Many service providers now offer their business through web applications. Over the past years, web services have developed into a powerful and flexible platform where business meets business and customers. This has triggered a surge of new requirements, leading to significant changes in the way we use and consume software, store data and develop applications, and completely transforming the Web. Probably the most popular web development of recent years is AJAX. Together with other technologies, AJAX forms the foundation of Web 2.0, which has revolutionised the way we use and experience the web. Unfortunately, the industry has created a popular new technology without much security in mind. Not only have new attack vectors evolved, but the attack surface for old web application attacks has also increased. Cross Site Scripting (XSS), parameter manipulation and session hijacking are just a few of them. Additionally, security professionals have to be concerned about new data containers like JSON, new architecture principles like REST, new protocols like SOAP and especially the JavaScript language.

This workshop will consist of the following parts:

1. Introduction and "Why can't your firewall and IDS/IPS protect you against web application attacks?"
This part looks at the evolution of hacking from networks to web applications. It explains why conventional security products don't offer any protection against attacks through web applications.

2. Web application vulnerabilities
This part is all about the most common web application vulnerabilities, such as XSS, CSRF, SQL injection, code injection and data leakage. We will look at basic as well as more advanced forms of attacks. Attacks will be analysed in detail so that their cause is understood. We will also talk about tools that can be used to discover these vulnerabilities.

3. Hands-on session, "Experimenting with web application vulnerabilities in an application"
First practical session, where attendees get a chance to apply the knowledge gained in the previous parts. A local HACKME application will be used as the target.

4. Difference between Web 1.0 and Web 2.0 (and what exactly is AJAX)
This part offers a detailed introduction to Web 2.0. It also shows the advancements from the first to the second generation of web applications.

5. Security implications of Web 2.0
After defining Web 2.0, we will take a look at its implications from a security perspective. The main focus will be the same domain policy, its circumvention and what this means for business. We will talk about vulnerabilities introduced by Web 2.0, their identification and discovery, and some tools that might help in their remediation.

6. Hands-on session, "Finding and exploiting web application vulnerabilities in a Web 2.0 application"
The second practical session can be seen as a hacking challenge on a local application that runs on Web 2.0 technology. Attendees will need to find vulnerabilities and try to exploit them.

7. Future of Web 2.0 security and wrap-up
We'll start this part with a demonstration of JavaScript worms, scanners and other interesting applications, which will show the powerful future of Web 2.0. After that we'll finish off with question time.

Hope to see you there ... we'll make your investment worthwhile ;-)

Benjamin, Nik