As usual, whenever Tra Da Hacking comes around, VSEC's security engineers prepare some hot topics for presentation. This time, VSEC's representative brought to Tra Da Hacking 7 a highly engaging presentation and joined the discussion on ways to strengthen network security in Vietnam.

Tra Da Hacking is a regular technical security seminar organized several times a year to promote the learning and research of information security. Following the success of Tra Da Hacking 6, Tra Da Hacking 7 returned spectacularly, held in Sai Gon with a focus on security issues in the Era 4.0.

The overview of Tra Da Hacking 7 (Source: Vozforum)

Nearly 100 guests and attendees took part, including top security experts from FPT IS, Viettel, PWC, VNG and others. The main topics of the workshop were Active Directory attack techniques; attacks on modern domain names; combined Java deserialization and EL injection attacks in practice; security issues in smart contracts; and dynamic diagnostics for malicious code in Ethereum smart contracts. VSEC's security engineer, Mr. Pham Van Dien, presented Cross-Communication Security Issues.

VSEC's representative presented Cross-Communication Security Issues (Source: Vozforum)

Nowadays, web applications such as web services and web APIs, from which other applications retrieve information to display to the user, are growing rapidly. This cross-communication between web applications brings its own security issues, and the talk covered some of the basic ones.

The topic of VSEC was ebulliently discussed (Source: Vozforum)

According to the speaker's research, there are three common types of vulnerability:

  1. Cross Origin Resource Sharing (CORS) Misconfiguration
    When CORS is implemented improperly on the server side and any website is allowed to read the response data without the origin being validated, sensitive information can leak, or an attacker can even take over a victim's account by tricking the user into visiting an attacker-controlled website that triggers the exploit via JavaScript code. This vulnerability can also be used for cache poisoning.
  2. JSON-P (JSON with padding)
    This is similar to the CORS scenario: it takes advantage of the script tag to request data from a server residing in a different domain. JSON-P can likewise be used to leak sensitive information or take over accounts.
  3. PostMessage
    With the postMessage method, different windows, iframes, or a web page and its embedded iframe can communicate with each other. There are two common attack types, DOM-based XSS and sensitive information leakage, caused by the receiver not properly validating the sender's origin, or by the target origin being set to the wildcard, before the message is processed. An attacker can use this to steal cookies or leak information.
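The common thread in the CORS and postMessage items above is origin validation on both ends of the channel. The following is an added example (not code from the talk or from VSEC) that shows the defensive pattern for each: a server-side decision on CORS headers that only reflects an allowlisted origin, and a receiving-window message handler that checks `event.origin` and treats the payload as text. The allowlist, the `{ text: ... }` message shape and the function names are assumptions made for illustration.

```javascript
// Added example, not from the original post. Allowlist and message shape are assumed.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// CORS: decide response headers from the request's Origin header.
// The weak pattern is reflecting any Origin (or "*") together with
// Access-Control-Allow-Credentials: true, which lets any site read the
// authenticated response. Here an unknown origin gets no CORS headers at all.
function corsHeadersFor(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Response differs per Origin, so caches must key on it; otherwise a
    // response built for one origin could be served to another.
    'Vary': 'Origin',
  };
}

// postMessage receiver: check event.origin before touching event.data and
// never hand the payload to innerHTML or eval. Returns the text to display,
// or null when the message is rejected.
function handleCrossWindowMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return null; // message from an untrusted window: ignore it
  }
  if (typeof event.data !== 'object' || event.data === null) {
    return null; // reject bare strings and other unexpected shapes
  }
  if (typeof event.data.text !== 'string') {
    return null;
  }
  // Caller assigns the result with element.textContent, not innerHTML.
  return event.data.text;
}

// postMessage sender: name the target origin explicitly instead of '*', so
// the browser drops the message if the frame has navigated elsewhere.
function sendToFrame(frameWindow, payload) {
  frameWindow.postMessage(payload, 'https://app.example.com');
}
```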

Attendees raised questions to the presenter (Source: Vozforum)

Tra Da Hacking 7 ended well: most questions were answered and the best solutions to current security issues were found. We look forward to the next technical seminars attracting even more attention from the community and extending their influence. VSEC will certainly continue to accompany Tra Da Hacking!
