Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep in to the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides. Presented at @media Ajax 2008 on the 16th of September.
Citation preview
1. When Ajax Attacks! Web application security fundamentals
Simon Willison, @media Ajax 2008
2. Im here to scare you XSS PDF CSRF XBL UTF-7 HTC
crossdomain.xml JSON and JSONP
3. A few years ago... Web application security tutorials tended
to boil down to three things: Dont trust input from users Avoid SQL
injection attacks Dont let people inject JS in to your pages
4. A few years ago... Web application security tutorials tended
to boil down to three things: Dont trust input from users Boring!
Avoid SQL injection attacks Dont let people inject JS in to your
pages
