RSA US 2013, ASEC-F41 Slides

Here are the slides for my presentation, Using HTML5 WebSockets Securely, at this year’s RSA US conference in San Francisco. It’s a continuation of the content created for last year’s BlackHat and BayThreat presentations. RSA wants slides to be in a specific template. So, these slides are less visually stimulating than I usually have the […]

B-Sides SF 2013: JavaScript Security & HTML5

I’ve emerged from the gloomy dungeon of C++ and book writing long enough to venture into the gloomy dungeon of the DNA Lounge for B-Sides San Francisco. It’s the perfect venue to talk about the building blocks of web apps: the twin strands of JavaScript and HTML5. As noted at the end of my talk, […]

Implicit HTML, Explicit Injection

When designing security filters against HTML injection you need to outsmart the attacker, not the browser. HTML’s syntax is more forgiving of mis-nested tags, unterminated elements, and entity encoding than formats like XML. This is a good thing, because it ensures a User-Agent renders a best-effort layout for a web page rather than bailing on […]

Know Your JavaScript (Injections)

HTML injection vulnerabilities make a great Voigt-Kampff test for proving you care about security. We need some kind of tool to deal with developers who take refuge in the excuse, “But it’s not exploitable.” Companies like MasterCard and VISA created the PCI standard to make sure web sites care about vulns like XSS. Parts of […]

User Agent. Secret Agent. Double Agent.

We hope our browsers are secure in light of the sites we choose to visit. What we often forget is whether we are secure in light of the sites our browsers choose to visit. Sometimes it’s hard to even figure out whose side our browsers are on. Browsers act on our behalf, hence the term […]

A Lesser XSS Attack Greater Than Your Regex Security

I know what you’re thinking. “Did my regex block six XSS attacks or five?” You’ve got to ask yourself one question: “Do I feel lucky?” Well, do ya, punk? Maybe you read a few HTML injection (cross-site scripting) tutorials and think a regex solves this problem. Maybe. Let’s revisit that thinking. We’ll need an attack […]

BayThreat 2012 WebSocket Presentation

BayThreat held its 2012 conference this December in Sunnyvale, CA. Yes, I was sorely disappointed it wasn’t actually in Sunnydale (with a ‘d’). My colleagues, @sshekyan and @tukharian, and I gave an overview on the security of WebSockets. The presentation slides are available now. Reading slides is always a hazardous approach to understanding a presentation. […]