Billy Hoffman: Analysis of Web Application Worms and Viruses

Published: June 4, 2006, 11:10 p.m.

Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple HTTP daemons. With the near ubiquity of W3C-compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.

This presentation will analyze the scope of these new threats. First we will examine how web worms and viruses operate, focusing specifically on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Santy worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what they tell us about their authors' sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.

Participants should have a good understanding of the different HTTP methods, JavaScript, DOM manipulation and security, and Perl, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio, and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.