�ݺ�ߣshows by User: kkotowicz

�ݺ�ߣshows by User: kkotowicz / http://www.slideshare.net/images/logo.gif �ݺ�ߣshows by User: kkotowicz / Fri, 07 Jun 2019 09:36:05 GMT �ݺ�ߣShare feed for �ݺ�ߣshows by User: kkotowicz Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam) /slideshow/trusted-types-securing-the-dom-from-the-bottom-up-jsnation-amsterdam/149034996 securingthedomfromthebottomup-jsnation-190607093605
18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy. Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications. It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design. But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application. Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.]]>
18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy. Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications. It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design. But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application. Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.]]> Fri, 07 Jun 2019 09:36:05 GMT /slideshow/trusted-types-securing-the-dom-from-the-bottom-up-jsnation-amsterdam/149034996 kkotowicz@slideshare.net(kkotowicz) Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam) kkotowicz 18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy. Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications. It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design. But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application. Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/securingthedomfromthebottomup-jsnation-190607093605-thumbnail.jpg?width=120&height=120&fit=bounds" /> 18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy. Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications. It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design. But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application. Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam) from Krzysztof Kotowicz

]]> 561 3 https://cdn.slidesharecdn.com/ss_thumbnails/securingthedomfromthebottomup-jsnation-190607093605-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Trusted Types @ W3C TPAC 2018 /slideshow/trusted-types-w3c-tpac-2018/141719385 trustedtypesw3ctpac-190423082527
Trusted Types @ W3C TPAC 2018]]>
Trusted Types @ W3C TPAC 2018]]> Tue, 23 Apr 2019 08:25:27 GMT /slideshow/trusted-types-w3c-tpac-2018/141719385 kkotowicz@slideshare.net(kkotowicz) Trusted Types @ W3C TPAC 2018 kkotowicz Trusted Types @ W3C TPAC 2018 <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesw3ctpac-190423082527-thumbnail.jpg?width=120&height=120&fit=bounds" /> Trusted Types @ W3C TPAC 2018

Trusted Types @ W3C TPAC 2018 from Krzysztof Kotowicz

]]> 219 2 https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesw3ctpac-190423082527-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Trusted Types and the end of DOM XSS /slideshow/trusted-types-and-the-end-of-dom-xss/141131672 trustedtypesandtheendofdomxss-190418012319
LocoMocoSec 19]]>
LocoMocoSec 19]]> Thu, 18 Apr 2019 01:23:19 GMT /slideshow/trusted-types-and-the-end-of-dom-xss/141131672 kkotowicz@slideshare.net(kkotowicz) Trusted Types and the end of DOM XSS kkotowicz LocoMocoSec 19 <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesandtheendofdomxss-190418012319-thumbnail.jpg?width=120&height=120&fit=bounds" /> LocoMocoSec 19

Trusted Types and the end of DOM XSS from Krzysztof Kotowicz

]]> 3805 6 https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesandtheendofdomxss-190418012319-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Lessons From Trusting Javascript Crypto /slideshow/biting-into-the-forbidden-fruit-lessons-from-trusting-javascript-crypto/37474054 bitingintotheforbiddenfruit-hackinparis-140729152614-phpapp01
Presentation slides from my OWASP Appsec EU 2014 and Hack in Paris 2014 talk.]]>
Presentation slides from my OWASP Appsec EU 2014 and Hack in Paris 2014 talk.]]> Tue, 29 Jul 2014 15:26:13 GMT /slideshow/biting-into-the-forbidden-fruit-lessons-from-trusting-javascript-crypto/37474054 kkotowicz@slideshare.net(kkotowicz) Biting into the forbidden fruit. Lessons from trusting Javascript crypto. kkotowicz Presentation slides from my OWASP Appsec EU 2014 and Hack in Paris 2014 talk. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/bitingintotheforbiddenfruit-hackinparis-140729152614-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> Presentation slides from my OWASP Appsec EU 2014 and Hack in Paris 2014 talk.

