AJAX and Security Considerations
@irishwonder LAC2016
Why Security Matters
• Hacking on the rise
• Hacked sites lose traffic
  • downtime
  • security warnings
• A site getting hacked impacts its rankings eventually
What’s Different about AJAX?
• No more or less dangerous per se
• However, extra risks due to higher complexity
• Extra considerations to keep in mind
AJAX Considerations
• AJAX applications will not run with Javascript switched off
• Degrade gracefully
Typical Risks
• User input (XSS or SQL injection)
• User ID or credentials processing by Javascript
• Unauthorised access to files on the server
Typical Victims
• Standalone AJAX applications
• Popular CMS’s with AJAX enhanced functionality
• Wordpress plugins using AJAX
Typical Victims
Typical Victims
More Vulnerable Targets
Typical Scenario
• A user is authenticated in the code when the page is loaded
• A user ID or other credentials are displayed in the URL unencoded, picked up by Javascript
• Unencoded and unauthenticated credentials sent back to server
• HACKED!
Insecure WP Plugin
Showcase
RevSlider
• First discovered in 2014
• Affects versions below 4.2
• Affects themes using it
inurl:/wp-admin/admin-ajax.php?action=revslider_ajax_action - to find vulnerable revslider plugins
The Problem Extent
Security Measures
• Proper authentication and authorisation checks
• User input validation against XSS and SQL injection
• Use HTTPS if transmitting sensitive data
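An added example (not from the slides) for the input-validation point: a comment endpoint's input handling in Node.js, with an allow-list validator, a string-concatenated SQL statement beside a parameterised one, and HTML encoding at output time for data rendered back into the page by AJAX. The comment payload, table name and sample inputs are constructed.

```javascript
// Added example (not from the slides): validating AJAX input, keeping SQL text
// and values separate, and encoding at output time. Table, fields and inputs
// are constructed for this demo.

// Encode the five characters that let text break out of an HTML context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate against what is expected (allow-list) rather than stripping "bad" input.
function validateComment(payload) {
  const errors = [];
  if (!Number.isInteger(payload.postId) || payload.postId < 1) {
    errors.push("postId must be a positive integer");
  }
  if (typeof payload.body !== "string" || payload.body.length === 0 || payload.body.length > 2000) {
    errors.push("body must be 1-2000 characters");
  }
  return errors;
}

// INSECURE: the value is pasted into the SQL text, so a quote in the comment
// body changes the statement's structure.
function buildQueryUnsafe(postId, body) {
  return `INSERT INTO comments (post_id, body) VALUES (${postId}, '${body}')`;
}

// SAFE: SQL text and values travel separately; the driver binds the values
// and the statement's structure is fixed before any user data is seen.
function buildQuerySafe(postId, body) {
  return { sql: "INSERT INTO comments (post_id, body) VALUES (?, ?)", params: [postId, body] };
}

// When the stored comment is fetched via AJAX and inserted into the DOM,
// encode it for the HTML context it lands in (here: element text and an attribute).
function renderComment(comment) {
  return `<li data-post="${escapeHtml(comment.postId)}">${escapeHtml(comment.body)}</li>`;
}

module.exports = { escapeHtml, validateComment, buildQueryUnsafe, buildQuerySafe, renderComment };
```

Validation and encoding are separate controls: validation rejects malformed requests early, parameter binding keeps the database safe whatever the body contains, and output encoding keeps a stored body from executing when it is rendered. Placeholder syntax is the "?" style; the exact marker depends on the driver in use.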
HTTPS
• Implement correctly
• Double check for consistent implementation throughout the site
• Incorrect implementation results in additional security risks and hurts SEO performance
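One concrete "double check" for consistent HTTPS, as an added example that is not from the slides: a small Node.js scanner that reads a page's HTML and reports sub-resources still fetched over plain http:// (mixed content, which browsers block or warn on) and links that send visitors back to the http:// version of the same site. SITE_HOST and the sample page are constructed; real use would feed it each crawled page.

```javascript
// Added example (not from the slides): flag http:// references in a page
// served over HTTPS. SITE_HOST and SAMPLE_PAGE are constructed values.
const SITE_HOST = "example.test";

// src/href/action values of the tags that fetch sub-resources or navigate.
const ATTR_RE = /<(script|img|link|iframe|a|form)\b[^>]*?\s(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;

function findInsecureReferences(html, siteHost = SITE_HOST) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const tag = m[1].toLowerCase();
    const url = m[2];
    if (!/^http:\/\//i.test(url)) continue; // https://, relative and //host URLs are fine
    const host = url.replace(/^http:\/\//i, "").split(/[/?#]/)[0].toLowerCase();
    const isResource = tag !== "a" && tag !== "form";
    findings.push({
      tag,
      url,
      // http:// scripts/iframes are blocked on an https page and images warn;
      // a same-site http:// link pushes the user back onto the insecure origin.
      severity: isResource ? "mixed-content" : host === siteHost ? "downgrade-link" : "external-http-link",
    });
  }
  return findings;
}

// Constructed sample page with one of each problem plus clean references.
const SAMPLE_PAGE = `
<html><head>
<link rel="stylesheet" href="https://example.test/css/site.css">
<script src="http://cdn.example.test/js/ajax.js"></script>
</head><body>
<img src="//example.test/img/logo.png">
<a href="http://example.test/login">Log in</a>
<a href="http://other.example/partner">Partner</a>
<form action="/comment" method="post"></form>
</body></html>`;

module.exports = { findInsecureReferences, SAMPLE_PAGE, SITE_HOST };
```

On the sample page the scanner reports the script as mixed content, the login link as a downgrade to http://, and the partner link as an external plain-http link, while the https stylesheet, protocol-relative image and relative form action pass. A regex scan is enough for a spot check; a full audit would also confirm the http:// origin redirects to https:// for every path.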
Plugins and Themes
• Know what you use
• Update to the latest (patched) versions
Bonus!
• Showcase: RevSlider vulnerability story
  http://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html
• How to update a plugin if it’s included in a theme
  http://www.themepunch.com/faq/update-plugin-packaged-theme/
• Free website malware and security scanner
  https://sitecheck.sucuri.net/ (WARNING: will not catch all security issues but may be of help)
• Test your HTTPS https://www.ssllabs.com/ssltest/index.html
@irishwonder BAC, Berlin October 2015
Questions?
Feel free to get in touch!
• info@irishwonder.com
• Twitter: @irishwonder
• Slideshare: http://www.slideshare.net/irishwonder/
• LinkedIn: linkedin.com/in/irishwonder
• Blogs:
  http://www.irishwonder.com/blog/ - general SEO
  http://www.irishwonder.syndk8.co.uk/ - darker areas
#LAC2016
