OWASP - User contributions [en]

OWASP AppSec Europe 2008 - Belgium

2008-04-21T03:37:47Z

Erachner:

[[Image:Owasp_banner_EU08.jpg]]

Welcome to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States and Europe, we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center of Ghent on May 19-22 2008!

The conference is stuffed with top notch presentations from industry recognised speakers and technical experts on the latest application security risks and trends. New for AppSec Europe: technical vendor demos and a Capture the Flag!

==Conference Location==
[[Image:GhentEU2008.JPG]]

The historic center of [http://en.wikipedia.org/wiki/Ghent Ghent], Belgium May 19th-22nd.

[[OWASP_AppSec_Europe_2008_-_Belgium/Training | Tutorial Days: May 19th-20th]]

[[OWASP_AppSec_Europe_2008_-_Belgium/Agenda | Main Conference: May 21st-22nd]]

'''Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]'''

'''If you are registering as a Speaker or Sponsor, please use the following link: [http://guest.cvent.com/i.aspx?4W,M3,49b0aaab-82ef-4a36-a982-6e56a485c531 Cvent link for speakers/sponsors]'''

==Agenda and Presentations - May 21-22==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days. As in the previous editions, the OWASP AppSec Europe 2008 conference will feature a refereed papers track.

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - May 21, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:05 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to OWASP AppSec 2008 Conference
''Sebastien Deleersnyder''
|-
| style="width:10%; background:#7B8ABD" | 09:05-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: The Great Information Security Scrap Yard Challenge
''Mark Curphey, Microsoft''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Owasp State of the Union
''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_ESAPI_project | The OWASP ESAPI project]]
''[[User:Wichers | Dave Wichers]], Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking Incidents: What's hot for 2008]]
''[http://blog.shezaf.com Ofer Shezaf], Breach''
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:00 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls | Evaluation Criteria for Web Application Firewalls]]
''[http://blog.ivanristic.com Ivan Ristic], Breach''
| style="width:40%; background:#BCA57A" align="left" | HTML5 security
''Thomas Roessler''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_ORIZON_project | The OWASP Orizon Project internals]]
''Paolo Perego''
| style="width:40%; background:#BCA57A" align="left" | Remo presentation (Positive ModSecurity rulesets / Input validation)
''Christian Folini''
|-
| style="width:10%; background:#7B8ABD" | 12:30-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:40 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls | Best Practices Guide: Web Application Firewalls (OWASP German chapter)]]
''Alexander Meisel''
| style="width:40%; background:#BCA57A" align="left" | Google-Hacking and Google-Shielding
''Amichai Shulman''
|-
| style="width:10%; background:#7B8ABD" | 14:40-15:20 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_NTLM_Relay_Attacks | NTLM Relay Attacks]]
''Eric Rachner''
| style="width:40%; background:#BCA57A" align="left" | PHPIDS Monitoring attack surface activity
''Mario Heiderich''
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:50 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Agile_Security_Breaking_the_Waterfall_Mindset | Agile Security - Breaking the Waterfall Mindset of the Security Industry]]
''[[User:Wichers | Dave Wichers]], Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | Security framework is not in the code
''Sam Reghenzi''
|-
| style="width:10%; background:#7B8ABD" | 15:50-16:10 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-17:00 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Exploiting_Online_Games | Exploiting Online Games]]
''[[User:gem | Gary McGraw]], Cigital''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08 SHIELDS: metrics, tools and Internet services to improve security in application developments | SHIELDS: metrics, tools and Internet services to improve security in application developments]]
''[[AppSecEU08 Eva Coscia | Eva Coscia]]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: “tbd”
Moderator:tbd
Panelists: tbd
|-
| style="width:10%; background:#7B8ABD" | 18:00-19:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Leader Meeting - Organized by Matteo Meucci
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at the Monasterium
|-
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 2 - May 22, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-9:40 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[AppSecEU08 Software Security State of the Practice 2008 | Software Security: State of the Practice 2008]]
''[[user:gem | Gary McGraw]], Cigital''
|-
| style="width:10%; background:#7B8ABD" | 9:40-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Tour of OWASP projects
''Dinis Cruz (Chief OWASP Evangelist), [[User:Wichers | Dave Wichers]] (OWASP Board), Michael Eddington (OWASP Encoding Project, .NET Web Service Validation Project) and Mark Roxberry (OWASP .NET Project)''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | Graph Analysis for WebApps: From Nodes to Edges
''Simon Roses Femerling, Microsoft''
| style="width:40%; background:#BCA57A" align="left" | The OWASP Education Project
''Martin Knobloch''
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:00 || style="width:40%; background:#BC857A" align="left" | Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking
''Brian Chess, Fortify''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08_Threat_Modeling_for_Application_Designers_and_Architects | Threat Modeling for Application Designers & Architects]]
''[[AppSecEU08 Shay Zalalichin Shay Zalalichin | Shay Zalalichin]]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:40%; background:#BC857A" align="left" |
[[AppSecEU08_Scanstud_-_Evaluating_static_analysis_tools | Scanstud: Evaluating static analysis tools]]

