JS Suicide: Using JavaScript Security Features to Kill JS Security

Presented at Black Hat Asia 2014

JavaScript today has a presence in almost every website on the Internet, and the security community is actively researching better security features for the language every day. Unfortunately, many of these features are a double-edged sword. In this presentation, we will show how some of the security features in JavaScript can be turned against a website by an attacker to disable its other security features. More specifically, we will see how the sandboxing features of ECMAScript 5 can both make and break security in modern applications. We also take a few real-world examples, such as OWASP CSRFGuard, and use some of the major security features of JavaScript to bypass the CSRF protection this OWASP library offers, in several different ways.


Presenters:

  • Ahamed Nafeez - Citrix Systems
    Ahamed Nafeez is a Security Engineer at Citrix Systems, where his work ranges from end-to-end penetration testing to researching exotic security topics to creating threat models. He has an above-average interest in client-side security and network security.
