
Published on June 2nd, 2012 📆 | 5965 Views ⚑


Web Pen Testing HTML 5 Web Storage using JSON Injection


Author: Jeremy Druin
Twitter: @webpwnized
Description: Recorded at the 2012 AIDE conference, this video covers a presentation given by Jeremy Druin, a professional web application and network pen-tester. The topic is pen-testing HTML5 web storage, a client-side storage technology available in HTML5-aware browsers. Web storage is discussed from two perspectives: altering your own web storage and altering the web storage of a remote user.

Additionally, JSON injection is reviewed to show how cross-site scripts can be injected in unconventional ways. A cross-site script is injected in the middle of a JSON response in order to get the script to execute when the JSON is parsed by the browser.
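The root cause behind the JSON injection described above is a server that builds its JSON response by concatenating untrusted text, combined with a client that turns the response into objects with an eval()-style parser. The following added example (not code from the talk or from Mutillidae) shows the vulnerable builder next to its hardened form and uses JSON.parse on the client, which only ever yields data; the username value is a constructed sample.

```javascript
// Vulnerable pattern: the server glues untrusted text straight into a JSON
// template. A quote in the input closes the string, and anything after it
// becomes real JSON structure (or, with an eval()-based parser, real code).
function buildUnsafeJson(username) {
  return '{"user":"' + username + '","role":"viewer"}';
}

// Hardened pattern: JSON.stringify escapes quotes, backslashes and control
// characters, so the value cannot close its string or add new keys.
function buildSafeJson(username) {
  return JSON.stringify({ user: username, role: "viewer" });
}

// Client side: JSON.parse produces data and nothing else. An eval()-based
// parser would execute any JavaScript that survived inside the response,
// which is what lets injected script run "when the JSON is parsed".
function parseResponse(body) {
  return JSON.parse(body);
}

// Constructed sample: a username that tries to close the string and smuggle
// an extra key into the response (no script, just a structure change).
const hostileName = 'alice","isAdmin":true,"x":"';

function demo() {
  const fromUnsafe = parseResponse(buildUnsafeJson(hostileName));
  const fromSafe = parseResponse(buildSafeJson(hostileName));
  return {
    // Unsafe builder: the smuggled key is now a real property.
    unsafeIsAdmin: fromUnsafe.isAdmin,           // true
    // Safe builder: the whole input stays one opaque string value.
    safeIsAdmin: fromSafe.isAdmin,               // undefined
    safeUserIntact: fromSafe.user === hostileName // true
  };
}

console.log(demo());
```

Detection-wise, a response whose serialised form parses back to more keys than the template defines is the signal to look for; a correct serialiser never changes the key set, whatever the input contains.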

The web application used in the demonstration is Mutillidae, a deliberately vulnerable app designed to act as a realistic target for practicing web pen testing. Mutillidae comes pre-installed on Metasploitable 2 and Samurai Web Testing Framework 0.99. Mutillidae can additionally be installed on Windows or Linux using XAMPP.





The speaker is Jeremy Druin (@webpwnized); the talk was recorded by Adrian Crenshaw (@irongeek_adc). Thank you for watching. Please support this channel. Up vote, subscribe or even donate by clicking "Support" at https://www.youtube.com/user/webpwnized!

The webpwnized YouTube channel is dedicated to information security, security testing and ethical hacking. There is an emphasis on web application security, but many other topics are covered. Some of these include forensics, network security, security testing tools and security testing processes. The channel provides videos to encourage software developers and system administrators to perform security testing. The channel also educates the next generation of security testers and bug bounty hunters who want to respectfully, legally and ethically help system owners that allow security testing.


2012-06-01 22:44:59
