XSS and eXo Products. Portal & TQA teams, Oct 2011
Agenda
Introduction to XSS
What is XSS?
How Does XSS Work?
XSS Sample Cases
XSS Cases Sample video
XSS types
The Impact of XSS
Preventing XSS attacks
XSS in eXo Products: examples of how to detect XSS vulnerabilities

Use case of Reflected XSS
Package: WCM 2.2.0
Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-1773
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more

Use case of Stored XSS
Package: Social 1.2.0
Attack steps: see the defect description at https://jira.exoplatform.org/browse/SOC-1532
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more

Use case of DOM-based XSS
Package: ECMS 2.3.x
Attack steps: see the defect description at https://jira.exoplatform.org/browse/ECMS-2791
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more

XSS exploit based on a logic vulnerability
Package: PLF 3.5.0
Attack steps: see the defect descriptions at https://jira.exoplatform.org/browse/ECMS-2723 and https://jira.exoplatform.org/browse/ECMS-2736
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Question for listeners: what is the best solution for this situation?

References for audiences
1. Guideline of secure coding standards: http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1
2. EXOWiki security links:
   EXO-RedHat Collaboration Study: https://wiki-int.exoplatform.org/display/rhcollab/XSS
   TQA Security Test: https://wiki-int.exoplatform.org/display/TQA/SECURITY
   Deployment & Configuration rules (ITOP): https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
DISCUSSION
