This presentation contains only a few PowerPoint slides; most of the time will be spent demonstrating on stage different types of weaknesses and attack vectors in iframing.
Here are some highlights:
- Obvious risks of iframing: clickjacking and UI redressing
- Bypass of X-FRAME-OPTIONS SAMEORIGIN
- XSS with JSON in the iframe
- Cross-origin access to the DOM of apps running on different TCP ports of the same host (IE and Edge)
- More tricks for cross-origin access using iframes
- Misuse of the XSS filter to create XSS in an app that has no XSS vulnerability (XSS nightmare)
- and more ...
Aurelijus Stanislovaitis will hold this presentation. Aurelijus has been a security professional for more than 10 years and currently focuses on web application security testing. His previous roles included auditing and advising on risks and security controls for international clients in a wide range of industries. He is a CISA- and CISM-certified member of ISACA and has led the OWASP Lithuania chapter since 2014. Aurelijus is a frequent speaker at local technical user groups and regularly delivers web application security training for international audiences at Visma.
Cross-project work dictates a constant need to learn new things. Finding unexpected ways to use a technology is what fascinates him the most. Recognizing in himself an engineer by nature, Aurelijus believes that a balance between people and technology is often the answer to most problems.
If you work in web development or web security, you should not miss this session!