JSONP
Security Consideration
@ME
 Malware Analyst
 badboy16a@gmail.com
 @_badbot
JSONP?
 JSON-with-padding
 JSON-P
 JSON++
WEB PAGE
 HTML
 CSS
 Resources
 Image
 Audio
 Video
 Flash
 …
 JavaScript
SOP
 Same-Origin Policy
 Protects a document against interference from other domains.
 Not applied to JavaScript, images, … included cross-origin
 Such cross-origin loads are GET only
JSON
 JavaScript Object Notation
 Data-interchange format
 For humans
 For machines
 Fetching JSON cross-origin is restricted by SOP
{key1 : value, key2: [x,y,z], key3 : "String" }
JSONP
 SOP workaround for JSON data
 Works in browsers not supporting CORS
 JSON data wrapped in JavaScript
JSONP
 Provider Domain
 Owner of data
 Consumer Domain
 Owner of document
JSONP
<script>
// The callback must exist before the provider's script loads: a classic
// <script src> runs as soon as it is fetched, so define foo first.
function foo(data) {
  console.log("value=" + data.key);
}
</script>
<script type="text/javascript" src="http://api.example.com/jsonp?callback=foo"></script>
GET /jsonp?callback=foo HTTP/1.1
Host: api.example.com

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/javascript
Content-Length: 22

foo({"key": "value"});
DYNAMIC (AJAX) JSONP
 Create appropriate <script> elements
 Add to body
 Remove after processing
 jQuery implements as helper function
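The lifecycle above as an added example (not code from the slides, and not jQuery's helper): a minimal dynamic JSONP consumer. The document, global object and timer functions are passed in as an `env` parameter (an assumption of this example) so the script lifecycle can be exercised outside a browser; `fakeDocument` and `answeringProvider` are constructed stand-ins for the browser and the provider.

```javascript
'use strict';

let requestCounter = 0;

// In a page: jsonp(url, { doc: document, global: window }, (err, data) => ...).
function jsonp(url, env, done) {
  const { doc, global, timeoutMs = 10000,
          setTimer = setTimeout, clearTimer = clearTimeout } = env;
  // One unique global name per request so concurrent calls cannot collide.
  const name = 'jsonp_cb' + Date.now().toString(36) + '_' + (requestCounter++);
  const script = doc.createElement('script');
  let finished = false;

  // "Remove after processing": drop the global and the <script> element as
  // soon as the provider has answered or failed, so a late response cannot run.
  function finish(err, data) {
    if (finished) return;
    finished = true;
    clearTimer(timer);
    delete global[name];
    if (script.parentNode) script.parentNode.removeChild(script);
    done(err, data);
  }
  const timer = setTimer(() => finish(new Error('JSONP timeout: ' + url)), timeoutMs);

  global[name] = (data) => finish(null, data);
  script.onerror = () => finish(new Error('JSONP script failed: ' + url));
  // JSONP is GET only: the callback name travels as a query parameter, and
  // whatever the provider returns is executed as a script in this origin.
  script.src = url + (url.includes('?') ? '&' : '?') +
               'callback=' + encodeURIComponent(name);
  doc.body.appendChild(script);
  return name;
}

// Constructed stand-in for a browser document. Appending a <script> "loads"
// it at once: the responder plays the provider and calls the padded callback,
// which is exactly what the browser does when it executes foo({...}).
function fakeDocument(global, responder) {
  const body = {
    children: [],
    appendChild(el) { el.parentNode = body; body.children.push(el); responder(el, global); },
    removeChild(el) { body.children.splice(body.children.indexOf(el), 1); el.parentNode = null; },
  };
  return { body, createElement: () => ({ parentNode: null, src: '', onerror: null }) };
}

// Constructed provider: answers callback({key: "value"}) for any callback name.
function answeringProvider(el, global) {
  const cb = new URL(el.src).searchParams.get('callback');
  global[cb]({ key: 'value' });
}
```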
JSONP
 Only a convention
 Not a standard
 Padding can be anything
 Convention: a function call
 Limited to GET requests only
 The caller controls the first few bytes of every response (the callback name)
JSONP::XSS
 Also called self-inflicted XSS
 Provider can return anything
 What about the response below?
 Ultimate trust in the provider.
HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/javascript
Content-Length: 16
foo({key: value}); (function(){…evil code…})();
JSONP::CONTENT SNIFFING
HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/javascript
Content-Length: 100
<script>…evil javascript code…</script>
JSONP::CONTENT SNIFFING
 Browsers may ignore Content-Type
 In specific scenarios
 They infer the content type from the data
 Use X-Content-Type-Options: nosniff
JSONP::CSRF
 Easy target for CSRF
 CSRF token can be sniffed
JSONP::FLASH INJECTION
 Flash may ignore Content-Type if the provided data is a valid Flash file
 Can bypass X-Content-Type-Options: nosniff
 Can talk to the originating domain
 Validate the callback name
JSONP::ROSETTA FLASH EXPLOIT
 Developed by Michele Spagnuolo from Google
 Converts any Flash file into a valid alphanumeric Flash file.
 Evades callback validation
 Many high-profile domains were vulnerable
 accounts.google.com
 maps.google.com
 YouTube
 Twitter
 Flickr
 …
 More: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
CONCLUSION
 Hard to protect against CSRF
 Hard to authenticate users
 Mostly attacked in conjunction with Flash
 Validate the callback parameter
 Create a sandbox domain for the JSONP API
 An empty JavaScript comment breaks Flash injection
 /**/
 Use CORS whenever possible.
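The provider-side conclusions (validate the callback, lead with an empty comment, disable content sniffing, serve only public data) as an added example that is not from the slides: a JSONP response builder for Node.js. The function names, the `{status, headers, body}` shape and the 64-character callback cap are assumptions of this example; the allowed character set follows speaker note 8.

```javascript
'use strict';

// Speaker note 8: a callback may contain only letters, digits, '.' and '_',
// here as a dotted identifier path (e.g. "window.app.onData"). The length
// cap is this example's assumption: a Rosetta Flash payload is far longer
// than any real callback name.
const CALLBACK_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

function isSafeCallback(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_RE.test(name);
}

// JSONP::XSS: the data never becomes code because only JSON.stringify
// writes it. U+2028/U+2029 are line terminators in older JS engines, so
// escape them as well.
function serialise(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Returns a plain {status, headers, body} object so it can be unit-tested
// without a socket. `data` must be public: a JSONP response is readable by
// every origin, so anything session-bound (JSONP::CSRF: the CSRF token)
// must never be served this way.
function buildJsonpResponse(callback, data) {
  if (!isSafeCallback(callback)) {
    // Refuse rather than "repair" the name: an attacker-chosen prefix is
    // exactly what Flash injection relies on.
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8',
                 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  // '/**/' is a no-op for JavaScript, but it guarantees the first bytes are
  // never 'CWS'/'FWS', so Flash will not treat the response as a SWF file.
  const body = '/**/' + callback + '(' + serialise(data) + ');';
  return {
    status: 200,
    headers: {
      // Declare a JavaScript type and forbid sniffing; with nosniff the
      // browser also refuses to run a <script> whose type is not JavaScript.
      'Content-Type': 'text/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
      'Content-Length': String(Buffer.byteLength(body, 'utf8')),
    },
    body,
  };
}
```

To wire it to a real server, take `r = buildJsonpResponse(query.callback, data)` and call `res.writeHead(r.status, r.headers); res.end(r.body)`.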
THANK YOU

Jsonp null-meet-02-2015

Editor's notes

  1. References:
     http://en.wikipedia.org/wiki/JSONP
     http://quaxio.com/jsonp_handcrafted_flash_files/
     https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
     https://molnarg.github.io/ascii-flash/
  2. Proposed in December 2005.
  3. On the client/browser: HTML: content/structure; CSS: layout/representation; JavaScript: logic, manipulation.
  4. As a static tag on the page.
  5. Padding: assignment, logic, …
  6. Will this work? Might with IE, Chrome.
  7. Will this work? Might with IE, Chrome.
  8. Validate for alpha, num, . & _. Flash contains other data.
  9. Vulnerable as of July 2014.