Security 2.0 at Web Builder 2.0

30 Nov 2006

I'll be giving a talk about Security 2.0 on Tuesday at Web Builder 2.0 in Las Vegas:

Web 2.0 has been described as many things. It's the Web as a platform, a network of networks, the architecture of participation. However you choose to define it, the way we build applications online has changed. Web sites do more by empowering users, but this has opened a Pandora's box. Cross-site scripting (XSS), cross-site request forgeries (CSRF), and Ajax are being combined in creative new ways to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. This talk examines this new threat, dubbed Security 2.0, by demonstrating some hypothetical and real exploits as well as discussing methods of safeguard and prevention.

Yes, I'm having a bit of fun with the whole "2.0" theme, but there is some truth to the notion that web application security is evolving. The focus on empowering users is a double-edged sword, and CSRF in particular is proving to be as dangerous as we predicted.
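As an added example (not code from the original post), here is the standard safeguard against the CSRF attacks mentioned above: a per-session synchronizer token that every state-changing request must echo back, so a forged request from another site, which cannot read the token, is rejected. The in-memory session store and the handler names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store, standing in for whatever the
# application really uses (hypothetical; not from the original post).
SESSIONS = {}

def issue_token(session_id):
    """Create (or reuse) the anti-CSRF token bound to this session.
    It is embedded in every state-changing form as a hidden field; a page
    on another origin can cause the browser to send the cookie, but it
    cannot read the token out of the victim's page."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def render_form(session_id):
    """Emit a form that carries the session's token (token is hex, so it
    needs no HTML escaping)."""
    token = issue_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="token" value="{token}">'
            '<input name="amount"><input type="submit"></form>')

def handle_transfer(session_id, method, form):
    """Server-side check: accept only a POST whose submitted token matches
    the one bound to the session. Returns True when the action may proceed."""
    if method != "POST":
        return False  # state changes must never ride on GET
    session = SESSIONS.get(session_id)
    if not session or "csrf_token" not in session:
        return False  # no token was ever issued for this session
    submitted = form.get("token", "")
    # constant-time comparison so the token cannot be guessed via timing
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False
    return True
```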

If you want to stay on top of the evolution, check out Jeremiah's Browser Port Scanning without JavaScript as well as Ilia's follow-up.