Biting into the forbidden fruit. Lessons from trusting Javascript crypto. from Krzysztof Kotowicz

]]> 14790 16 https://cdn.slidesharecdn.com/ss_thumbnails/bitingintotheforbiddenfruit-hackinparis-140729152614-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Hacking HTML5 offensive course (Zeronights edition) /slideshow/hacking-html5-offensive-course-zeronights-edition/32330130 zeronights-140314170815-phpapp02
]]>
]]> Fri, 14 Mar 2014 17:08:15 GMT /slideshow/hacking-html5-offensive-course-zeronights-edition/32330130 kkotowicz@slideshare.net(kkotowicz) Hacking HTML5 offensive course (Zeronights edition) kkotowicz <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/zeronights-140314170815-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" />

Hacking HTML5 offensive course (Zeronights edition) from Krzysztof Kotowicz

]]> 4165 4 https://cdn.slidesharecdn.com/ss_thumbnails/zeronights-140314170815-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds document Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions /slideshow/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions/25546902 iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01
My OWASP AppSec Europe 2013 talk.]]>
My OWASP AppSec Europe 2013 talk.]]> Sat, 24 Aug 2013 06:41:40 GMT /slideshow/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions/25546902 kkotowicz@slideshare.net(kkotowicz) I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions kkotowicz My OWASP AppSec Europe 2013 talk. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> My OWASP AppSec Europe 2013 talk.

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions from Krzysztof Kotowicz

]]> 9758 7 https://cdn.slidesharecdn.com/ss_thumbnails/iminurbrowserpwningyourstuff-owasp-130824064140-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 HTML5: Atak i obrona /slideshow/attack-withhtml5owasp/16600045 attack-with-html5-owasp-130218050636-phpapp01
Prezentacja z wrocławskiego spotkania OWASP Poland]]>
Prezentacja z wrocławskiego spotkania OWASP Poland]]> Mon, 18 Feb 2013 05:06:36 GMT /slideshow/attack-withhtml5owasp/16600045 kkotowicz@slideshare.net(kkotowicz) HTML5: Atak i obrona kkotowicz Prezentacja z wrocławskiego spotkania OWASP Poland <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/attack-with-html5-owasp-130218050636-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> Prezentacja z wrocławskiego spotkania OWASP Poland

HTML5: Atak i obrona from Krzysztof Kotowicz

]]> 1772 3 https://cdn.slidesharecdn.com/ss_thumbnails/attack-with-html5-owasp-130218050636-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 I'm in your browser, pwning your stuff /kkotowicz/im-in-your-browser-pwning-your-stuff iminyourbrowserpwningyourstuff-121013081507-phpapp02
Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net]]>
Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net]]> Sat, 13 Oct 2012 08:15:06 GMT /kkotowicz/im-in-your-browser-pwning-your-stuff kkotowicz@slideshare.net(kkotowicz) I'm in your browser, pwning your stuff kkotowicz Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/iminyourbrowserpwningyourstuff-121013081507-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net

I'm in your browser, pwning your stuff from Krzysztof Kotowicz

]]> 1586 8 https://cdn.slidesharecdn.com/ss_thumbnails/iminyourbrowserpwningyourstuff-121013081507-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Advanced Chrome extension exploitation /slideshow/advanced-chrome-extension-exploitation/14500837 advanced-chrome-extension-exploitation-final-120928051620-phpapp02
�ݺ�ߣs from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz]]>
�ݺ�ߣs from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz]]> Fri, 28 Sep 2012 05:16:18 GMT /slideshow/advanced-chrome-extension-exploitation/14500837 kkotowicz@slideshare.net(kkotowicz) Advanced Chrome extension exploitation kkotowicz �ݺ�ߣs from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/advanced-chrome-extension-exploitation-final-120928051620-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> �ݺ�ߣs from BruCON 2012 workshops "Advanced Chrome Extension exploitation" by Kyle Osborn and Krzysztof Kotowicz

Advanced Chrome extension exploitation from Krzysztof Kotowicz

]]> 9782 14 https://cdn.slidesharecdn.com/ss_thumbnails/advanced-chrome-extension-exploitation-final-120928051620-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Html5: Something wicked this way comes (Hack in Paris) /slideshow/html5-something-wicked-this-way-comes-hack-in-paris/13491300 html5-somethingwickedthiswaycomeshackinparis-120629030137-phpapp02
The talk given in Hack In Paris 2012 conference]]>
The talk given in Hack In Paris 2012 conference]]> Fri, 29 Jun 2012 03:01:36 GMT /slideshow/html5-something-wicked-this-way-comes-hack-in-paris/13491300 kkotowicz@slideshare.net(kkotowicz) Html5: Something wicked this way comes (Hack in Paris) kkotowicz The talk given in Hack In Paris 2012 conference <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomeshackinparis-120629030137-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> The talk given in Hack In Paris 2012 conference

