【Talk Title】 Web Application Security Attacks and Defenses
【Time】 January 7, 2010 (Thursday), 10:00 ~ 12:00
【Venue】 International Conference Hall (northern site), Large Conference Room (central site), Multimedia Room (southern site)
【Abstract】
Web applications are the part of cloud computing that faces users most directly, yet how to ensure the security of web applications is something developers often overlook. For this talk we have invited Kristian Erik Hermansen to introduce the methods used to attack web applications and how to defend against them; we believe it will be inspiring for colleagues who develop web applications.
In addition, Kristian Erik Hermansen has long toured widely to promote NCHC's Clonezilla (再生龍), has given many talks titled "Clonezilla is better than Ghost", and has spared no effort in promoting DRBL (企鵝龍) and Clonezilla. We therefore warmly invite all colleagues of the center to join us in welcoming this international friend.
While network layer attacks are still important to secure against, most malware today is easily propagated via web application vulnerabilities and client-side flaws. We will present many scenarios that demonstrate real-world attacks, utilizing actual examples the presenter has encountered or authored in his professional research. Some of the topics covered will include SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and web browser attacks. The presenter will also discuss some tools that can help thwart such attempts by malicious users and programs.
【Speaker Bio】
Kristian Erik Hermansen is an Information Security Expert with Experian. He helps to build cutting-edge solutions that protect 300+ million consumers globally. His expertise encompasses threat modeling, risk management, penetration testing, and web application security assessment.
Kristian has over ten years of experience in the field of information and network security. He began his career as a network engineer with EMC in Boston, Massachusetts working with the Celerra and Symmetrix product lines. He has also worked for Fortune 100 companies such as IBM and Cisco Systems. He joined Experian in early 2008 and was immediately tasked with several difficult problems tied to Information Security analysis. One successful customized statistical monitoring model he developed has been heralded as a major differentiator that allows the business to make more accurate technology decisions.
Kristian currently lives in the Los Angeles, California area and contributes regularly to many professional and non-profit organizations. He greatly enjoys interacting with the open source community. He is also on the advisory panel for Linux Journal magazine.
Kristian holds a B.S. in Computer Science from the University of Massachusetts Amherst and attended Harvard University for a short time before moving to California. He is currently a graduate student and MBA candidate at the University of California, Irvine's Paul Merage School of Business.
【Talk Notes】
Thanks to colleagues at the northern, central and southern sites for their enthusiastic participation. The speaker, Kristian Erik Hermansen, was travelling in Taiwan at his own expense, and we took the opportunity to invite him to give a talk while he was here. Because time was limited, he unfortunately could not share everything with us; anyone interested in the 170-plus slides the speaker prepared is welcome to download the attachment.
Second, the URLs for the two attack demonstrations Kristian showed are:
Attack demos:
- Search field on http://testfire.net/ - enter
'><script>alert("hello");</script>
- Login form on http://testfire.net/ - enter the following as the account name, with any password
admin ' or 1=1--
- Open http://session-destroyer.weebly.com/ and then log in to any site that uses sessions (e.g. GMail); after a few seconds you will be forcibly logged out
The testing tool Kristian mentioned at the end of the talk is available at http://code.google.com/p/ratproxy/
Attachments (1)
- attacking.web.apps.ppt (5.1 MB) - added by jazz 15 years ago.