Browser Based Defenses

DEF CON 18

Presented by: James Shewmaker
Date: Sunday August 01, 2010
Time: 10:00 - 10:50
Location: Royale 5
Track: Track 3

All significant modern applications are ported to the web. Even with custom applications, there is at least one web-based component. Web applications are partially dependent on web clients and are continuously part of the security equation. These issues manifest in ways that make the user vulnerable. For example, privacy vulnerabilities are demonstrated with the EFF's Panopticlick browser fingerprinting project. Whether the weakness is privacy exposure, a client exploit, or a server exploit, an empowered browser can provide a reasonable defense.

This presentation will review three typical vulnerability classes and selected defenses: Privacy, Client-side, and Server-side. The goal of this new tool is to shorten the vulnerability window to six days. The finale during the talk will demonstrate how to poison your browser's DOM for anonymity.

James Shewmaker

James Shewmaker has over 15 years' experience in IT, primarily developing appliances for automation and security for broadcast radio, internet, and satellite devices. He is a SANS certified instructor and is one of the first certified GSE-Malware experts. He graduated with a BS in Computer Science from the University of Idaho. James is a founder and active consultant for Bluenotch Corporation, which focuses on investigations, penetration testing, and analysis. He develops custom automation for broadcast radio, Internet, and satellite devices incorporating watermarking and steganographic techniques. James also contributes to the FreeBSD project and is a port maintainer. He presents at various security and IT conferences and is actively involved in the COINS program of the SANS Institute. In 2009, Shewmaker's focus was on the Netwars project, building and operating this contribution to the US Cyber Challenge. Currently, his research focus is client-side active defenses, including a new browser tool called x06d.

