This event has ended

OWASP Helsinki chapter meeting #23

OWASP Helsinki

Tuesday, January 21, 2014 from 5:30 PM to 9:00 PM (EET)

Espoo, Finland

OWASP Helsinki chapter meeting #23

Ticket Information

Type End     Quantity
OWASP meeting #23 participation Ended Free  

Who's Going

Loading your connections...

Share OWASP Helsinki chapter meeting #23

Event Details

The next OWASP chapter meeting will be held on January 21st. Mario Heiderich appears as guest speaker. He is a researcher and Post-Doc (PhD thesis on client side security and defense), published author and international speaker specialized in HTML5, SVG security and JavaScript, XSS and client side attacks.
 
Location: HTC Keilaranta, Keilaranta 13, Espoo.
 
Agenda:
17:30 Coffee
18:00 Opening words /Petteri Arola, OWASP
18:05 Word from our sponsor /Nixu
18:20 The inner HTML Apocalypse - How MXSS attacks change everything we believed to know so far /Mario Heiderich

This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them.

We analyzed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to be understood and researched even further.

The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

19:15 JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks /Mario Heiderich

There is a way to build common, classic web applications. You know, servers, databases, some HTML and a bit of JavaScript. Ye olde way. Grandfather still knows. And there is a way to build hip and fancy, modern and light-weight, elastic and scalable client-side web applications. Sometimes with a server in the background, sometimes with a database - but all the hard work is done by something new: JavaScript Model-View-Controller and templating frameworks.

Angular, Ember and CanJS, Knockout, Handlebars and Underscore... those aren't names of famous wrestlers but modern JavaScript fame-works that offer a boost in performance and productivity by taking care of many things web-app right there in the browser, where the magic happens. And more and more people jump on the bandwagon and implement those frameworks with great success. High time for a stern look from the security perspective, ain't it not?

This talk will show you how those frameworks work, how secure their core is and what kind of security issues spawn from the generous feature cornucopia they offer. Do their authors really know the DOM well enough to enrich it with dozens of abstraction layers? Or did they open a gate straight to JavaScript hell introducing a wide range of new injection bugs and coding worst-practices? Well, you'll know after this talk. You'll know… 

20:15 QA
20.30 - 21.30 Discussion continues over snacks and refreshments.
 
Please register by Friday January 17th.
Have questions about OWASP Helsinki chapter meeting #23? Contact OWASP Helsinki

When & Where



HTC Keilaniemi
Keilaranta 13
02150 Espoo
Finland

Tuesday, January 21, 2014 from 5:30 PM to 9:00 PM (EET)


  Add to my calendar

Organizer

OWASP Helsinki

  • OWASP: https://www.owasp.org
  • OWASP Helsinki: https://www.owasp.org/index.php/Helsinki
  • petteri.arola(at)owasp.org
  Contact the Organizer

Please log in or sign up

In order to purchase these tickets in installments, you'll need an Eventbrite account. Log in or sign up for a free account to continue.