About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Security 2.0 at Web Builder 2.0

I'll be giving a talk about Security 2.0 on Tuesday at Web Builder 2.0 in Las Vegas:

Web 2.0 has been described as many things. It's the Web as a platform, a network of networks, the architecture of participation. However you choose to define it, the way we build applications online has changed. Web sites do more by empowering users, but this has opened a Pandora's box. Cross-site scripting (XSS), cross-site request forgeries (CSRF), and Ajax are being combined in creative new ways to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. This talk examines this new threat, dubbed Security 2.0, by demonstrating some hypothetical and real exploits as well as discussing methods of safeguard and prevention.

Yes, I'm having a bit of fun with the whole "2.0" theme, but there is some truth to the notion that web application security is evolving. The focus on empowering users is a double-edged sword, and CSRF in particular is proving to be as dangerous as we predicted.

If you want to stay on top of this evolution, check out Jeremiah's Browser Port Scanning without JavaScript as well as Ilia's follow-up.

About This Post

Security 2.0 at Web Builder 2.0 was posted on Thu, 30 Nov 2006 at 19:14:04 GMT.

3 Comments

1. Ivan Markovic said:

As you say, Web 2.0 security is based on XSS, AJAX and CSRF. But I wish to mention that there are more interesting fields (where I am experimenting), like XML poisoning, RSS & Atom injection and WSDL enumeration ...

Sat, 02 Dec 2006 at 02:10:44 GMT


2. Chris Shiflett said:

Hi Ivan,

I don't think I'm saying that at all. Those are just the topics that I've chosen to talk about, and I think they're interesting, important, and relevant.

I'd be very interested to hear more about your research.

Sat, 02 Dec 2006 at 04:23:50 GMT


3. Chris Shiflett said:

A recap of the conference and link to the slides is available here:

http://shiflett.org/archive/282

Tue, 12 Dec 2006 at 16:22:40 GMT

