by Krishna Chaitanya T (@novogeek) on Tuesday, February 7, 2012

+7
Vote on this proposal
Status: Submitted
Section
Default

Session type
Lecture

Technical level
Intermediate

Media

Objective

The objective of this talk is to explain how insecure client side communications can be and the care one should take to securely integrate third party content.

Description

Mashups, a breed of modern web applications, often integrate content from different origins on the client side and provide rich interactivity. The aggregated content can be in the form of widgets, social plugins, advertisements etc. A mashup built just by embedding third party JavaScript files is inherently insecure as its security boils down to 'trust' on the script provider.

Building secure web mashups involves several challenges like keeping same origin policy, navigation policies of browsers in mind, assuring confidentiality, authentication, reliability, script isolation etc. Also, when sufficient care is not taken, attackers can eavesdrop inter-party communication via framing attacks, deceive via UI-redress attacks etc. This talk tries to cover these challenges and explain secure coding practices for building web mashups.

Requirements

Decent knowledge of JavaScript. Experience of building mashups will help understand the talk better.

Speaker bio

I'm a web guy working at a reputed security research lab at Hyderabad. I blog on my little tech experiments, present regularly at Microsoft's online & offline technical community events on web development. I'm a Microsoft MVP for ASP.NET (2010) and Internet Explorer (2011). More info on my blog.