OWASP AppSec Asia 2008: Proxy Caches and Web Application Security


 

Tim Bass
10-03-2008 04:05 AM
Back to travelling a bit, I have accepted an invitation from Wayne Huang, Chapter Leader, OWASP Taiwan, to give the following presentation at OWASP AppSec Asia 2008, October 27 - 28, 2008, in Taipei:

Proxy Caches and Web Application Security
Abstract: Proxy caches, combined with poorly written session management code, can easily lead to serious Internet security breaches. Web application developers cannot know whether their content is consumed directly or via a proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. Consequently, proxy caches are a serious threat to web application security. In the presentation, we will discuss the recent security breach Tim found in Google Docs and review web application security and session management topics related to proxy caching.

HTTP::Proxy::BodyFilter::complete(3pm)    User Contributed Perl Documentation    HTTP::Proxy::BodyFilter::complete(3pm)

NAME
    HTTP::Proxy::BodyFilter::complete - A filter that passes on a complete body or nothing

SYNOPSIS
    use HTTP::Proxy;
    use HTTP::Proxy::BodyFilter::simple;
    use HTTP::Proxy::BodyFilter::complete;

    my $proxy = HTTP::Proxy->new;

    # pass the complete response body to our filter (in one pass)
    $proxy->push_filter(
        mime     => 'text/html',
        response => HTTP::Proxy::BodyFilter::complete->new,
        response => HTTP::Proxy::BodyFilter::simple->new(
            sub {
                my ( $self, $dataref, $message, $protocol, $buffer ) = @_;
                # some complex processing that needs
                # the whole response body
            }
        ),
    );

    $proxy->start;

DESCRIPTION
    The HTTP::Proxy::BodyFilter::complete filter will ensure that the next filter in the filter chain will only receive complete message bodies (either request or response). It will store the chunks of data as they arrive, only to pass the entire message body after the whole message has been received by the proxy.

    Subsequent filters in the chain will receive the whole body as a big piece of data.

CAVEAT EMPTOR
    This consumes memory and time.

    Use with caution, otherwise your client will time out, or your proxy will run out of memory.

    Also note that all filters after "complete" are still called when the proxy receives data: they just receive empty data. They will receive the complete data when the filter chain is called for the very last time (the $buffer parameter is "undef"). (See the documentation of HTTP::Proxy::BodyFilter for details about the $buffer parameter.)

METHOD
    This filter defines two methods, called automatically:

    filter()
        Stores the incoming data in memory until the last moment and passes empty data to the subsequent filters in the chain. They will receive the full body during the last round of filter calls.

    will_modify()
        This method returns a false value, thus indicating to the system that it will not modify data passing through.

AUTHOR
    Philippe "BooK" Bruhat, <book@cpan.org>.

THANKS
    Thanks to Simon Cozens and Merijn H. Brandt, who needed this almost at the same time. ";-)"

COPYRIGHT
    Copyright 2004-2008, Philippe Bruhat.

LICENSE
    This module is free software; you can redistribute it or modify it under the same terms as Perl itself.

perl v5.12.4    2011-07-03    HTTP::Proxy::BodyFilter::complete(3pm)
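
The following is an added example, not code from the module's documentation or from the presentation. It shows a filter placed after "complete" that handles the empty-data rounds described under CAVEAT EMPTOR. On the final round it logs a digest of the whole body next to the response's Cache-Control and Set-Cookie headers, which helps when auditing how your own application's session-bearing pages would be treated by a cache. The port number and the `$audit` filter are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use HTTP::Proxy;
use HTTP::Proxy::BodyFilter::simple;
use HTTP::Proxy::BodyFilter::complete;

# Assumption: local listening port chosen for this example.
my $proxy = HTTP::Proxy->new( port => 8080 );

# Hypothetical audit filter: runs after "complete", never alters the body.
my $audit = HTTP::Proxy::BodyFilter::simple->new(
    sub {
        my ( $self, $dataref, $message, $protocol, $buffer ) = @_;

        # Every round but the last: "complete" passes on empty data and
        # $buffer is defined, so there is nothing to inspect yet.
        return if defined $buffer;

        # Last round ($buffer is undef): $$dataref is the whole body.
        my $cache  = $message->header('Cache-Control') // '(none)';
        my $cookie = defined( $message->header('Set-Cookie') ) ? 'yes' : 'no';
        warn sprintf "len=%d sha256=%s cache-control=%s set-cookie=%s\n",
            length($$dataref), sha256_hex($$dataref), $cache, $cookie;
    }
);

$proxy->push_filter(
    mime     => 'text/html',
    response => HTTP::Proxy::BodyFilter::complete->new,
    response => $audit,
);

$proxy->start;
```

Identical digests logged for pages that should differ per user, or a Set-Cookie response without a restrictive Cache-Control value, are the cases worth a closer look.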