Web Application Security

A few people asked for slides and links from the security talk from The Ajax Experience last week:

| View | Upload your own

General Links:

OWASP: Open Web App Security Project
Security Resources from the OpenAjax Alliance Wiki
Mozilla on Same-Origin Policy

XSS:

Introductions from: Wikipedia and Apache
Cheat Sheet: Long list of XSS vectors from RSnake
Explanation of DOM Based XSS
Explanation of Samy is my Hero worm
Fairly old FAQ at CGI Security
List of XSS holes in popular web applications

CSRF:

Introduction from: Wikipedia and here
Article by Chris Shiflett and CSRF Redirector test tool
CSRF FAQ at CGI Security
Array constructor overriding and setter overriding
A solution: SameRefererOnly
Protecting a JSON or JavaScript Service

Blogs:

Responses[6]

Posted by Joe Walker on 29 October 2007 11:00:51 GMT #

Re: Web Application Security

Comment from Marc on 29 October 2007 20:48:39 GMT #

Thank you Joe for your presentation - I am glad I didn't open up my website to HTML comments before understanding the security risks. I now know to whitelist instead of blacklist user input, thank you!

I also exposed the company I work for to DWR and at first pass they seem very intrigued. I am hoping it opens up the corporate door to Ajax.

Re: Web Application Security

Comment from Simon Gow on 30 October 2007 16:07:54 GMT #

I understand most of these concepts and have been building what I thought was the most secure login script I could. Thanks for opening up a few new things I hadn't thought about just yet :)

Re: Web Application Security

Comment from Andre on 30 October 2007 13:25:49 GMT #

Is there a video available for this presentation?

Re: Web Application Security

Comment from Anonymous on 30 October 2007 14:36:08 GMT #

Thanks for your good work. Getahead = quality, if that was not already obvious.

Re: Web Application Security

Comment from vmmello on 03 December 2007 16:14:59 GMT #

the best web security presentation I've seen.

Re: Web Application Security

Comment from Developer4lease on 06 November 2008 06:07:51 GMT #

Thank you for sharing useful information.Do exposed stack traces in a live web application present potential security flaws? Can anyone share their opinion in it. http://www.developer4lease.com/

Add a comment Send a TrackBack

2009 July (0) June (0) May (1) April (1) March (0) February (3) January (0)	2008 December (2) November (1) October (0) September (0) August (0) July (2) June (0) May (2) April (1) March (5) February (2) January (1)
2007 December (4) November (3) October (2) September (0) August (3) July (2) June (1) May (2) April (8) March (11) February (4) January (7)	2006 December (4) November (2) October (4) September (3) August (7) July (3) June (3) May (10) April (3) March (4) February (5) January (3)
2005 December (1) November (7) October (8) September (10) August (5) July (7) June (11) May (6) April (2)

Re: Web Application Security Comment from Anonymous on 04 July 2009 07:07:16 BST #
Title
Body	HTML : b, strong, i, em, blockquote, br, p, pre, a href="", ul, ol, li, sub, sup
Name
E-mail address
Website
Remember me	Yes No
E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

Username
Password
Remember me