SlideShare una empresa de Scribd logo

Prevent XSS Attacks in eXo Products

Descargar como PPT, PDF
Thuy_Dang
Thuy_Dang

Here is the presentation of Khoi- Portal team and VHa CPT team from eXo Platform SEA.

Noticias y políticaTecnología
1 de 24
XSS and eXo Products Portal & TQA teams Oct 2011
Agenda ,[object Object],[object Object],[object Object],[object Object]
Introduction to XSS
What is XSS? ,[object Object],[object Object],[object Object],[object Object]
How Does XSS Work? ,[object Object],[object Object],[object Object],[object Object]
How Does XSS Work? ,[object Object],[object Object],[object Object],[object Object]
XSS Sample Cases
XSS Cases Sample video
XSS types ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Impact of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Impact of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Impact of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Impact of XSS ,[object Object],[object Object],[object Object]
The Impact of XSS ,[object Object]
Preventing XSS attacks
Preventing XSS attacks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Preventing XSS attacks ,[object Object],[object Object],[object Object],[object Object]
XSS in eXo Products Examples of how to detect XSS vulnerabilities
Use case of Reflected XSS Package: WCM 2.2.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-1773 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
Use case of Stored XSS Package: Social 1.2.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/SOC-1532 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
Use case of DOM-based XSS Package: ECMS 2.3.x Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-2791 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
XSS exploit basing on logic vulnerability Package: PLF 3.5.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-2723 https://jira.exoplatform.org/browse/ECMS-2736 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more Question for listeners: what is the best solution for this situation?
References for audiences 1. Guideline of Secure coding standards http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1 2. EXOWiki security links EXO-RedHat Collaboration Study https://wiki-int.exoplatform.org/display/rhcollab/XSS TQA Security Test https://wiki-int.exoplatform.org/display/TQA/SECURITY Deployment & Configuration rules (ITOP)‏ https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
DISCUSSION

Recomendados

Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web ProxiesInMobi Technology
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 

Recomendados

Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web ProxiesInMobi Technology
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWARutvik patel
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
XSS
XSSXSS
XSSHrishikesh Mishra
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Beef saurabh
Beef saurabhBeef saurabh
Beef saurabhSaurav Chaudhary
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 
Coisas antigas 1
Coisas antigas 1Coisas antigas 1
Coisas antigas 1pr_afsalbergaria
 
Seasons Of Life
Seasons Of LifeSeasons Of Life
Seasons Of LifeAbhi Patel
 

Más contenido relacionado

La actualidad más candente

Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWARutvik patel
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 

La actualidad más candente (20)

Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgets
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
White paper screen
White paper screenWhite paper screen
White paper screen
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
XSS
XSSXSS
XSS
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developers
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Beef saurabh
Beef saurabhBeef saurabh
Beef saurabh
 
Xss attack
Xss attackXss attack
Xss attack
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 

Destacado

Seasons Of Life
Seasons Of LifeSeasons Of Life
Seasons Of LifeAbhi Patel
 
Deans workshop
Deans workshopDeans workshop
Deans workshopAlan Amory
 
La desicion mas dificil
La desicion mas dificilLa desicion mas dificil
La desicion mas dificilgabydq
 
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEA
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEAScala - By Luu Thanh Thuy CWI team from eXo Platform SEA
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEAThuy_Dang
 
Mcf presentation by Hai NGUYEN-Portal team
Mcf presentation by Hai NGUYEN-Portal teamMcf presentation by Hai NGUYEN-Portal team
Mcf presentation by Hai NGUYEN-Portal teamThuy_Dang
 
Ingles speaking
Ingles speakingIngles speaking
Ingles speakinggabydq
 
Catalog parts
Catalog partsCatalog parts
Catalog partsdesilvam
 
Dimensionamiento de conductor
Dimensionamiento de conductorDimensionamiento de conductor
Dimensionamiento de conductorRuben Ortiz
 
Cumple2011
Cumple2011Cumple2011
Cumple2011maclein1
 
Regular expression made by To Minh Hoang - Portal team
Regular expression made by To Minh Hoang - Portal teamRegular expression made by To Minh Hoang - Portal team
Regular expression made by To Minh Hoang - Portal teamThuy_Dang
 
Barber Library Website Usability Results, Fall 2012
Barber Library Website Usability Results, Fall 2012Barber Library Website Usability Results, Fall 2012
Barber Library Website Usability Results, Fall 2012desilvam
 
SEO presentation By Dang HA - ECM team
SEO presentation By Dang HA - ECM teamSEO presentation By Dang HA - ECM team
SEO presentation By Dang HA - ECM teamThuy_Dang
 
