tssci security

OWASP-Phoenix Chapter Meeting

From the Owasp-phoenix mailing list:

This month we have an exciting technical talk discussing the Same-Origin Policy and attacks that attempt to break/circumvent these controls by security researcher Andre Gironda. The details of this month's meeting are below:


UAT - University of Advancing Technology (Entrance at the back of the building) 2625 West Baseline Road Tempe, Arizona 85283-1056


6:30PM, Thursday, March 8th


6:30 to 6:45: News & Introductions

6:45 to 7:45 (1 hour): Reflections on Trusting the Same-Origin Policy – and other web+network trust issues – Andre Gironda, Independent Vulnerability Assessor / Researcher

In computing, the same-origin policy is an important security measure for client-side scripting (mostly JavaScript). It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin". It was designed to protect browsers from executing code from external websites, which could be malicious.

XSS and CSRF vulnerabilities exploit trust shared between a user and a website by circumventing the same-domain policy. DNS Pinning didn't pan out exactly right, either. Can client-side scripting allow malicious code to get into your browser history and cache? Can it enumerate what plugins you have installed in your browser, or even programs you have installed on your computer? Can it access and modify files on your local hard drive or other connected filesystems? Can client-side scripts be used to access and control everything you access online? Can it be used to scan and attack your Intranet / local network? Does an attacker have to target you in order to pull off one of these attacks successfully? If I turn off JavaScript or use NoScript, am I safe? What other trust relationships does the web application n-Tier model break?
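To make the origin rule from the abstract concrete, here is a small added example (not from the mailing list post or the talk) that models the scheme/host/port comparison a browser performs before letting a script in one document read another document's properties. The hosts bank.example and other.example and the sample document object are constructed; the treatment of file:, data: and about:blank as opaque origins that never match anything follows the HTML specification's current behaviour rather than the browsers of 2007.

```javascript
// Added example: models the same-origin check a browser applies before a
// script in one document may read or set properties of another document.
// An origin is the (scheme, host, port) tuple; path, query and fragment are
// ignored. The standard URL parser drops default ports, so
// http://a.example:80 and http://a.example share an origin.

// Returns the serialized origin, or null for opaque origins (file:, data:,
// about:blank), which never equal any other origin, not even themselves.
function originOf(url) {
  const origin = new URL(url).origin;
  return origin === "null" ? null : origin;
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a !== null && b !== null && a === b;
}

// Simulated cross-document property read: the reading document's URL and a
// constructed target document. Allowed only when the origins match.
function readDocumentProperty(readerUrl, targetDoc, prop) {
  if (!sameOrigin(readerUrl, targetDoc.url)) {
    return { allowed: false, reader: originOf(readerUrl), target: originOf(targetDoc.url) };
  }
  return { allowed: true, value: targetDoc[prop] };
}

// Constructed sample: a bank page loaded by another page (e.g. in an iframe).
const bankDoc = { url: "https://bank.example/account?id=7", cookie: "session=abc123" };

// A script running on an unrelated site is refused.
const blocked = readDocumentProperty("https://other.example/", bankDoc, "cookie");
// A script on the same scheme, host and port but a different path is allowed.
const ok = readDocumentProperty("https://bank.example/help#faq", bankDoc, "cookie");
console.log(blocked, ok);
```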

7:45 to 8:00: Wrap up

8:00 Happy Hour/Social: Tilted Kilt, 650 West Warner Road, Tempe AZ

For more information on the OWASP-Phoenix chapter, check out the Phoenix OWASP Wiki entry.

Posted by Marcin on Tuesday, March 6, 2007 in Security.
