TinyURL FS among Other Things
I guess I repeat myself, but I wanted to inform you one more time about the current state of my public research. As I mentioned in my previous post, I am doing a talk at the 6th OWASP conference about too many interesting things. I am not planning to talk at BlackHat or Defcon because I will be extremely busy at the time they take place, so I will try to get out as much information as I can in the form of podcasts, screencasts and blog posts after OWASP.
The topics I will cover vary, although they are all related to JavaScript and Web security to one degree or another. At the conference I will show a few techniques that can be used to write polymorphic JavaScript, which is helpful in a number of cases. I am also going to present several tricks and techniques for writing JavaScript-based tools that automatically test websites for vulnerabilities. Security researchers will greatly benefit from the discussed concepts, since these techniques will allow you to speed up the testing process to a great extent.
I will also cover topics such as services, mashups and decentralized code execution. I am going to present a solution called TinyURL FS, which is 1-2k of JavaScript that can be used to store and retrieve information to and from TinyURL. The solution is entirely based on JavaScript and does not require any server-side support from my side. Also, it is not based on XSS vulnerabilities in TinyURL.com. The technique I use shows the power of web technologies at their best. This stuff can be used for bad as well as for good purposes. I will try to reduce the impact of my research by showing its benefit to whitehats.
So yes, there is a lot going on, and I think that soon the Web application security industry will outgrow its original purpose. Today you need to look at Web application security globally. I will show you why. Meanwhile, the XSS book I discussed here will be out very soon. I may bring several copies and give them away to those who correctly answer a few simple questions.
Stay tuned. There is a lot going on that you cannot see.
Comments
Hi pdp,
I’m really looking forward to your talk at the AppSec Conference in Italy. Unfortunately I missed the CfP to give a speech there too but who knows, perhaps next year, I’m still young :)
By the way, do you know why the hell Dave (I think he's done the agenda) placed your talk at the same time as the one by Stefano? From my point of view it would make much more sense to have the possibility to hear both speeches, because these two talks are very interesting for other webappsec researchers.
Regards,
Sven
Hey Sven, I have no idea. I wanted to attend Stefano's presentation too. Maybe you can speak with the guys and make them reorganize the schedule a bit.
We discussed the placement of the two presentations today too. We were very sorry that we can't be at both.
Ok, I've just sent a mail to Dave Wichers, who's the OWASP Conferences Chair, even if I don't think that something will be changed.
Regards,
Sven
cool, thanks for that.
Dave has just changed the agenda so that these two research speeches don't interfere with each other :)
You can find the agenda still here:
http://www.owasp.org/index.php.....007/Agenda
Regards,
Sven
Are you planning to record a video and share it with all?
Well, I am not planning to do it myself... but I hope that the OWASP folks have something arranged.
Good luck at 6th OWASP conference, pdp!
Polymorphic JavaScript and TinyURL FS sound nice, so you need to tell more about these things after the conference (and show them to the security community). And don't forget to write a summary about the OWASP conference.
P.S.
It is a good idea to record video of (some) presentations at the conference. If there are such videos, pdp, you will certainly post about them on your site.