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC Team
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC TeamAOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC Team
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC TeamThuy_Dang
 
Seasons of life-Don't judge life in one season!
Seasons of life-Don't judge life in one season!Seasons of life-Don't judge life in one season!
Seasons of life-Don't judge life in one season!Abhi Patel
 

Destacado (20)

Coisas antigas 1
Coisas antigas 1Coisas antigas 1
Coisas antigas 1
 
Seasons Of Life
Seasons Of LifeSeasons Of Life
Seasons Of Life
 
Deans workshop
Deans workshopDeans workshop
Deans workshop
 
Cumple
CumpleCumple
Cumple
 
La desicion mas dificil
La desicion mas dificilLa desicion mas dificil
La desicion mas dificil
 
Jhonatanlopez
JhonatanlopezJhonatanlopez
Jhonatanlopez
 
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEA
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEAScala - By Luu Thanh Thuy CWI team from eXo Platform SEA
Scala - By Luu Thanh Thuy CWI team from eXo Platform SEA
 
Mcf presentation by Hai NGUYEN-Portal team
Mcf presentation by Hai NGUYEN-Portal teamMcf presentation by Hai NGUYEN-Portal team
Mcf presentation by Hai NGUYEN-Portal team
 
Jhonatanlopez
JhonatanlopezJhonatanlopez
Jhonatanlopez
 
Ingles speaking
Ingles speakingIngles speaking
Ingles speaking
 
Catalog parts
Catalog partsCatalog parts
Catalog parts
 
Dimensionamiento de conductor
Dimensionamiento de conductorDimensionamiento de conductor
Dimensionamiento de conductor
 
Cumple2011
Cumple2011Cumple2011
Cumple2011
 
Regular expression made by To Minh Hoang - Portal team
Regular expression made by To Minh Hoang - Portal teamRegular expression made by To Minh Hoang - Portal team
Regular expression made by To Minh Hoang - Portal team
 
Barber Library Website Usability Results, Fall 2012
Barber Library Website Usability Results, Fall 2012Barber Library Website Usability Results, Fall 2012
Barber Library Website Usability Results, Fall 2012
 
Expo dun and ross
Expo dun and rossExpo dun and ross
Expo dun and ross
 
SEO presentation By Dang HA - ECM team
SEO presentation By Dang HA - ECM teamSEO presentation By Dang HA - ECM team
SEO presentation By Dang HA - ECM team
 
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC Team
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC TeamAOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC Team
AOP-IOC made by Vi Quoc Hanh and Vu Cong Thanh in SC Team
 
20140426 wtm66
20140426 wtm6620140426 wtm66
20140426 wtm66
 
Seasons of life-Don't judge life in one season!
Seasons of life-Don't judge life in one season!Seasons of life-Don't judge life in one season!
Seasons of life-Don't judge life in one season!
 

Similar a Prevent XSS Attacks in eXo Products

Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 

Similar a Prevent XSS Attacks in eXo Products (20)

Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
4.Xss
4.Xss4.Xss
4.Xss
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Not only a XSS
Not only a XSSNot only a XSS
Not only a XSS
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 

Más de Thuy_Dang

MEET-BIS Vietnam TOR_ ES_2013
MEET-BIS Vietnam TOR_ ES_2013MEET-BIS Vietnam TOR_ ES_2013
MEET-BIS Vietnam TOR_ ES_2013Thuy_Dang
 
Shell scripting - By Vu Duy Tu from eXo Platform SEA
Shell scripting - By Vu Duy Tu from eXo Platform SEAShell scripting - By Vu Duy Tu from eXo Platform SEA
Shell scripting - By Vu Duy Tu from eXo Platform SEAThuy_Dang
 
Web accessibility developers by Bao AN - eXo SEA
Web accessibility developers by Bao AN - eXo SEAWeb accessibility developers by Bao AN - eXo SEA
Web accessibility developers by Bao AN - eXo SEAThuy_Dang
 
Secure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEASecure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEAThuy_Dang
 
Lotus Collaboration by Le Thanh Quang in CT
Lotus Collaboration by Le Thanh Quang in CT Lotus Collaboration by Le Thanh Quang in CT
Lotus Collaboration by Le Thanh Quang in CT Thuy_Dang
 
Os gi introduction made by Ly MInh Phuong-SOC team
Os gi introduction made by Ly MInh Phuong-SOC teamOs gi introduction made by Ly MInh Phuong-SOC team
Os gi introduction made by Ly MInh Phuong-SOC teamThuy_Dang
 
eXo Presentation: Bonita by Nguyen Anh Vu
eXo Presentation: Bonita by Nguyen Anh VueXo Presentation: Bonita by Nguyen Anh Vu
eXo Presentation: Bonita by Nguyen Anh VuThuy_Dang
 
