Thursday, July 30 • 1:45pm - 2:10pm
Bryan Sullivan: Defensive Rewriting


Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.
This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Sullivan
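The 10-minute URL rotation the abstract proposes, written out as an added Python example (not the speaker's ASP.NET module): every outbound link is stamped with an HMAC over the current 10-minute window number, and the inbound side accepts only the current window plus one grace window, so a poisoned link mailed hours earlier no longer validates. The `_t` parameter name, the key and the grace policy are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WINDOW_SECONDS = 600        # rotate links every 10 minutes, as the abstract proposes
TOKEN_PARAM = "_t"          # hypothetical query parameter that carries the window token
SECRET = b"constructed-demo-key"  # constructed for this example; load from a key store in real use


def window_id(now: float) -> int:
    """Number of the 10-minute window that `now` (Unix seconds) falls in."""
    return int(now // WINDOW_SECONDS)


def window_token(window: int, secret: bytes = SECRET) -> str:
    """Keyed token for one window; cannot be forged without the server secret."""
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()[:24]


def rewrite_url(url: str, now: Optional[float] = None, secret: bytes = SECRET) -> str:
    """Outbound side: stamp a link with the token of the current window.

    Any stale token already present is dropped, so rewriting is idempotent.
    """
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    query.append((TOKEN_PARAM, window_token(window_id(now), secret)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def validate_url(url: str, now: Optional[float] = None, secret: bytes = SECRET,
                 grace_windows: int = 1) -> bool:
    """Inbound side: accept the current window plus `grace_windows` earlier ones.

    A page opened just before a window boundary keeps working; a link mailed
    long ago (the XSS / XSRF / open-redirect delivery case) is rejected.
    """
    now = time.time() if now is None else now
    presented = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)).get(TOKEN_PARAM)
    if presented is None:
        return False
    current = window_id(now)
    for window in range(current, current - grace_windows - 1, -1):
        # constant-time comparison so the check does not leak token bytes
        if hmac.compare_digest(presented, window_token(window, secret)):
            return True
    return False
```

Rotation like this also breaks bookmarks and legitimately forwarded links, so in practice it is applied to state-changing or sensitive endpoints rather than to every URL on a site.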

Thursday July 30, 2009 1:45pm - 2:10pm
Roman Ballroom
