Conference Program - OWASP AppSec USA 2011

Mobile Web Services
Gunnar Peterson

They’re not mobile applications, they’re mobile web applications. This distinction is important because some of the most important vulnerabilities of mobile apps are found in the web service layer. This talk explores the weird but crucial area of server side plumbing and shows how to defend your servers.

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah

Browsers are escalating their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. It is forming the backbone of next generation applications running on mobile, PDA devices or desktops. The blend of DOM (Remote Execution stack), XHR L2 (Sockets for injections) and HTML5 (Exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is of the essence to understand attack surface and vectors to protect next generation applications. We have an enormous expansion of attack surface after inclusion of features like audio/video tags, drag/drop APIs, CSS-Opacity, localstorage, web workers, DOM selectors, mouse gesturing, native JSON, Cross Site access controls, offline browsing, etc. This extension of attack surface and exposure of server side APIs allows an attacker to perform the following lethal attacks and abuses.

• XHR abuse, attacking Cross Site access controls using level 2 calls
• JSON manipulations and poisoning
• DOM API injections and script executions
• Abusing HTML5 tag structure and attributes
• Localstorage manipulation and foreign site access
• Attacking client side sandbox architectures
• DOM scrubbing and logical abuse
• Browser hijacking and exploitation through advanced DOM features
• One-way CSRF and abusing vulnerable sites
• DOM event injections and controlling (Clickjacking)
• Hacking widgets, mashups and social networking sites
• Abusing client side Web 2.0 and RIA libraries

We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations.

OWASP Codes of Conduct
Colin Watson

The new OWASP Codes of Conduct are a collection of documents defining a set of minimal requirements for other types of organizations, specifying what OWASP believes to be the most effective ways they could support OWASP’s mission. The Codes were largely developed at working sessions during the OWASP Summit in Portugal earlier this year and their scope includes government bodies, educational institutions, standards groups, trade organizations and certifying bodies. The Codes have now become a formal OWASP project and this presentation will outline the objectives, requirements and future plans for the Codes.