Chromattic usage in eXo Social
Chromattic usage in eXo SocialChromattic usage in eXo Social
Chromattic usage in eXo SocialThuy_Dang
 

Más de Thuy_Dang (8)

MEET-BIS Vietnam TOR_ ES_2013
MEET-BIS Vietnam TOR_ ES_2013MEET-BIS Vietnam TOR_ ES_2013
MEET-BIS Vietnam TOR_ ES_2013
 
Shell scripting - By Vu Duy Tu from eXo Platform SEA
Shell scripting - By Vu Duy Tu from eXo Platform SEAShell scripting - By Vu Duy Tu from eXo Platform SEA
Shell scripting - By Vu Duy Tu from eXo Platform SEA
 
Web accessibility developers by Bao AN - eXo SEA
Web accessibility developers by Bao AN - eXo SEAWeb accessibility developers by Bao AN - eXo SEA
Web accessibility developers by Bao AN - eXo SEA
 
Secure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEASecure & authentication By Lai HIEU - eXo SEA
Secure & authentication By Lai HIEU - eXo SEA
 
Lotus Collaboration by Le Thanh Quang in CT
Lotus Collaboration by Le Thanh Quang in CT Lotus Collaboration by Le Thanh Quang in CT
Lotus Collaboration by Le Thanh Quang in CT
 
Os gi introduction made by Ly MInh Phuong-SOC team
Os gi introduction made by Ly MInh Phuong-SOC teamOs gi introduction made by Ly MInh Phuong-SOC team
Os gi introduction made by Ly MInh Phuong-SOC team
 
eXo Presentation: Bonita by Nguyen Anh Vu
eXo Presentation: Bonita by Nguyen Anh VueXo Presentation: Bonita by Nguyen Anh Vu
eXo Presentation: Bonita by Nguyen Anh Vu
 
Chromattic usage in eXo Social
Chromattic usage in eXo SocialChromattic usage in eXo Social
Chromattic usage in eXo Social
 

Último

Israel Palestine Conflict, The issue and historical context!
Israel Palestine Conflict, The issue and historical context!Israel Palestine Conflict, The issue and historical context!
Israel Palestine Conflict, The issue and historical context!Krish109503
 
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...Pooja Nehwal
 
Roberts Rules Cheat Sheet for LD4 Precinct Commiteemen
Roberts Rules Cheat Sheet for LD4 Precinct CommiteemenRoberts Rules Cheat Sheet for LD4 Precinct Commiteemen
Roberts Rules Cheat Sheet for LD4 Precinct Commiteemenkfjstone13
 
29042024_First India Newspaper Jaipur.pdf
29042024_First India Newspaper Jaipur.pdf29042024_First India Newspaper Jaipur.pdf
29042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptx
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptxKAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptx
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptxjohnandrewcarlos
 
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docxkfjstone13
 
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Axel Bruns
 
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...narsireddynannuri1
 
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptx
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptxLorenzo D'Emidio_Lavoro sullaNorth Korea .pptx
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptxlorenzodemidio01
 
How Europe Underdeveloped Africa_walter.pdf
How Europe Underdeveloped Africa_walter.pdfHow Europe Underdeveloped Africa_walter.pdf
How Europe Underdeveloped Africa_walter.pdfLorenzo Lemes
 
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...Muhammad Shamsaddin Megalommatis
 
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadership
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s LeadershipTDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadership
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadershipanjanibaddipudi1
 
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
30042024_First India Newspaper Jaipur.pdf
30042024_First India Newspaper Jaipur.pdf30042024_First India Newspaper Jaipur.pdf
30042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
Minto-Morley Reforms 1909 (constitution).pptx
Minto-Morley Reforms 1909 (constitution).pptxMinto-Morley Reforms 1909 (constitution).pptx
Minto-Morley Reforms 1909 (constitution).pptxAwaiskhalid96
 
Vashi Escorts, {Pooja 09892124323}, Vashi Call Girls
Vashi Escorts, {Pooja 09892124323}, Vashi Call GirlsVashi Escorts, {Pooja 09892124323}, Vashi Call Girls
Vashi Escorts, {Pooja 09892124323}, Vashi Call GirlsPooja Nehwal
 
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...Axel Bruns
 
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...Diya Sharma
 
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...Ismail Fahmi
 
Kishan Reddy Report To People (2019-24).pdf
Kishan Reddy Report To People (2019-24).pdfKishan Reddy Report To People (2019-24).pdf
Kishan Reddy Report To People (2019-24).pdfKISHAN REDDY OFFICE
 

Último (20)

Israel Palestine Conflict, The issue and historical context!
Israel Palestine Conflict, The issue and historical context!Israel Palestine Conflict, The issue and historical context!
Israel Palestine Conflict, The issue and historical context!
 
