We're seeing record temperatures across the United States, and Las Vegas is no exception. Hopefully it'll cool down a tad by the end of the month, but some of these web application security Briefings we've got lined up are so hot that they'll probably just exacerbate the problem. Oh well, that's what AC is for.
SQL injection is a mainstay of website attacks, allowing attackers access to more data than the targeted database is intended to offer. In ') UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques')%00, Roberto Salgado will explore a number of ways to evade firewalls by optimizing or hiding SQL injection commands. He'll also share the updated Leapfrog 2.0, a pentest tool that can bypass various firewalls and help admins develop new, more secure firewall rules.
Bonus! If you're really into SQL injection, Jeff Forristal, aka 'Rain Forest Puppy', credited with the discovery of the technique, will be presenting Android: One Root to Own Them All, demonstrating an Android crypto weakness that leads to root access.
Next up, a Turbo Talk. An application's security posture is directly proportional to the amount of information known about the application, so "more" is often better. Big data techniques allow the combing through of mountains of data to identify trends, and these techniques can be applied to web application security as easily as shopping habits. Big Data for Web Application Security will explore the kinds of security problems big data can help solve, and rule out some it can't. Come see how Etsy applies data analytics to increase customer security.
Lastly, Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data, snagging potentially sensitive data from the browser's other open sessions. Dissecting CSRF Attacks & Countermeasures will cover types of testing and countermeasures that can help determine if CSRF protections are in place, including a tool (which will be released with code) that helps do so. Then they'll explore a new concept called Storage Origin Security (SOS) that foils many types of CSRF attacks without requiring bothersome HTML modifications.