Html5: Something wicked this way comes (Hack in Paris) from Krzysztof Kotowicz

]]> 15461 18 https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomeshackinparis-120629030137-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Something wicked this way comes - CONFidence /slideshow/something-wicked-this-way-comes-confidence/13060887 html5-somethingwickedthiswaycomesconfidence-120524091708-phpapp02
"Something wicked this way comes" talk given at CONFidence 2012]]>
"Something wicked this way comes" talk given at CONFidence 2012]]> Thu, 24 May 2012 09:17:05 GMT /slideshow/something-wicked-this-way-comes-confidence/13060887 kkotowicz@slideshare.net(kkotowicz) Something wicked this way comes - CONFidence kkotowicz "Something wicked this way comes" talk given at CONFidence 2012 <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomesconfidence-120524091708-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> "Something wicked this way comes" talk given at CONFidence 2012

Something wicked this way comes - CONFidence from Krzysztof Kotowicz

]]> 2786 10 https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomesconfidence-120524091708-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Html5: something wicked this way comes - HackPra /slideshow/html5-something-wicked-this-way-comes-hackpra/10271100 html5-somethingwickedthiswaycomeshackpra-111122071515-phpapp01
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities. ]]>
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities. ]]> Tue, 22 Nov 2011 07:15:11 GMT /slideshow/html5-something-wicked-this-way-comes-hackpra/10271100 kkotowicz@slideshare.net(kkotowicz) Html5: something wicked this way comes - HackPra kkotowicz Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomeshackpra-111122071515-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.

Html5: something wicked this way comes - HackPra from Krzysztof Kotowicz

]]> 5699 11 https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomeshackpra-111122071515-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Html5: something wicked this way comes /slideshow/html5-something-wicked-this-way-comes/9258814 html5-somethingwickedthiswaycomes-110914134541-phpapp02
Talk given at SecurityByte 2011 conference. All the demos can be searched for in http://blog.kotowicz.net]]>
Talk given at SecurityByte 2011 conference. All the demos can be searched for in http://blog.kotowicz.net]]> Wed, 14 Sep 2011 13:45:38 GMT /slideshow/html5-something-wicked-this-way-comes/9258814 kkotowicz@slideshare.net(kkotowicz) Html5: something wicked this way comes kkotowicz Talk given at SecurityByte 2011 conference. All the demos can be searched for in http://blog.kotowicz.net <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomes-110914134541-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> Talk given at SecurityByte 2011 conference. All the demos can be searched for in http://blog.kotowicz.net

Html5: something wicked this way comes from Krzysztof Kotowicz

]]> 2498 7 https://cdn.slidesharecdn.com/ss_thumbnails/html5-somethingwickedthiswaycomes-110914134541-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation White http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Creating, obfuscating and analyzing malware JavaScript /slideshow/owaspmaliciousjavascripten/5156593 owasp-malicious-javascript-en-100908112334-phpapp02
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.]]>
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.]]> Wed, 08 Sep 2010 11:23:23 GMT /slideshow/owaspmaliciousjavascripten/5156593 kkotowicz@slideshare.net(kkotowicz) Creating, obfuscating and analyzing malware JavaScript kkotowicz Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/owasp-malicious-javascript-en-100908112334-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.

