SlideShare a Scribd company logo

Owasp2013 johannesullrich

Download as PPTX, PDF
D
drewz lin

This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.

1 of 34
Download to read offline
HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. jullrich@sans.edu
About Me • Dean of Research, SANS Technology Institute • Living in Jacksonville FL (aka Southern GA) • SANS Internet Storm Center https://isc.sans.edu • Created DShield.org • Instructor for SANS • Past: Physicist, Web Developer Hosted by OWASP & the NYC Chapter
What is HTML5 • Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work. • Features to enable modern desktop like applications and support mobile devices • 5th Revision of the HTML Standard
What is this talk about? • Ideas to improve security by using HTML5 responsibly • What are some of the security challenges that HTML5 addresses well (or doesn’t) • What are some of the limitations we have to consider
Authentication • Exclusive vs. Inclusive Authentication Methods: – Inclusive: Proof the identity of the user – Exclusive: Disproof the identity of the user
What the Factor? Segway: Multi Factor Authentication • Single Factor: Password • Two Factor: Password AND (Token|Biometric) • 1 ½ Factor: Password and Cookie • ½ Factor: Password OR (Token|Biometric)
HTML5 Components • • • • • • • Local Storage / Session Storage Canvas Geolocation Media Capture Notifications Accelerometer Encryption
Local and Session Storage • New JavaScript API to store data on client • Protected by “same origin” • Local Storage: – No defined expiration – Accessible by all browser windows • Session Storage: – Expired when window is closed – Scope limited to current window
Local Storage: Persistent Cookie • Alternative to Flash cookie for “1 ½ Factor” login • Part of an “Evercookie” • Can be used for good (additional authentication) or evil (more user tracking) • Exposed to XSS attacks • Similar to cookies in scope and security
Session Storage: Identifying users • Can be used to store session token • Breaks CSRF (good!) • User is logged out when they close the browser window (not entire browser) • Multiple users can use the same browser (is this a good thing?) • Easier log out, more secure session tracking, can be used alongside cookies.
Risks • Risks: Storing too much data on the client! Can’t enforce “secure” transmission over SSL Can’t protect from JavaScript/XSS (no httponly) Examples: – storing confidential data on mobile devices – Pushing data to the client the client is not authorized to see.
Can I use it? http://caniuse.com/#feat=namevalue-storage
Canvas • Allows drawing in the browser • Interactive image applications • Can be used for graphical login schemes – CAPTCHAs – Pattern based login
Image Login • Display image, user identifies features • Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
“Connect the Dots” • Implemented in Android • Good user acceptance for mobile login • No good studies yet as to how users select patterns Image: Extremetech.com
Demo • Demo: “Connect the Dots” for the web • http://authonthemove.com • See Github for code repository
Can I use it? http://caniuse.com/#feat=canvas
Geolocation • JavaScript API provides access to devices built in sensors like GPS • Can be very accurate • Can also be spoofed easily Image: Mozilla.org
Geolocation for Authentication • Only useful on mobile devices • Can be used to exclude users, but not to replace traditional authentication • Observe sudden changes in location • Combine with careful browser fingerprinting techniques
Can I use it?
Media Capture • aka getUserMedia/Stream API • Limited support (Chrome, Firefox, Blackberry) • Some potential for biometrics: – Face recognition – Hand signals / gestures – Fingerprint?
Implementations • Face recognition libraries: – http://neave.github.io/face-detection/
Difficulties • Hard to acquire sufficient detail • So far, in particular on mobile devices, more of a gimmick then a serious authentication feature • Possibility to use “finger print”, but current cameras not sufficient to acquire image
Can I use it? http://caniuse.com/#feat=stream
Accelerometer • • • • • • • Only useful for mobile devices Move the phone in a pattern to authenticate Detect step/walking pattern Detect if user/phone is at rest or on the move Can be spoofed (but not readily) Not easy to reproduce Adding sensors like compass may help.
Can I use it? http://caniuse.com/#feat=deviceorientation
Notifications • Popup Notifications sent by the server to notify the user • Initiated by server – Local Notifications: Require browser to be open, widely supported – Push Notifications: Safari Only
Bad stuff happened! • Notify the user of security relevant events: – “Someone is trying to log in as you” • • • • User needs to accept notifications Notifications no 100% reliable Not “out of band” (can be faked, intercepted) Safari Notifications may be useful for one time passwords (OTP)
Can I use it? http://caniuse.com/#feat=notifications
Encryption • Client side encryption • Allows encryption of specific sensitive fields (e.g. payment data, passwords) • Intermediate services (proxies, web services) don’t need to know the information • Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/ • Until then: https://www.pidder.de/pidcrypt/
Client side password hashing • Server sends random “nonce” as part of login form. • Client calculates hash from password/nonce • Passes hash to server • Server verifies hash • Advantage: Server never gets to know the “real” password.
Signup • • • • • Use enters password Client hashes password Password hash transmitted to server Salt: Username? Provided by server? Changing password: Same procedure, salt may change.
Summary • Lots of cool and useful tools in HTML5 • Use them as appropriate • “HTML5” itself isn’t the risk. Bad coding is the risk • Understand privacy issues • Understand user behavior • Share your code an experiences (OWASP!!)
Thanks! ! Thanks ! Questions? jullrich@sans.edu http://authonthemove.com http://isc.sans.edu Daily Updates * Daily Podcast * Live Data Feeds
Ad

