Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
OWASP USA
November 2007
http://www.owasp.org/
For my next trick...hacking Web2.0 (lite)
Petko D. Petkov (pdp)
GNUCITIZEN
http://www.gnucitizen.org
OWASP USA – November 2007
powered BY
http://www.gnucitizen.org
...before we START
Feel free to ask questions!
Do ask questions!
Have fun!
what is WEB2.0?
Marketing buzzword
Invented by O'Reilly Media in 2003
Wikis, Blogs, AJAX, Social Networks, Collaboration
APIs, SOA (Service Oriented Architecture)
Data in the Cloud
Applications on Demand
why web2.0 HACKING?
Data Management
Information Leaks
Live Profiling
Information Spamming
Service Abuse
Autonomous Agents
Distribution
Attack Infrastructures
the PAPER
5 fictional stories with technology that is real
Learn by example
KISS (Keep it Simple Stupid)
Problems with no solutions
I was told that I need to come up with some solutions, otherwise I cannot present at OWASP.
the STORIES
MPack 2.0: Attack Infrastructures
Wormoholic: Autonomous Agents
Bookmarks Rider: Distribution
RSS Kingpin: Information Spamming
Revealing the hidden Web: Service Abuse
know your ROOTS
what's MPACK?
what would it be in the web2.0 WORLD? (hint: Google Mashup Editor)
who is SAMY?
what's a covert CHANNEL?
...but in the web2.0 WORLD?
who's the mechanical TURK?
...to MALWARE? (hint: Social Bookmarking)
can web2.0 malware BROADCAST?
...MD5(DOMAIN + TIME)
where are my SCHEDULERS?
where are my ACTUATORS?
...data in the CLOUD...
(the malicious one)
...applications on DEMAND...
(the malicious ones)
what's state and what's PERSISTENCE?
riding social bookmarks is FUN!
...maybe make some money TOO!
to splog or not to splog. This is the QUESTION!
call me the rss KINGPIN!
service abuse and the hidden WEB
know your ROOTS
...more
Profiling targets by watching their Web activities
Snoop onto targets
GEO Position Mobile phones
GEO Position individuals
More service abuse
More vulnerabilities
More Insecurities
solutions and recommendations?
thank YOU
http://www.gnucitizen.org