SIGINT10 - final10
SIGINT 2010
Konferenz für Netzbewohner, Hacker und Aktivisten
Speakers | |
---|---|
Dan Kaminsky |
Schedule | |
---|---|
Day | Day 1 - 2010-05-22 |
Room | KOMED Saal (MP7) |
Start time | 21:00 |
Duration | 00:45 |
Info | |
ID | 3906 |
Event type | Lecture |
Track | Hacker |
Language used for presentation | English |
Feedback | |
---|---|
Did you attend this event? Give Feedback |
The Fine Art of Hari Kari (.JS)
And Other Approaches For The Strange Reality Of Web Defense
The web is remarkably difficult to secure. Browsers are ornery, powerful creations, and we security people demand all sorts of things of developers to make them behave. By in large, the developers ignore us. Our asks, they say, are too expensive. Rather than just guilting them, could we make better asks -- of both web developers, and browser manufacturers? Possibly.
In this talk, I explore a couple of interesting techniques for easily mitigating entire classes of Cross Site Scripting and Cross Site Request Forgery attacks. They aren't perfect, but they work, and more importantly they represent a new class of ask for browser manufacturers that might even be implementable past the genuinely more powerful forces of application compatibility, performance, and developer compliance. I will also discuss Treelocking, a generic mechanism for mitigating injections into protocols as diverse as SQL, LDAP, XML, and JSON.