''[http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php Martin Johns]'', ''Moritz Jodeit'', ''Wolfgang Koeppl'', ''Martin Wimmer''
| style="width:40%; background:#BCA57A" align="left" | Office 2.0: Software as a Service, Security on the Sidelines?
''John Heasman''
|-
| style="width:10%; background:#7B8ABD" | 12:30-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:40 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08 How Data Privacy affects Applications and Databases | How Data Privacy affects Applications and Databases]]
''[[AppSecEU08 Dirk De Maeyer | Dirk De Maeyer]]''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 14:40-15:20 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_Anti-Samy_project | The OWASP Anti-Samy project]]
''Jason Li, Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:50 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Input_validation:_the_Good,_the_Bad_and_the_Ugly|
Input validation: the Good, the Bad and the Ugly]]
[[Johan_Peeters|''Johan Peeters'']]
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 15:50-16:10 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-17:00 || style="width:40%; background:#BC857A" align="left" | Client-side security
''pdp''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:40%; background:#F2F2F2" align="left" | Panel: Responsible "tbd"
Moderator: tbd

Panelists: tbd
| style="width:40%; background:#F2F2F2" align="left" | Panel: "tbd"
Moderator: tbd
Panelists: tbd
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:10 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up - Dave Wichers, OWASP Conferences Chair
|-
|}

Venue: Aula, Ghent University, Voldersstraat 9, 9000 Ghent [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Voldersstraat+9,+9000+Gent&jsv=107&sll=50.994753,3.745665&sspn=0.154284,0.466919&ie=UTF8&ll=51.054749,3.723121&spn=0.00963,0.029182&z=15&iwloc=addr Google Maps Link]

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

==Tutorial Days - May 19-20==

OWASP arranged for several Application Security tutorials on May 19th-20th, the days prior to the conference.
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Building and Testing Secure Web Applications
|-
| style="background:#F2F2F2" | Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts. This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Trainer: Jason Li, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T2. Leading the Development of Secure Applications
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle.

Trainer: Arshan Dabirsiaghi, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T3. Building Secure Rich Internet Applications
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development.

Trainer: Arshan Dabirsiaghi, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T4. Building Secure Web Services
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Trainer: [[User:wichers | Dave Wichers]], [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T5. Open Source ModSecurity Training
|-
| style="background:#F2F2F2" | ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day class is for those people who want to learn how to build, deploy, and use ModSecurity in the most effective manner. The course will cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. The course also provides an in-depth look at the extremely powerful ModSecurity Rules Language.

Trainer: Ryan Barnett, Breach - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|}
More information about the tutorials are [[OWASP_AppSec_Europe_2008_-_Belgium/Training | online]].

Venue: Monasterium PoortAckere, Oude Houtlei 56, 9000 Gent [http://www.monasterium.be/ http://www.monasterium.be/]

==Evening Social Event - May 21==

At every conference we have an evening social event the first night. This allows participants to have some unstructured time to mingle with the other attendees. They are always fun and typically attract about half the conference attendees. This year's event will be a Flemish buffet with special Belgian beers at the Monasterium (near the conference location).

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

==Accommodations==

* OWASP arranged for a room block of 20 Executive Deluxe rooms at the [http://www.nh-hotels.com/nh/en/hotels/belgium/ghent/nh-gent-belfort.html NH Gent Belfort] at a rate of €199 per night. This room block is being held through April 11!! After that date, there is no guarantee that rooms at this rate will be available at the NH Gent Belfort.
* OWASP attendees have an option for 20 rooms at € 122 and 10 rooms at € 132 per night at the [http://www.monasterium.be Hotel Monasterium PoortAckere] up until April 30. Use OWASP as reference when booking your room. Please note that there are no more rooms for the night of May 22.
* OWASP arranged for a room block of 25 rooms at the IBIS hotels. You can already contact them on [http://www.ibishotel.com/ibis/fichehotel/gb/ibi/1455/fiche_hotel.shtml Hotel Ibis Gent Centrum Opera] (€ 89 per night - 10 rooms) and [http://www.ibishotel.com/ibis/fichehotel/gb/ibi/0961/fiche_hotel.shtml Hotel Ibis Gent Centrum Kathedraal] (€ 99 per night - 15 rooms of which 3 still available for the 22nd) - reservations through e-mail: H0961-RE at accor.com or fax: 0032/9 233 10 00 (before April 19 - reference OWASP).

It is difficult getting rooms at reduced prices, as there is a medical congress around the same time in Ghent. You will find it difficult to get a room for the night of May 22. We recommend you then book a room for one night near the airport of [http://maps.google.com/maps?f=q&hl=en&geocode=&q=hotels+zaventem,+belgium&ie=UTF8&z=11 Brussels].

