DeepSec2016 Talk: The (In)Security or Sad State of Online Newspapers – Ashar Javed
Web sites are simple, one might think. The client requests a page, the server sends it, the layout is applied, and your article appears. This is a heavy simplification. It worked like this back in 1994. Modern web sites are much more complex, and complexity attracts curious minds. Usually that’s what gets you into trouble. Today a content management system assembles the web page of the 1990s from a lot of database queries and executable code, with parts pulled in from different servers. The ever changing Top 10 list of mistakes from the Open Web Application Security Project (OWASP) can show you the tip of the iceberg. Ashar Javed took a closer look at online newspapers, and he found some scary stuff.
The goal of his talk is to raise awareness about the (in)securities of online newspapers. Ashar Javed hopes that their publishers will consider this a warning signal. The big players in the media industry (e.g. the Guardian, Forbes, SC Magazine, the Daily Mail and The Times of India) are vulnerable to simple XSS vulnerabilities. He will share some real experiences of dealing with the developers of the publishing industry’s most popular CMS. The presentation consists of responsible and irresponsible disclosures, says Ashar, but the latter are more fun.
Don’t take XSS (Cross Site Scripting) lightly. It can be avoided, and it definitely is a security bug, no matter how big the impact is in a particular case. XSS allows anyone to place executable code on your site, in the browsers of your readers (and it doesn’t have to be assembly to do some damage). We recommend Ashar’s talk for anyone designing, implementing, or owning web pages. Mind you, owning, not 0wning!
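The fix the paragraph alludes to is contextual output encoding: anything a reader or editor typed is converted to entities before it lands in HTML, so the browser shows it as text instead of executing it. The snippet below is an added illustration written for this post, not code from Ashar’s talk or from any newspaper CMS. The comment-rendering functions and the `escapeHtml` helper are constructed for the example; the characters it escapes are the same ones the bio at the end of this post lists, and the sample input is the poster payload quoted there. The encoding shown is correct for text placed in an HTML body or a quoted attribute; data placed inside a script block, a URL, or a CSS value needs its own, different encoding.

```javascript
// Added example, not from the talk or the DeepSec post: HTML entity encoding
// for untrusted text that a CMS inserts into an HTML body or quoted attribute.
// Each character that can change the meaning of HTML is replaced by an entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
  "`": "&#x60;",
};

// Escape every HTML-significant character in a string (constructed helper).
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed comment rendering, the kind of template a newspaper CMS runs
// for reader comments. The unsafe version interpolates raw input into markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// The hardened version encodes both fields, so the browser treats them as text.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// A check a test suite can apply: count opening tags in the rendered fragment.
// The template itself contributes exactly two (<div> and <b>); any extra tag
// came from untrusted input and means the encoding was skipped somewhere.
function openingTagCount(fragment) {
  return (fragment.match(/<[a-zA-Z]/g) || []).length;
}

// The payload from the poster quoted in this post, used as the sample input.
const POSTER_PAYLOAD =
  `"><img src=x onerror=confirm('one-good-xss-in-terms-of-money-per-month')>`;

// Render the same input both ways and report whether the safe path held.
function demo() {
  const unsafe = renderCommentUnsafe("reader", POSTER_PAYLOAD);
  const safe = renderCommentSafe("reader", POSTER_PAYLOAD);
  return {
    unsafeTags: openingTagCount(unsafe), // 3: the <img> got through
    safeTags: openingTagCount(safe),     // 2: only the template's own tags
    safeFragment: safe,
  };
}
```

Run `demo()` under Node to see both renderings side by side. Note that `openingTagCount` is only a regression check for a template whose tag count is known; it is not a substitute for encoding, and encoding is not a substitute for a Content Security Policy on top.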
Dr.-Ing Ashar Javed lives and breathes XSS, and he spends his days and nights “CONFIRM-ing(1)”. His favorite characters on the German keyboard are ', ", <, > and /, while, at the same time, he knows how, when and where to use &, %, ` and \. He gets his monthly salary from Hyundai & Kia, working from 8:30 AM to 5:30 PM. In his spare time he tries to earn rewards of an equivalent amount in the form of bug bounties (sounds challenging), though his two kids and wife always have other plans for him. That’s why he has a poster in his room with a payload, "><img src=x onerror=confirm('one-good-xss-in-terms-of-money-per-month')>, that serves him as a daily reminder of his goal.