache.org
- XSS Remediation
  - Strategic vs. Tactical
  - When you can't fix the code
- XSS Street-Fight
  - Input Validation
    - Whitelist Filtering
    - Blacklist Filtering
    - Generic Attack Payload Detection
  - Identify Output Handling Flaws
    - Missing output escaping of user-supplied content
  - Application Response Profiling
    - Track the # of scripts/iframes in pages
  - Defensive JS Injection
    - JS Sandbox
- Conclusion/Questions