Creating, obfuscating and analyzing malware JavaScript from Krzysztof Kotowicz

]]> 1423 4 https://cdn.slidesharecdn.com/ss_thumbnails/owasp-malicious-javascript-en-100908112334-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript /slideshow/malicious-javascript/4446174 owasp-malicious-javascript-100608195227-phpapp01
Ataki malware'u na przeglądarki nieświadomych internautów stają się coraz powszechniejsze. Wciąż powstają nowe techniki pozwalające obejść filtry stosowane przez producentów oprogramowania zabezpieczającego. Z kolei filtry są coraz lepsze, powstają też nowe narzędzia - walka trwa. Na prezentacji dowiecie się, jak włamywacze usiłują utrudnić pracę analizatorom ich kodu i jak reverserzy sobie z tym radzą. Nacisk zostanie położony na słabości narzędzi automatycznych - będziemy usiłowali uniknąć wykrycia przez jsunpack i Capture-HPC, oszukamy też popularny unpacker Deana Edwardsa.]]>
Ataki malware'u na przeglądarki nieświadomych internautów stają się coraz powszechniejsze. Wciąż powstają nowe techniki pozwalające obejść filtry stosowane przez producentów oprogramowania zabezpieczającego. Z kolei filtry są coraz lepsze, powstają też nowe narzędzia - walka trwa. Na prezentacji dowiecie się, jak włamywacze usiłują utrudnić pracę analizatorom ich kodu i jak reverserzy sobie z tym radzą. Nacisk zostanie położony na słabości narzędzi automatycznych - będziemy usiłowali uniknąć wykrycia przez jsunpack i Capture-HPC, oszukamy też popularny unpacker Deana Edwardsa.]]> Tue, 08 Jun 2010 19:52:16 GMT /slideshow/malicious-javascript/4446174 kkotowicz@slideshare.net(kkotowicz) Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript kkotowicz Ataki malware'u na przeglądarki nieświadomych internautów stają się coraz powszechniejsze. Wciąż powstają nowe techniki pozwalające obejść filtry stosowane przez producentów oprogramowania zabezpieczającego. Z kolei filtry są coraz lepsze, powstają też nowe narzędzia - walka trwa. Na prezentacji dowiecie się, jak włamywacze usiłują utrudnić pracę analizatorom ich kodu i jak reverserzy sobie z tym radzą. Nacisk zostanie położony na słabości narzędzi automatycznych - będziemy usiłowali uniknąć wykrycia przez jsunpack i Capture-HPC, oszukamy też popularny unpacker Deana Edwardsa. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/owasp-malicious-javascript-100608195227-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> Ataki malware'u na przeglądarki nieświadomych internautów stają się coraz powszechniejsze. Wciąż powstają nowe techniki pozwalające obejść filtry stosowane przez producentów oprogramowania zabezpieczającego. Z kolei filtry są coraz lepsze, powstają też nowe narzędzia - walka trwa. Na prezentacji dowiecie się, jak włamywacze usiłują utrudnić pracę analizatorom ich kodu i jak reverserzy sobie z tym radzą. Nacisk zostanie położony na słabości narzędzi automatycznych - będziemy usiłowali uniknąć wykrycia przez jsunpack i Capture-HPC, oszukamy też popularny unpacker Deana Edwardsa.

Tworzenie, zaciemnianie i analiza zナＰナ嬪iwego kodu JavaScript from Krzysztof Kotowicz

]]> 2834 5 https://cdn.slidesharecdn.com/ss_thumbnails/owasp-malicious-javascript-100608195227-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Jak ocalić swoje dane przed SQL injection? /slideshow/ocal-swoje-dane-przed/4427692 krakspot-sql-injection-100607052053-phpapp01
Co to jest SQL injection i jak wyglądają współczesne ataki na serwisy? Dlaczego SQL injection jest takie groźne? Jak w praktyce obronić się przed tą luką w bezpieczeństwie i ocalić swoje dane? ]]>
Co to jest SQL injection i jak wyglądają współczesne ataki na serwisy? Dlaczego SQL injection jest takie groźne? Jak w praktyce obronić się przed tą luką w bezpieczeństwie i ocalić swoje dane? ]]> Mon, 07 Jun 2010 05:20:47 GMT /slideshow/ocal-swoje-dane-przed/4427692 kkotowicz@slideshare.net(kkotowicz) Jak ocalić swoje dane przed SQL injection? kkotowicz Co to jest SQL injection i jak wyglądają współczesne ataki na serwisy? Dlaczego SQL injection jest takie groźne? Jak w praktyce obronić się przed tą luką w bezpieczeństwie i ocalić swoje dane? <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/krakspot-sql-injection-100607052053-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> Co to jest SQL injection i jak wyglądają współczesne ataki na serwisy? Dlaczego SQL injection jest takie groźne? Jak w praktyce obronić się przed tą luką w bezpieczeństwie i ocalić swoje dane?

Jak ocalić swoje dane przed SQL injection? from Krzysztof Kotowicz

]]> 2206 4 https://cdn.slidesharecdn.com/ss_thumbnails/krakspot-sql-injection-100607052053-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 SQL Injection: complete walkthrough (not only) for PHP developers /slideshow/sql-injection-complete-walktrough-not-only-for-php-developers/3459190 owasp-sql-injection-en-100317143725-phpapp02
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.]]>
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.]]> Wed, 17 Mar 2010 14:37:24 GMT /slideshow/sql-injection-complete-walktrough-not-only-for-php-developers/3459190 kkotowicz@slideshare.net(kkotowicz) SQL Injection: complete walkthrough (not only) for PHP developers kkotowicz Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/owasp-sql-injection-en-100317143725-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds" /> Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.