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...
Call Girls in Mira Road Mumbai ( Neha 09892124323 ) College Escorts Service i...
 
Roberts Rules Cheat Sheet for LD4 Precinct Commiteemen
Roberts Rules Cheat Sheet for LD4 Precinct CommiteemenRoberts Rules Cheat Sheet for LD4 Precinct Commiteemen
Roberts Rules Cheat Sheet for LD4 Precinct Commiteemen
 
29042024_First India Newspaper Jaipur.pdf
29042024_First India Newspaper Jaipur.pdf29042024_First India Newspaper Jaipur.pdf
29042024_First India Newspaper Jaipur.pdf
 
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptx
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptxKAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptx
KAHULUGAN AT KAHALAGAHAN NG GAWAING PANSIBIKO.pptx
 
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx
2024 04 03 AZ GOP LD4 Gen Meeting Minutes FINAL.docx
 
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
 
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...
Nurturing Families, Empowering Lives: TDP's Vision for Family Welfare in Andh...
 
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptx
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptxLorenzo D'Emidio_Lavoro sullaNorth Korea .pptx
Lorenzo D'Emidio_Lavoro sullaNorth Korea .pptx
 
How Europe Underdeveloped Africa_walter.pdf
How Europe Underdeveloped Africa_walter.pdfHow Europe Underdeveloped Africa_walter.pdf
How Europe Underdeveloped Africa_walter.pdf
 
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...
Beyond Afrocentrism: Prerequisites for Somalia to lead African de-colonizatio...
 
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadership
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s LeadershipTDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadership
TDP As the Party of Hope For AP Youth Under N Chandrababu Naidu’s Leadership
 
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Iffco Chowk Gurgaon >༒8448380779 Escort Service
 
30042024_First India Newspaper Jaipur.pdf
30042024_First India Newspaper Jaipur.pdf30042024_First India Newspaper Jaipur.pdf
30042024_First India Newspaper Jaipur.pdf
 
Minto-Morley Reforms 1909 (constitution).pptx
Minto-Morley Reforms 1909 (constitution).pptxMinto-Morley Reforms 1909 (constitution).pptx
Minto-Morley Reforms 1909 (constitution).pptx
 
Vashi Escorts, {Pooja 09892124323}, Vashi Call Girls
Vashi Escorts, {Pooja 09892124323}, Vashi Call GirlsVashi Escorts, {Pooja 09892124323}, Vashi Call Girls
Vashi Escorts, {Pooja 09892124323}, Vashi Call Girls
 
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...
AI as Research Assistant: Upscaling Content Analysis to Identify Patterns of ...
 
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...
₹5.5k {Cash Payment} Independent Greater Noida Call Girls In [Delhi INAYA] 🔝|...
 
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
 
Kishan Reddy Report To People (2019-24).pdf
Kishan Reddy Report To People (2019-24).pdfKishan Reddy Report To People (2019-24).pdf
Kishan Reddy Report To People (2019-24).pdf
 

Prevent XSS Attacks in eXo Products

  • 1. XSS and eXo Products Portal & TQA teams Oct 2011
  • 2.
  • 4.
  • 5.
  • 6.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 16.
  • 17.
  • 18. XSS in eXo Products Examples of how to detect XSS vulnerabilities
  • 19. Use case of Reflected XSS Package: WCM 2.2.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-1773 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
  • 20. Use case of Stored XSS Package: Social 1.2.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/SOC-1532 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
  • 21. Use case of DOM-based XSS Package: ECMS 2.3.x Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-2791 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more
  • 22. XSS exploit basing on logic vulnerability Package: PLF 3.5.0 Attack steps: See defect description in this link https://jira.exoplatform.org/browse/ECMS-2723 https://jira.exoplatform.org/browse/ECMS-2736 Browsers: Internet Explorer 7, Firefox 3 Consequence : session hijacking & more Question for listeners: what is the best solution for this situation?
  • 23. References for audiences 1. Guideline of Secure coding standards http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1 2. EXOWiki security links EXO-RedHat Collaboration Study https://wiki-int.exoplatform.org/display/rhcollab/XSS TQA Security Test https://wiki-int.exoplatform.org/display/TQA/SECURITY Deployment & Configuration rules (ITOP)‏ https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security