Billy Hoffman is a manager in HP’s Security Labs (via their SPI Dynamics purchase). He is also the co-author of AJAX Security which is how he ended up on Technometria. They ended up talking not only about AJAX but security in a rich environment in general covering Flash as well. I only paid about 60% attention, but here are my notes.
- Flare – a flash decompiler
- If you are doing crypto, don’t put the key in the flash object (see previous bullet for why)
- How many times do we have to mention don’t trust the client? Don’t people get this yet? Repeat after me: I will not put state information in the client nor will I make decisions based upon state in the client.
- Today’s tester needs to get familiar with tools like Wireshark and Ethereal to watch the protocol traffic, since some errors are hidden by the browser and never show up on screen.
- With the rush to SOA you have to make sure your architecture does not create a DoS vulnerability. For example, one service reserves a seat or ticket and another one releases it (if a payment failed). By calling the first service but not the other your inventory can disappear rapidly.
- JS comments are visible to the end user; make sure they are sanitized.
- <script> tags do not abide by the same-origin policy.
- JSON hijacking, the practical consequence of the previous bullet: a cross-site page can pull in your JSON endpoint with a <script> tag.
- There is a lot of uncertainty around the origin of a request; is it a browser, or a script? Right now you have to do a lot of log correlation but once that technique is commonplace the scripts will up their intelligence to outsmart that too.
- In CSS, the last definition of a property is what wins. If you let users upload their own CSS they can do all sorts of nasty stuff.
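As an added example (not from the podcast or this post), here is the server side of the JSON hijacking defence in plain Node.js: the endpoint only answers requests carrying a custom header, which a cross-site <script> include cannot send, and every JSON body gets a prefix that is a syntax error when loaded as a script. The header name, the prefix string and the sample order data are assumptions I chose for the example.

```javascript
// Added example, not code from the podcast or the post. Two defences against
// JSON hijacking, written as plain functions so they run without an HTTP server.

// 1. A <script src="..."> include cannot attach custom request headers; only
//    same-origin XMLHttpRequest/fetch code can. Requiring one therefore rejects
//    the cross-site <script> include path. (Header name is an assumed choice.)
const REQUIRED_HEADER = "x-requested-with";
const REQUIRED_VALUE = "XMLHttpRequest";

function isXhrRequest(headers) {
  // Header names are case-insensitive; normalise before comparing.
  const found = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === REQUIRED_HEADER
  );
  return found !== undefined && found[1] === REQUIRED_VALUE;
}

// 2. A prefix that is invalid JavaScript: a <script> tag loading this body
//    fails to parse before any array or object literal is evaluated, while
//    a same-origin XHR client simply strips it before JSON.parse.
const GUARD_PREFIX = ")]}',\n";

function wrapJson(value) {
  return GUARD_PREFIX + JSON.stringify(value);
}

function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Handler for a "GET /api/orders" style endpoint. `req` is a minimal object
// { headers: {...} } standing in for a real HTTP request.
function handleJsonRequest(req, data) {
  if (!isXhrRequest(req.headers)) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: wrapJson(data) };
}

// Constructed sample data for trying the handler out.
const SAMPLE_ORDERS = [
  { id: 1001, seat: "12A", paid: true },
  { id: 1002, seat: "12B", paid: false },
];
```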
Direct link to MP3.