Recommended

Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
jikbal
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
4 . future uni presentation
4 . future uni presentation4 . future uni presentation
4 . future uni presentation
Rashid Khatmey
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
Rashid Khatmey
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
skimil
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
Mike North
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
Ammar WK
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
Janagi Kannan
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
Michael Hendrickx
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
IMMUNIO
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
 
Ad

More Related Content

What's hot (20)

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
skimil
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
Mike North
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
Ammar WK
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
Janagi Kannan
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
Michael Hendrickx
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
IMMUNIO
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
skimil
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
Mike North
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
Cysinfo Cyber Security Community
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
Ammar WK
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
Janagi Kannan
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
Michael Hendrickx
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
IMMUNIO
 

Viewers also liked (19)

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
drewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
drewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
drewz lin
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
jaredcarst
 
Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 ) Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 )
ClubHack
 
Information Security
Information SecurityInformation Security
Information Security
SamilMehdiyev
 
Pptv lb日志实时分析平台
Pptv lb日志实时分析平台Pptv lb日志实时分析平台
Pptv lb日志实时分析平台
drewz lin
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
 
1 security goals
1 security goals1 security goals
1 security goals
drewz lin
 
Cryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar CipherCryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar Cipher
Gopal Sakarkar
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
kusum sharma
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
drewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
drewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
drewz lin
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
jaredcarst
 
Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 ) Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 )
ClubHack
 
Information Security
Information SecurityInformation Security
Information Security
SamilMehdiyev
 
Pptv lb日志实时分析平台
Pptv lb日志实时分析平台Pptv lb日志实时分析平台
Pptv lb日志实时分析平台
drewz lin
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
 
1 security goals
1 security goals1 security goals
1 security goals
drewz lin
 
Cryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar CipherCryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar Cipher
Gopal Sakarkar
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
kusum sharma
 
Ad

Similar to Owasp2013 johannesullrich (20)

Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
Progressive Web Apps are here!
Progressive Web Apps are here!Progressive Web Apps are here!
Progressive Web Apps are here!
Antonio Peric-Mazar
 
20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua
Юлия Коваленко
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
474 Password Not Found
474 Password Not Found474 Password Not Found
474 Password Not Found
Codemotion
 
We are Digital Puppets
We are Digital PuppetsWe are Digital Puppets
We are Digital Puppets
Secpro - Security Professionals
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
kdinerman
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
Lab Mobile Filkom UB
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
Appsecco
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
jtmelton
 
Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1
Julio Camarero
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
Luis Grangeia
 