SQL Injection: complete walkthrough (not only) for PHP developers from Krzysztof Kotowicz

]]> 17968 34 https://cdn.slidesharecdn.com/ss_thumbnails/owasp-sql-injection-en-100317143725-phpapp02-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko) /kkotowicz/owasp-sql-injection owasp-sql-injection-100225191337-phpapp01
W trakcie prezentacji zademonstrujemy szkody, na jesteście narażeni nie myśląc o SQL injection. Dowiecie się, jak się przed nim bronić - zarówno w teorii, jak i na konkretnych przykładach. Nauczymy się pisać bezpiecznie w PHP 5 - sprawdzimy Zend Framework i Symfony, przenalizujemy Propel, Doctrine, PDO i mdb2. Omówimy wszystkie kruczki i różnice między różnymi systemami baz danych (Oracle, MS SQL Server, MySQL) oraz nauczymy się pisać procedury składowane odporne na SQL injection.]]>
W trakcie prezentacji zademonstrujemy szkody, na jesteście narażeni nie myśląc o SQL injection. Dowiecie się, jak się przed nim bronić - zarówno w teorii, jak i na konkretnych przykładach. Nauczymy się pisać bezpiecznie w PHP 5 - sprawdzimy Zend Framework i Symfony, przenalizujemy Propel, Doctrine, PDO i mdb2. Omówimy wszystkie kruczki i różnice między różnymi systemami baz danych (Oracle, MS SQL Server, MySQL) oraz nauczymy się pisać procedury składowane odporne na SQL injection.]]> Thu, 25 Feb 2010 19:13:31 GMT /kkotowicz/owasp-sql-injection kkotowicz@slideshare.net(kkotowicz) Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko) kkotowicz W trakcie prezentacji zademonstrujemy szkody, na jesteście narażeni nie myśląc o SQL injection. Dowiecie się, jak się przed nim bronić - zarówno w teorii, jak i na konkretnych przykładach. Nauczymy się pisać bezpiecznie w PHP 5 - sprawdzimy Zend Framework i Symfony, przenalizujemy Propel, Doctrine, PDO i mdb2. Omówimy wszystkie kruczki i różnice między różnymi systemami baz danych (Oracle, MS SQL Server, MySQL) oraz nauczymy się pisać procedury składowane odporne na SQL injection. <img style="border:1px solid #C3E6D8;float:right;" alt="" src="https://cdn.slidesharecdn.com/ss_thumbnails/owasp-sql-injection-100225191337-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds" /> W trakcie prezentacji zademonstrujemy szkody, na jesteście narażeni nie myśląc o SQL injection. Dowiecie się, jak się przed nim bronić - zarówno w teorii, jak i na konkretnych przykładach. Nauczymy się pisać bezpiecznie w PHP 5 - sprawdzimy Zend Framework i Symfony, przenalizujemy Propel, Doctrine, PDO i mdb2. Omówimy wszystkie kruczki i różnice między różnymi systemami baz danych (Oracle, MS SQL Server, MySQL) oraz nauczymy się pisać procedury składowane odporne na SQL injection.

Kompletny przewodnik po SQL injection dla developer坦w PHP (i nie tylko) from Krzysztof Kotowicz

]]> 6441 6 https://cdn.slidesharecdn.com/ss_thumbnails/owasp-sql-injection-100225191337-phpapp01-thumbnail.jpg?width=120&height=120&fit=bounds presentation Black http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

0 https://cdn.slidesharecdn.com/profile-photo-kkotowicz-48x48.jpg?cb=1560890099 Web security researcher specialized in discovery and exploitation of HTML5 vulnerabilities. Author of multiple recognized HTML5/UI redressing attack vectors. http://blog.kotowicz.net https://cdn.slidesharecdn.com/ss_thumbnails/securingthedomfromthebottomup-jsnation-190607093605-thumbnail.jpg?width=320&height=320&fit=bounds slideshow/trusted-types-securing-the-dom-from-the-bottom-up-jsnation-amsterdam/149034996 Trusted Types - Securi... https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesw3ctpac-190423082527-thumbnail.jpg?width=320&height=320&fit=bounds slideshow/trusted-types-w3c-tpac-2018/141719385 Trusted Types @ W3C TP... https://cdn.slidesharecdn.com/ss_thumbnails/trustedtypesandtheendofdomxss-190418012319-thumbnail.jpg?width=320&height=320&fit=bounds slideshow/trusted-types-and-the-end-of-dom-xss/141131672 Trusted Types and the ...