Black Hat Briefings, Usa 2007 [audio] Presentations From The Security Conference.

Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-actor authentication can protect websites from attack. One quote from a member of the community summed it way: ""The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the ""I'll just browse without JavaScript"" mantra. Could you really call that browsing anyway?"" -Kryan That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still