Confidence

Mario Heiderich

Title: I thought you were my friend. Malicious markup, browser issues and other obscurities

Bio:
I am Mario Heiderich, Cologne-based CTO of an online enterprise based in Cologne and New York. I have been a visitor and speaker at several OWASP conferences, maintain the PHPIDS and other security-related projects, and recently authored a German book on web security together with Christian Matthies, fukami and Johannes Dahse. I am currently into browser security and digging into the HTML5 specifications.

Abstract:
The talk will cover a short exegesis of how and where browser vendors talk about security - and what can be seen from a security professional's perspective. The ratio between the growth of new browser technologies and the amount of time developers have to learn to work with them could turn out to be a problem - especially knowing that today's browsers support a vast amount of lost treasures, amongst them various XML quirks, data islands, SVG fonts, etc., which make it hard to protect rich web applications. Surprising but true: several of the most recent in-the-wild browser exploits were possible due to such legacy features, like the IE6-8 code execution flaw. Reason enough to dive into a collection of weird techniques and standards exposing attack vectors and scenarios that WAF systems and filters might have some trouble with. The talk also shows some issues regarding IE8 and Opera 10 - as well as current Firefox versions. The conclusion of the talk features an overview of what we can expect during the next months, and ways for developers and related parties to deal with those security risks.

The talk right now covers about 50 slides - but will probably grow during the next weeks to be as current as possible. I am currently translating the talk from German to English. I will send you a draft as soon as I am done, if you are interested.