CONFERENCE MATERIALS HAVE BEEN UPLOADED
http://conference.hitb.org/hitbsecconf2009dubai/materials/
CONFERENCE PHOTOS HAVE BEEN RELEASED
http://photos.hackinthebox.org

Billy Rios (Security Engineer, Microsoft Corp)

Presentation Title: Biting the Hand that Feeds You (Reloaded)
Presentation Abstract:

Web application users on the web are protected by two sets of security mechanisms. The first is a trust relationship between the web browser and the web application. This relationship is typically established through sessions negotiated between the client and the server. These established sessions form the basis of the security model that is used to determine the access to sensitive data and administrative functionality. The second security mechanism is the protections offered by the browser. Web browsers base their security model on a set of criteria known as the same origin policy. The browser enforced same origin policy prevents content from one domain from interacting with other domains.

This talk will cover attacks that target this disparity between the security models used by web applications and the browsers that serve those web applications. Specifically, this talk will cover and demonstrate:

Content Ownership Attacks
Forced Logged in Attacks
Session Switching Attacks

About Billy

Billy Rios is currently a Security Engineer for Microsoft working for the Business Online Services Group. Prior to his current role, Billy was a penetration tester for both VeriSign and Ernst and Young. As a penetration tester, Billy was hired by numerous organizations within the Fortune 500 to assess the effectiveness of their organization’s security posture. Billy made his living by outsmarting security teams, bypassing security measures, and demonstrating the business risk of security exposures to executives and organizational decision makers.

Before his life as a penetration tester, Billy worked as an Information Assurance Analyst for the Defense Information Systems Agency (DISA). While at DISA, Billy helped protect Department of Defense (DoD) information systems by performing network intrusion detection, vulnerability analysis, incident handling, and formal incident reporting on security related events involving DoD information systems. Before attacking and defending information systems, Billy was an active duty Officer in the United States Marine Corps. Billy has spoken at numerous security conferences including: Blackhat briefings, Bluehat, RSA , Hack in the Box, and PACSEC.

Billy holds a Bachelors degree in Business Administration, Master of Science degree in Information Systems, and is currently pursuing his Master of Business Administration.