RSA Europe 2012, ASEC-303 Slides
Here are the slides for my presentation, Mitigating JavaScript Mistakes Using HTML5, at this year’s RSA Europe.
The goal is to show that the move towards more complex web apps demands more complex JavaScript, which in turn creates more potential for security bugs. Yet rather than audit every line of deployed JavaScript, we can apply controls like Cross-Origin Request Sharing, HTML5 sandboxes, and Content Security Policy headers to improve the security of apps within the browser. These countermeasures don’t fix server-side code, but they do help reduce the impact to users when hackers try to exploit vulns within a web site.
I’ll continue to post more articles here that expand and explain the slides. For example, the references to BeEF are intended to show the relation of variable scope, objects, prototypes, and hijacking content within JavaScript in a sort of hack-the-hacker approach. Since BeEF relies heavily on JavaScript, it’s a nice way to explore concepts with a real-life scenario that could attack any site, rather than show the concepts against some fake sites.
And thanks in advance to all who attended.