Billy Hoffman will deliver a session at the upcoming AJAXWorld Conference & Expo, October 2-4, 2006, in Santa Clara, California, on the hot topic of AJAX and Security. His session is entitled "How to Prevent Security Vulnerabilites in AJAX."

AJAX can mean different things to different people. To a user, AJAX means smooth Web applications like Google Maps or Outlook Web Access. To a developer, AJAX provides methods to enrich a user's experience with a Web application by reducing latency and offloading complex tasks on the client. To an information architect, AJAX means fundamentally changing the design of Web applications so they span both client and server. To the security professional, AJAX makes life difficult by increasing the attack surface of Web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, AJAX makes the job of securing web applications that much harder. This presentation will comprehensively discuss the fundamental security issues of AJAX. These include browser/server interact issues, application design issues, vulnerabilities in work-arounds like AJAX bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically we will examine the different attack methodologies used against AJAX applications, how AJAX increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit 3rd party sites, and more . Finally we discuss how to properly design an AJAX application to avoid these security issues and demonstrate methods to secure existing applications.

Speaker Bio: Billy Hoffman is a lead security researcher for SPI Dynamics (www.spidynamics.com). At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, The 5th Hope, and several other conferences. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included reverse engineering law and techniques, ATMs, XM Radio and magstripe projects. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects and writes articles under the handle Acidus.