Interview with Shreeraj Shah at HITB2012KUL

Shreeraj Shah (B.E., MSCS, MBA, CSSLP) is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA, etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted on BBC, DarkReading and Bank Technology as an expert.

Blog of shreeraj –

Can you describe in short your company profile – BlueInfy?

We specialize in application security with a clear strategic focus. We provide products and services to evaluate and improve the overall security posture of enterprise applications, websites and software deployed worldwide. We continually strive to ensure complete security of our clients’ applications and software assets, and to achieve this through state-of-the-art know-how built by enhancing methodologies, evolving tools and researching technologies. Key facts about the company –

* Thousands of applications and millions of lines of code analyzed and assessed
* Customers include Fortune 100 companies
* Providing services in USA, Asia-Pacific, Middle-East and Europe
* Proprietary tools and methodologies
* Delivering cutting edge technologies and tools for assessment of Web 2.0 and HTML5 applications
* Web Hacking and Secure Coding Trainings conducted and appreciated worldwide
* Strong knowledge base shared in the form of popular books and articles published in leading journals and magazines
* Papers presented at RSA, BlackHat, OWASP, HackInTheBox, Infosec World, Syscan, AusCert, OSCON, EUSecWest, etc.
* Research quoted on BBC, DarkReading, MIT Technology Review, Security Week, Bank Technology, etc.
* Years of team experience in the area of Penetration testing, on-demand scanning and source code reviews for web applications and software

Can you tell our readers a little about silent exploits and stealth attacks?

HTML5 is an emerging stack for next generation applications. HTML5 is enhancing browser capabilities and is able to execute Rich Internet Applications in the context of modern browser architecture. Interestingly, HTML5 can run on mobile devices as well, and that makes it even more complicated. HTML5 is not a single technology stack but a combination of various components like XMLHttpRequest (XHR), Document Object Model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/browser rendering. It brings several new technologies to the browser which were not seen before, like localStorage, WebSQL, WebSocket, Web Workers, enhanced XHR and DOM-based XPath, to name a few. It has enhanced the attack surface and the points of exploitation for attackers and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits; it is hard to detect and easy to compromise.

Would you like to share your latest research or any discovery?

Each evolution has its own security impact, and attackers get new opportunities to craft exploits. HTML5 is also bringing new threats to the horizon and it is time to take them seriously. HTML5 is adding new technologies and opening possible abuse scenarios. HTML5 has several new components like XHR-Level2, DOM, Storage, App Cache, WebSQL etc. All these components make up the underlying backbone for HTML5 applications and by nature they look very silent. It allows crafting stealth attack vectors and adds risk to the end client. Here is a list of top 10 attack vectors. Structured layers as mentioned in the above section provide more clarity on a possible enhanced attack surface. This exposes browser components of an application to a set of possible threats which can be exploited. Listed below are possible top 10 threats where new HTML5 features, along with emerging software development patterns, have significant impact.

* A1 – CORS Attacks & CSRF
* A2 – ClickJacking, CORJacking and UI exploits
* A3 – XSS with HTML5 tags, attributes and events
* A4 – Web Storage and DOM information extraction
* A5 – SQLi & Blind Enumeration
* A6 – Web Messaging and Web Workers injections
* A7 – DOM based XSS with HTML5 & Messaging
* A8 – Third party/Offline HTML Widgets and Gadgets
* A9 – Web Sockets and Attacks
* A10 – Protocol/Schema/APIs attacks with HTML5

How would you describe the web application threats/risks in Indian cyber space?

Cyber space has no boundary as such, and in that respect I would not see India as a different set from the rest of the world as far as the technology set is concerned. Yes, the motive behind an attack agent may have different perspectives.

Why are web Applications a bigger security risk?

Yes, indeed. All critical activities, from banking to running electrical power, run on the Internet, and web applications are the core behind it. Web application attacks are on the rise and stable. They are going to stay here forever. Web applications are not going to die, and attackers will keep finding loopholes and opportunities. Web applications are poorly written in some cases, and that allows abuse scenarios and an easy-to-exploit position. SQL Injection, XSS, CSRF etc. are not going away and will stay for a duration to come.

Can you tell us about any new web application attacks?

As mentioned in question 3, there is a set of new attacks coming up. They encompass the Web 2.0 and HTML5 stack primarily.

By Kai Farmer