"Last year's presentation was more abstract. This time we're going to show live examples of how applications built using security tips from popular AJAX guidebooks and advice forums can be ripped to little itty-bitty pieces," Hoffman said. "There's a lot of bad advice out there, and it illustrates the inexperience most developers have with AJAX. We've seen companies like Yahoo and Google hit with major AJAX security issues; if those companies are having problems, chances are that smaller developers are too."
As part of the demonstration, the two researchers will execute attacks against a fictional travel site they built using commonly accepted AJAX coding techniques. Among the types of threats they plan to carry out are those that can be used to steal information from such applications, carry out DoS campaigns on the sites, or to use the vulnerabilities to hack into backend systems.
Among the other applications-security experts planning to present at Black Hat 2007 will be researchers from SPI rival Watchfire, which was similarly acquired in June by IBM for the sake of having its vulnerability scanning technologies integrated into Big Blue's Rational development platform.
Among the attacks that Watchfire researchers will present at the gathering will be a clinic delivered by Jonathan Afek on the art of attacking so-called dangling pointers.
Dangling pointers, or programming instructions that do not point to a valid object of the appropriate type, are very common in most types of software as developers have never been pushed to clean the code out of their work.
Watchfire maintains that it has found the first way to actively exploit the instructions, even though the pointers have been suspected as a potential security threat for some time.
Officials said that Afek's presentation involves an exploit based on a remote command execution vulnerability.
"Dangling pointers theoretically have been considered as security bugs for some time, with the idea that if you could get them to point to malicious code you could do things, but prior to this nobody has been able to figure out a way to take advantage," said Danny Allan, director of security research at Watchfire, which is based in Waltham, Mass.
"What's truly interesting is that this is a completely new attack vector, and it will show the methodology for creating an exploit to introduce shell code," Allan said. "I expect that we'll see a lot of activity among security researchers around this issue after this gets out into people's hands."
In another nod to the theme of applications-level hacks, researchers from automated penetration testing software specialist Core Security will demonstrate their latest methods for stealing information from database records. The latest attacks will be carried out using timing techniques that take advantage of the indexing algorithms found in many commercial database management systems.