TinyURL FS among Other Things
I guess I am repeating myself, but I wanted to inform you one more time about the current state of my public research. As I mentioned in my previous post, I am doing a talk at the 6th OWASP conference about too many interesting things. I am not planning to talk at Black Hat or Defcon because I will be extremely busy at the time when they take place, so I will try to get out as much information as possible in the form of podcasts, screencasts and blog posts after OWASP.
The topics I will cover vary, although they are all related to JavaScript and Web security to one degree or another. At the conference I will show a few techniques that can be used to write polymorphic JavaScript, which is helpful in a number of cases. I am also going to present several tricks and techniques to write JavaScript-based tools for automatically testing websites for vulnerabilities. Security researchers will greatly benefit from the discussed concepts since these techniques will allow you to speed up the testing process to a great extent.
I will also cover topics such as services, mashups and decentralized code execution. I am going to present a solution called TinyURL FS, which is 1-2k of JavaScript that can be used to store and retrieve information to and from TinyURL. The solution is entirely based on JavaScript and does not require server-side support from my side. Also, it is not based on XSS vulnerabilities in TinyURL.com. The technique I use shows the power of web technologies at their best. This stuff can be used for bad as well as for good purposes. I will try to reduce the impact of my research by showing its benefit to whitehats.
So yes, there is a lot going on and I think that soon the Web application security industry will outgrow its original purpose. Today you need to look at Web application security globally. I will show you why. Meanwhile, the XSS Book, which I discussed here, will be out very soon. I may bring several copies and give them away to those who correctly answer a few simple questions.
Stay tuned. There is a lot going on that you cannot see.

Hi pdp,
I’m really looking forward to your talk at the AppSec Conference in Italy. Unfortunately I missed the CfP to give a speech there too but who knows, perhaps next year, I’m still young :)
By the way, do you know why the hell Dave (I think he’s done the agenda) placed your talk at the same time as the one by Stefano? From my point of view it would make much more sense to have the possibility to hear both speeches because these two talks are very interesting for other webappsec researchers.
Regards,
Sven