Friday, February 22, 2008

Your Client-Side Security Sucks

Last night I presented a talk at the local OWASP chapter titled "Your Client-Side Security Sucks: STOP USING IT (as your only method of security)" and the turn-out was great. I met some really awesome people and the subject matter, while not cutting-edge research, appeared to hit home.

We, as Web Application people, are still making some simple mistakes. This presentation highlighted three REAL WORLD examples of client-side security done incorrectly.

The PDF slides are available here and soon I'll have a QuickTime video with a voiceover. I LOOOOOVE Keynote now! It has such useless transformations that you must pull back or else the content will be lost. How awesome is that? Plus exporting to a QuickTime so others can enjoy your ego-boosting flame build-in!

Rumor has it there will be an OWASP regional conference in the near future so hopefully I'll present this again with some improved slides and other real world examples. If you have any examples but don't want to "go public" yourself, let me know and I'll share them. This is one of the first things you're supposed to learn as a web developer so I have no problem exposing others. JavaScript, Java and Flash do not equate to protection! Shoot me an e-mail.

The second presenter, as luck would have it, is working on a tool exactly like I had done for NTLM relay attacks! We had a good chat about where we both saw our tools going in the future. It has renewed my energy in completing the PokeHashBall tools at least. Thanks, Eric!
