I’m speaking at the Security Geeks meeting in Baltimore. I will describe two of the most important web application security concerns today: cross-site scripting (XSS) and SQL injection. We’ll look at the common 3-tier architecture and the fundamentals of HTTP to understand how these two attacks work against many of today’s common platforms (J2EE, .NET, etc.). We’ll explore both attacks in detail, including examples of tools that help attackers (and legitimate testers) bypass client-side security checks and attack the underlying application. You’ll come away with an in-depth understanding of how these two attacks work and how you can test for them in your own apps.
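To make the central point of the abstract concrete, here is an added example (not code from the talk or from Cigital) of the two attacks it covers. It assumes a small login form backed by an in-memory SQLite table `users`, a browser-side validator that the attacker can skip by sending the HTTP request body directly, and constructed SQL injection and XSS payloads; the table, function names and request bodies are all illustrative.

```python
import html
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def client_side_check(name):
    """Stand-in for a browser-side JavaScript validator (letters only, at most
    8 characters). It runs in the attacker's browser, so the attacker can
    disable it, or bypass it entirely by sending the HTTP request directly."""
    return name.isalpha() and len(name) <= 8


def parse_form(body):
    """What the server actually receives: a URL-encoded POST body. Nothing in
    the body proves the client-side check ever ran."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: the 'before' version.
    The input is interpreted as SQL, so a quote plus a comment marker
    closes the name literal and discards the password clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, never parses them."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def greeting_vulnerable(name):
    """Reflects the parameter into the HTML response unchanged: reflected XSS."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """HTML-encodes the parameter before reflecting it into the page."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# Constructed attacker request bodies. The client-side check would reject
# both names, but the attacker never runs it.
SQLI_BODY = "name=alice%27+--&password=wrong"          # name = "alice' --"
XSS_BODY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password="


def demo():
    """Runs both payloads against the vulnerable and hardened handlers."""
    conn = make_db()
    sqli = parse_form(SQLI_BODY)
    xss = parse_form(XSS_BODY)
    return {
        "sqli_rejected_client_side": not client_side_check(sqli["name"]),
        "sqli_bypasses_vulnerable_login": login_vulnerable(conn, sqli["name"], sqli["password"]),
        "sqli_fails_against_safe_login": not login_safe(conn, sqli["name"], sqli["password"]),
        "valid_login_still_works": login_safe(conn, "alice", "s3cret"),
        "xss_reflected_unescaped": "<script>" in greeting_vulnerable(xss["name"]),
        "xss_neutralised": "<script>" not in greeting_safe(xss["name"]),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(check, passed)
```

The two fixes are deliberately on the server: binding parameters instead of concatenating SQL, and encoding output for the context it lands in. Client-side validation is useful for usability, but since the attacker controls the client, it must never be the only check.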
BIO: I’m a Technical Manager with Cigital, Inc. and have 12 years of experience in operating system and software security. I have focused on the security of embedded systems (lottery systems, cell phones, casino gaming devices, smart cards) and software security policy. I have conducted or led security analyses of several major domestic and international lottery deployments and have analyzed casino gaming devices for reliability and security issues. I have testified on electronic voting security at the request of the legislature of the Commonwealth of Virginia. As a trusted advisor, I have served as a subject matter expert to MasterCard International on point-of-sale terminal security policy.