BSides Boston 2016 has ended
Saturday, May 21 • 2:00pm - 2:45pm
Advanced XSS and Injection Attacks
Many developers are becoming increasingly familiar with the OWASP Top 10 Web Application Security Risks and other OWASP projects such as the OWASP Proactive Controls. However, in today's world of advanced client-side JavaScript frameworks, Single Page Applications and multi-tiered RESTful backends, the common vulnerabilities that the OWASP Top 10 highlights are not as easy to find and exploit as they used to be. While these newer frameworks do a great job of increasing the security of the application, they also have their own caveats, and in the real world, where it takes time to refactor existing applications, new vulnerabilities can be introduced. In this presentation we take a look at advanced forms of Cross-Site Scripting (XSS) in the AngularJS framework through improper usage of the AngularJS templating language, and at injection attacks through the Hibernate Query Language (HQL), including breaking the HQL lexer to run arbitrary SQL commands. We also present methods of auditing applications for these issues and preventing these vulnerabilities.

Speakers
David Bressler

David Bressler is a Managing Consultant at GuidePoint Security within the Application Security Team. He has more than 8 years of broad-based experience managing application penetration testing, source code review, architecture review, network penetration testing, digital and physical...
Casey Dunham

Casey Dunham is a Security Consultant at GuidePoint Security with 10 years of experience as a full stack software developer in various industries, managing development projects and building DevOps and Security initiatives into the Software Development Lifecycle. Before joining GuidePoint...


Saturday May 21, 2016 2:00pm - 2:45pm
NERD 1 Memorial Dr
  • Room Paul