Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep in to the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides.
Presented at @media Ajax 2008 on the 16th of September.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1. When Ajax Attacks! Web application security fundamentals
Simon Willison, @media Ajax 2008
2. Im here to scare you XSS PDF CSRF XBL UTF-7 HTC
crossdomain.xml JSON and JSONP
3. A few years ago... Web application security tutorials tended
to boil down to three things: Dont trust input from users Avoid SQL
injection attacks Dont let people inject JS in to your pages
4. A few years ago... Web application security tutorials tended
to boil down to three things: Dont trust input from users Boring!
Avoid SQL injection attacks Dont let people inject JS in to your
pages