Protection From Next Generation Web Attacks is Going to Take More Than Just SSL

Utrecht, The Netherlands, 23 March 2011 – On the 17th till the 20th of May the Grand Krasnapolsky in Amsterdam will be home to the second annual Hack In The Back deep knowledge security conference, HITB2011AMS. Bringing together a unique mix of security professionals, researchers, law enforcement and members of the hacker underground, this years conference will yet again provide attendees with an inside look at the next generation of Web 2.0 attacks

With browsers escalating their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3, browsers now form the backbone of next generation applications running on mobiles, tablets and desktops. The blend of DOM (Remote execution stack), XHR L2 (Sockets for injection) and HTML5 (Exploit delivery platform) together with the exposure of server side APIs, makes for easy access to a victims cookie jar. Additionally, with new features like audio/video tags, drag/drop APIs, CSS-Opacity, local storage, web workers and DOM selectors, the attack surface has increased significantly. Shreeraj Shah will explore all this and much more during his talk on Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2). In addition, details on how to detect and identify these types of vulnerabilities in order to protect next generation web applications will also be discussed.

Clickjacking attacks have been widely adopted by attackers as means to steal credentials or to perform drive-by download attacks. New UI redressing attacks have also shown that the the possibility to steal contents from a web session is very real. In CookieJacking, Rosario Valotta, will demonstrate a new attack vector that can be used to exploit a 0-day vulnerability currently affecting all Internet Explorer versions. The attack leverages a UI redressing approach and allows an attacker to steal session cookies from any site a victim is visiting.

In addition to these presentations on web and browser vulnerabilities, Ivan Ristic will give attendees an insight into the world of Secure Socket Layers – that little ‘lock’ in your browser window that secures everything from your e-mails to your online banking sessions. in his presentation A Real-Life Study of What Really Breaks SSL, Ristic will examine the problems of insecure session cookies, mixed content types, incorrect site configurations and distribution of trust to third-party sites. Ivan has also built a custom site crawler, which is currently being run against the world’s 1 million+ most high traffic sites and details of this study will also be discussed.

For further event details please see http://conference.hitb.nl/hitbsecconf2011ams/

About HITBSecConf

HITBSecConf is run as a community-backed not-for-profit effort endorsed by the Malaysian Communications and Multimedia Commission (MCMC), Malaysian National Computer Confederation (MNCC), Multimedia Development Corporation (MDeC), MSC Malaysia and the Malaysian International Chamber of Commerce and Industry (MICCI).

Suzanne Heerschop
Media Officer

Hack In The Box
Suite 26.3, Level 26, Menara IMC
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur, Malaysia

Tel: +31-(0)6-44554677
Mail: suzanne@hackinthebox.nl

This release was published on openPR.