JS Suicide: Using Javascript's security features to kill itself

BlackHat Asia 2014, Singapore.

JavaScript today is present on almost every website on the Internet. The security community is actively researching better security features for JavaScript every day. Unfortunately, many of these security features are a double-edged sword. In this presentation, we will show how an attacker can maliciously use some of JavaScript's security features to kill other security features in any website. More specifically, we will see how the sandboxing features of ECMAScript 5 can both make and break security in modern applications. We also take a few real-world examples, such as OWASP CSRFGuard, and use some of the major security features of JS to bypass the CSRF protection offered by this OWASP library in many different ways.

Ahamed Nafeez

March 28, 2014