Web Framework Vulnerabilities

Presented at AppSec USA 2012, Oct. 26, 2012, 3 p.m. (45 minutes)

This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities.

This talk is a trimmed-down version of the 3-hour workshop given at Black Hat. This is an advanced talk, and an understanding of the application frameworks is a prerequisite to get the most out of it.


Presenters:

  • Abraham Kang - Senior Director Software - Samsung Research America
    Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs. Kang has a B.S. from Cornell University. He currently works for Samsung as a Senior Director Software, helping to drive security and development at Samsung. Prior to joining Samsung, he worked as Principal Security Researcher for HP in their Software Security Research group. Prior to this, he worked in application security for over 10 years, reviewing over 12 million lines of code and working for over four years as a dedicated security code reviewer at Wells Fargo. He is focused on application, framework, blockchain smart contract, intelligent assistant and mobile security and has presented his findings at OWASP AppSec USA, Black Hat USA, DEFCON, RSA USA and BSIDES.
