CONFidence 2014 Security Implications of the Cross-Origin Resource Sharing - Gergely Revay |
By SecurityTube.Net, [2014-07-18] at 08:00:31
Abstract: HTML5 has been on the way for a couple of years now. There have been many discussions about its security implications and how they should be handled; however, these discussions usually stop at showing the most hyped and scariest vulnerabilities and their countermeasures. This presentation will continue the discussion on another level. To create state-of-the-art web applications with HTML5, all of its features should be analysed to see the risks they introduce and how they should be used properly. This presentation will analyse Cross-Origin Resource Sharing (CORS). This HTML5 feature allows websites to load resources from other domains, even from restricted environments, using the authentication tokens saved by the browser. This has interesting effects on various actors of the Internet. It affects clients and servers alike, bringing whole new trust relationships into the game. It also breaks with the relevant parts of the same-origin policy, one of the most important security features of web browsers, and all of this happened without most people noticing. The first part of my analysis will introduce Cross-Origin Resource Sharing: how it works, how JSON-P, its predecessor, was used, and why CORS is interesting from a security perspective. The functional introduction will be followed by a threat analysis to show how CORS affects the traditional usage of XMLHttpRequests (XHR). Because it introduces a change in the way websites communicate with each other, it has an effect on pre-CORS websites as well. Most importantly, it introduces a new way to attack web applications and overturns well-known attacks such as Cross-Site Request Forgery and Cross-Site Tracing, giving them whole new possibilities. Examples of these will be presented in live demos. The presentation will conclude by outlining the methods to mitigate the security risks of Cross-Origin Resource Sharing.
The methods will include ways to prepare a site to handle CORS properly and to build new web applications enjoying the new features of CORS without risking the data of our users. For more information please visit http://2014.confidence.org.pl/en