Win j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateevWin j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateev
Mihail Mateev
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
Rafał Hryniewski
 
Progressive Web Apps are here!
Progressive Web Apps are here!Progressive Web Apps are here!
Progressive Web Apps are here!
Antonio Peric-Mazar
 
20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua
Юлия Коваленко
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
474 Password Not Found
474 Password Not Found474 Password Not Found
474 Password Not Found
Codemotion
 
We are Digital Puppets
We are Digital PuppetsWe are Digital Puppets
We are Digital Puppets
Secpro - Security Professionals
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
kdinerman
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
CASCouncil
 
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
Lab Mobile Filkom UB
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
Appsecco
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
jtmelton
 
Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1
Julio Camarero
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
Luis Grangeia
 
Win j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateevWin j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateev
Mihail Mateev
 
Ad

More from drewz lin (17)

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
drewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
drewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
drewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
drewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
drewz lin
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践
drewz lin
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电
drewz lin
 
互联网海量运维 20130807
互联网海量运维 20130807互联网海量运维 20130807
互联网海量运维 20130807
drewz lin
 
阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践
drewz lin
 
T4 淘宝私有云
T4 淘宝私有云T4 淘宝私有云
T4 淘宝私有云
drewz lin
 
I os与android多平台开发心得
I os与android多平台开发心得I os与android多平台开发心得
I os与android多平台开发心得
drewz lin
 
Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民
drewz lin
 
人人网服务化与架构变迁V3
人人网服务化与架构变迁V3人人网服务化与架构变迁V3
人人网服务化与架构变迁V3
drewz lin
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介
drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
drewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
drewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
drewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
drewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
drewz lin
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践
drewz lin
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电
drewz lin
 
互联网海量运维 20130807
互联网海量运维 20130807互联网海量运维 20130807
互联网海量运维 20130807
drewz lin
 
阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践
drewz lin
 
T4 淘宝私有云
T4 淘宝私有云T4 淘宝私有云
T4 淘宝私有云
drewz lin
 
I os与android多平台开发心得
I os与android多平台开发心得I os与android多平台开发心得
I os与android多平台开发心得
drewz lin
 
Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民
drewz lin
 
人人网服务化与架构变迁V3
人人网服务化与架构变迁V3人人网服务化与架构变迁V3
人人网服务化与架构变迁V3
drewz lin
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介
drewz lin
 

Recently uploaded (20)

Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 

Owasp2013 johannesullrich

  • 1. HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. [email protected]
  • 2. About Me • Dean of Research, SANS Technology Institute • Living in Jacksonville FL (aka Southern GA) • SANS Internet Storm Center https://isc.sans.edu • Created DShield.org • Instructor for SANS • Past: Physicist, Web Developer Hosted by OWASP & the NYC Chapter
  • 3. What is HTML5 • Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work. • Features to enable modern desktop like applications and support mobile devices • 5th Revision of the HTML Standard
  • 4. What is this talk about? • Ideas to improve security by using HTML5 responsibly • What are some of the security challenges that HTML5 addresses well (or doesn’t) • What are some of the limitations we have to consider
  • 5. Authentication • Exclusive vs. Inclusive Authentication Methods: – Inclusive: Proof the identity of the user – Exclusive: Disproof the identity of the user
  • 6. What the Factor? Segway: Multi Factor Authentication • Single Factor: Password • Two Factor: Password AND (Token|Biometric) • 1 ½ Factor: Password and Cookie • ½ Factor: Password OR (Token|Biometric)
  • 7. HTML5 Components • • • • • • • Local Storage / Session Storage Canvas Geolocation Media Capture Notifications Accelerometer Encryption
  • 8. Local and Session Storage • New JavaScript API to store data on client • Protected by “same origin” • Local Storage: – No defined expiration – Accessible by all browser windows • Session Storage: – Expired when window is closed – Scope limited to current window
  • 9. Local Storage: Persistent Cookie • Alternative to Flash cookie for “1 ½ Factor” login • Part of an “Evercookie” • Can be used for good (additional authentication) or evil (more user tracking) • Exposed to XSS attacks • Similar to cookies in scope and security
  • 10. Session Storage: Identifying users • Can be used to store session token • Breaks CSRF (good!) • User is logged out when they close the browser window (not entire browser) • Multiple users can use the same browser (is this a good thing?) • Easier log out, more secure session tracking, can be used alongside cookies.
  • 11. Risks • Risks: Storing too much data on the client! Can’t enforce “secure” transmission over SSL Can’t protect from JavaScript/XSS (no httponly) Examples: – storing confidential data on mobile devices – Pushing data to the client the client is not authorized to see.
  • 12. Can I use it? http://caniuse.com/#feat=namevalue-storage
  • 13. Canvas • Allows drawing in the browser • Interactive image applications • Can be used for graphical login schemes – CAPTCHAs – Pattern based login
  • 14. Image Login • Display image, user identifies features • Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
  • 15. “Connect the Dots” • Implemented in Android • Good user acceptance for mobile login • No good studies yet as to how users select patterns Image: Extremetech.com
  • 16. Demo • Demo: “Connect the Dots” for the web • http://authonthemove.com • See Github for code repository
  • 17. Can I use it? http://caniuse.com/#feat=canvas
  • 18. Geolocation • JavaScript API provides access to devices built in sensors like GPS • Can be very accurate • Can also be spoofed easily Image: Mozilla.org
  • 19. Geolocation for Authentication • Only useful on mobile devices • Can be used to exclude users, but not to replace traditional authentication • Observe sudden changes in location • Combine with careful browser fingerprinting techniques
  • 20. Can I use it?
  • 21. Media Capture • aka getUserMedia/Stream API • Limited support (Chrome, Firefox, Blackberry) • Some potential for biometrics: – Face recognition – Hand signals / gestures – Fingerprint?
  • 22. Implementations • Face recognition libraries: – http://neave.github.io/face-detection/
  • 23. Difficulties • Hard to acquire sufficient detail • So far, in particular on mobile devices, more of a gimmick then a serious authentication feature • Possibility to use “finger print”, but current cameras not sufficient to acquire image
  • 24. Can I use it? http://caniuse.com/#feat=stream
  • 25. Accelerometer • • • • • • • Only useful for mobile devices Move the phone in a pattern to authenticate Detect step/walking pattern Detect if user/phone is at rest or on the move Can be spoofed (but not readily) Not easy to reproduce Adding sensors like compass may help.
  • 26. Can I use it? http://caniuse.com/#feat=deviceorientation
  • 27. Notifications • Popup Notifications sent by the server to notify the user • Initiated by server – Local Notifications: Require browser to be open, widely supported – Push Notifications: Safari Only
  • 28. Bad stuff happened! • Notify the user of security relevant events: – “Someone is trying to log in as you” • • • • User needs to accept notifications Notifications no 100% reliable Not “out of band” (can be faked, intercepted) Safari Notifications may be useful for one time passwords (OTP)
  • 29. Can I use it? http://caniuse.com/#feat=notifications
  • 30. Encryption • Client side encryption • Allows encryption of specific sensitive fields (e.g. payment data, passwords) • Intermediate services (proxies, web services) don’t need to know the information • Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/ • Until then: https://www.pidder.de/pidcrypt/
  • 31. Client side password hashing • Server sends random “nonce” as part of login form. • Client calculates hash from password/nonce • Passes hash to server • Server verifies hash • Advantage: Server never gets to know the “real” password.
  • 32. Signup • • • • • Use enters password Client hashes password Password hash transmitted to server Salt: Username? Provided by server? Changing password: Same procedure, salt may change.
  • 33. Summary • Lots of cool and useful tools in HTML5 • Use them as appropriate • “HTML5” itself isn’t the risk. Bad coding is the risk • Understand privacy issues • Understand user behavior • Share your code an experiences (OWASP!!)