Thursday, November 21 • 9:00am - 9:50am
Defeating XSS and XSRF using JSF Based Frameworks


During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected.
This presentation will focus on frameworks built upon the JSF API component of Java EE (JEE) and on two specific vulnerabilities for which such frameworks commonly advertise built-in mitigation: cross-site scripting (XSS) and cross-site request forgery (XSRF).
It is very common for a framework to provide ways to prevent XSS and XSRF, so to begin the session I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities.
During the course of this presentation, I will demonstrate what happens when these frameworks are used out of the box by exploiting a sample application. Since this code is open source, we will look at the framework code to confirm or deny that it has automatically protected you against these attacks. I will then proceed to give you a couple of options which will close these gaps and secure the application from these attacks.
You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.
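As an added illustration for readers of the abstract (this is not the talk's sample application, slides or the framework code it reviews), the Facelets page and faces-config.xml fragment below show where the built-in JSF 2.2 mitigations the abstract refers to actually apply and where they stop. The bean and view names (`commentBean`, `/account/transfer`) are assumed for the example.

```xml
<!-- comment.xhtml: Facelets page (added example; commentBean is a hypothetical managed bean) -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:body>
  <!-- XSS: h:outputText HTML-escapes its value by default, so a stored
       comment containing <script> is rendered as literal text. -->
  <h:outputText value="#{commentBean.comment}" />

  <!-- Inline EL in Facelets template text is escaped the same way. -->
  <p>#{commentBean.comment}</p>

  <!-- escape="false" switches the default off. This is the attribute a code
       reviewer greps for: it is only safe if the value was sanitised server-side. -->
  <h:outputText value="#{commentBean.comment}" escape="false" />

  <!-- XSRF on postbacks: h:form emits the javax.faces.ViewState hidden field,
       which is the value the framework checks on a POST. With the default
       server-side state saving the page holds only an opaque reference; with
       javax.faces.STATE_SAVING_METHOD=client the serialized state itself is
       sent to the browser and must be protected (encrypted/MAC'd) by the framework. -->
  <h:form>
    <h:inputText value="#{commentBean.comment}" />
    <h:commandButton value="Post" action="#{commentBean.save}" />
  </h:form>

  <!-- XSRF on GET: h:link targeting a protected view appends the
       javax.faces.Token parameter automatically. A hand-written
       <a href="/account/transfer.xhtml"> does not, and the request is rejected. -->
  <h:link outcome="/account/transfer" value="Transfer funds" />
</h:body>
</html>

<!-- WEB-INF/faces-config.xml (fragment): nothing is protected unless the view
     is listed here. Non-postback requests to a listed view must carry a valid
     javax.faces.Token; for postbacks the Origin and Referer headers, when
     present, are checked against the application. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="2.2">
  <protected-views>
    <url-pattern>/account/transfer.xhtml</url-pattern>
  </protected-views>
</faces-config>
```

The practical checks this suggests when reviewing a JSF-based application: search the views for `escape="false"` and for raw `<a href>` or redirects into state-changing pages, confirm that every state-changing view appears under `<protected-views>`, and confirm which `javax.faces.STATE_SAVING_METHOD` is configured in web.xml, since the ViewState field only works as an anti-XSRF token if its value cannot be predicted or forged by the attacker.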


Stephen Wolf

I have spent the last 6 years of my development career evangelizing application security and am currently working as an application security engineer in the San Francisco bay area. I’ve been a developer for over 20 years with my hands into everything from embedded systems and assembly...

Thursday November 21, 2013 9:00am - 9:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis
