Client-side attack vectors are on the rise - from XSS to RSS, from Widget injections to Mashup manipulations. At the same time, various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. At the workshop, you will experience real-life cases, hands-on exercises, new scanning tools and critical defense mechanisms by Mr. Shreeraj Shah.
Topics Covered
Web 2.0 security fundamentals and protocols.
Application architecture: .NET and J2EE application frameworks, Web 2.0 application architecture, Widgets framework, application layers and components, resources and interactions, other languages.
Advanced attacks: Ajax-based XSS, CSRF with Web services, decompiling Flash and RIA apps, WSDL scanning, XML poisoning, SQL injections through XML, external entity attacks, Widget exploitation, RSS injections, Cross Domain bypass, and many more.
Advanced application footprinting and discovery: leveraging search engines, cross-domain mashup discovery and Web 2.0 application domain enumeration.
Methodologies: fingerprinting Web and application server, Ajax framework, Flash-based application and technology fingerprinting, advanced browser-based attacks and vulnerability detection.
Scanning Web services (including XML-RPC, SOAP and REST-based applications) for vulnerabilities through source code by looking at function and method signature mapping, entry point identification, data access layer calls, tracing variables and functions.
Applying validations: input, output, data access filtering, and authentication validations, as well as advanced content filtering.
Who should attend?
Developers, Web Administrators, Security Auditors, Pen-Testers and Program Managers.
Event details
Date
11th October, 2008
Time
2pm - 6pm
Venue
Club Link, Link Road, Malad (West), Mumbai 400 064
Please note that you will be added to the Techcamp mailing list to be notified about future TechCamp events.
About the Speaker
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space.
He is also the author of popular books such as Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.
Shreeraj was instrumental in product development, researching new methodologies and training designs. He has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and project management.
Comments (5)
Sep 22, 2008
Sanjeev Mishra says:
Hi,
I have logged in, but apparently I am not able to add my name (edit this page). Please add me as one of the participants to the event.
Thx
Sep 24, 2008
Shaheen Peerbhai says:
Hi Sanjeev,
You need to click on "Attend event" and not edit the page to have your name appear on the list of attendees. Nonetheless, I've added your name.
Sep 23, 2008
Anonymous says:
Guys, the attendees list is displaying email IDs to the public. Someone can look into this.
--rats
Oct 09, 2008
Anonymous says:
Is this a public event? Are students eligible to be part of it, and is there a fee to attend the event?
Oct 10, 2008
Vishal Uderani says:
I don't think this is a paid event and Directi welcomes everyone to join :D