Matasano: Vulnerability Reporting in a Web 2.0 World. Same old security problems, just no one to report it to or fix 'em.

Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps. They reply: Thanks for the tip, David. It’s been noted.

BTW, most of the talks at OWASP Milan last week were on Web 2.0 attacks.

The Dark Side of AJAX, Brian Chess, Chief Scientist, Fortify Software (a sampling of 400 different known XSS vulns; goes through the popular frameworks (Atlas, Dojo, et al.) to see which ones address JavaScript hijacking today (basically none) and which ones have fixes in their next versions (real soon now))

Overtaking Google Desktop - Leveraging XSS into Mayhem, Yair Amit, Sr. Security Researcher, Watchfire (pass XSS and CSRF attacks through to Google Desktop)

Advanced Web Hacking Revealed, Petko D. Petkov (AKA PDP Architect), Senior Security Researcher (showed some interesting ways to extend fundamental XSS/CSRF and mash those attacks up using Yahoo Pipes and Google APIs)

Protecting Web Applications from Universal PDF XSS: A discussion of how weird the web application security world has become, Ivan Ristic (the payload rides in the URL fragment, which the browser never sends, so the server side cannot see the attack at all)

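Since the Fortify talk above turns on whether a framework "addresses JavaScript hijacking", here is what that actually means at the response level. This is an added example, not code from the original post or from any of the talks or frameworks it mentions: the endpoint, the contact records and the header check are all constructed here. It shows the hijackable shape (a bare JSON array, which is also a valid script), the prefix defence that makes the body a syntax error when a third-party page pulls it in via `<script src=...>`, and the companion check for a header a cross-site script tag cannot set.

```javascript
// Added example (not from the original post or the talks it lists): why a JSON
// endpoint returning a bare array is "JavaScript hijackable", and two standard
// mitigations. All data and names below are constructed for illustration.

// Constructed sample of what a hypothetical /api/contacts endpoint returns to
// an authenticated user. The attack: a hostile page includes the endpoint with
// <script src="https://victim/api/contacts">, the victim's cookies go along,
// and the response body executes as JavaScript inside the attacker's page.
const CONTACTS = [
  { name: 'Alice', email: 'alice@example.com' },
  { name: 'Bob', email: 'bob@example.com' },
];

// Vulnerable form: the body is a bare JSON array, which is also a valid
// JavaScript program, so the <script> inclusion above runs it without error.
function vulnerableBody(data) {
  return JSON.stringify(data);
}

// Hardened form: prefix the body with a token that is a syntax error when the
// response is parsed as a script, but is trivially stripped by a legitimate
// XMLHttpRequest client that expects it. The prefix used here is the one Google
// has used on its own JSON endpoints; any guaranteed-unparseable prefix works.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function hardenedBody(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Would this body run if pulled in as a script? new Function() parses the body
// as a function body without executing it, which is enough to tell.
function executesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Legitimate client: require the prefix, strip it, then parse as JSON.
function parseHardenedBody(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Independent second mitigation, modelled as the server-side check: only serve
// the JSON when the request carries a header that a cross-site <script> tag
// cannot add. The header name is the conventional XHR one, assumed here.
function isAllowedRequest(headers) {
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Stand-alone demonstration.
console.log('bare array runs as script:', executesAsScript(vulnerableBody(CONTACTS)));
console.log('prefixed body runs as script:', executesAsScript(hardenedBody(CONTACTS)));
console.log('client still gets the data:', parseHardenedBody(hardenedBody(CONTACTS)));
console.log('request without XHR header allowed:', isAllowedRequest({}));
```

The original hijack also needed a browser that fired overridden `Array` constructors or `Object.prototype` setters for literals; current engines do not, so the bare-array leak depends on that old quirk. The prefix and the header check cost nothing, are independent of the browser, and also stop JSONP-style misuse of the same endpoint, which is why they are the checks to look for when judging whether a framework "addresses" the problem.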