The following is a list of nearby accommodations that may have availability:

* [http://www.gent.be/eCache/THE/44/235.html List of hotels in Ghent]
* [http://www.hotelnazareth.be/ Hotel Vandervalken Nazareth - on Highway 5 minutes from Ghent]
* [http://www.bedandbreakfast-gent.be/en/home.php A list of bed and breakfasts in Ghent]
* [http://www.jeugdherbergen.be/jeugdherbergen/gent/ Youth hostels in Ghent]

==Registration and Conference Fees==

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

The conference fee for this conference is :

* Standard: 350 Euros, OWASP Members: 300 Euros, Students: 225 Euros.
* Conference Dinner (Evening of May 21st): 50 Euros
* Conference Tutorials: 825 Euros, Student Fee: 430 Euros
* [http://2008.confidence.org.pl/ CONFidence Poland 2008] members get a € 35 reduction on OWASP (see OWASP On a Plane below).
* [http://www.issa-be.org ISSA], [http://www.isaca.be ISACA] and [http://www.lsec.be L-SEC] Members get a € 35 reduction.

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==OWASP on a Plane - CONFidence 2008==
This year's [http://2008.confidence.org.pl/lang-pref/en/ CONFidence 2008] will take place on 16-17.05.2008 in Cracow (Poland). They have decided to spend Saturday morning talking about OWASP-related projects. No more excuses: you can attend 2 OWASP events in a row in Europe!

==Conference Committee==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba 'at' owasp.org

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com

Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux 'at' be.ey.com

Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at' cs.kuleuven.ac.be

== Affiliated Partners ==
We are glad to have the local support of:
* ISACA
* ISSA
* L-SEC

==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring an OWASP conference, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

OWASP AppSec Europe 2008 - Belgium

2008-04-21T03:32:24Z

Erachner: Fixing the link to the Aspect logo to use https instead of http -- this suppresses an annoying warning message displayed by interenet explorer

[[Image:Owasp_banner_EU08.jpg]]

Welcome to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States and Europe, we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center of Ghent on May 19-22 2008!

The conference is stuffed with top notch presentations from industry recognised speakers and technical experts on the latest application security risks and trends. New for AppSec Europe: technical vendor demos and a Capture the Flag!

==Conference Location==
[[Image:GhentEU2008.JPG]]

The historic center of [http://en.wikipedia.org/wiki/Ghent Ghent], Belgium May 19th-22nd.

[[OWASP_AppSec_Europe_2008_-_Belgium/Training | Tutorial Days: May 19th-20th]]

[[OWASP_AppSec_Europe_2008_-_Belgium/Agenda | Main Conference: May 21st-22nd]]

'''Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]'''

'''If you are registering as a Speaker or Sponsor, please use the following link: [http://guest.cvent.com/i.aspx?4W,M3,49b0aaab-82ef-4a36-a982-6e56a485c531 Cvent link for speakers/sponsors]'''

==Agenda and Presentations - May 21-22==

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days. As in the previous editions, the OWASP AppSec Europe 2008 conference will feature a refereed papers track.

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - May 21, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:05 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to OWASP AppSec 2008 Conference
''Sebastien Deleersnyder''
|-
| style="width:10%; background:#7B8ABD" | 09:05-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: The Great Information Security Scrap Yard Challenge
''Mark Curphey, Microsoft''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Owasp State of the Union
''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_ESAPI_project | The OWASP ESAPI project]]
''[[User:Wichers | Dave Wichers]], Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking Incidents: What's hot for 2008]]
''[http://blog.shezaf.com Ofer Shezaf], Breach''
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:00 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls | Evaluation Criteria for Web Application Firewalls]]
''[http://blog.ivanristic.com Ivan Ristic], Breach''
| style="width:40%; background:#BCA57A" align="left" | HTML5 security
''Thomas Roessler''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_ORIZON_project | The OWASP Orizon Project internals]]
''Paolo Perego''
| style="width:40%; background:#BCA57A" align="left" | Remo presentation (Positive ModSecurity rulesets / Input validation)
''Christian Folini''
|-
| style="width:10%; background:#7B8ABD" | 12:30-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:40 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls | Best Practices Guide: Web Application Firewalls (OWASP German chapter)]]
''Alexander Meisel''
| style="width:40%; background:#BCA57A" align="left" | Google-Hacking and Google-Shielding
''Amichai Shulman''
|-
| style="width:10%; background:#7B8ABD" | 14:40-15:20 || style="width:40%; background:#BC857A" align="left" | NTLM Relay Attacks
''Eric Rachner''
| style="width:40%; background:#BCA57A" align="left" | PHPIDS Monitoring attack surface activity
''Mario Heiderich''
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:50 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Agile_Security_Breaking_the_Waterfall_Mindset | Agile Security - Breaking the Waterfall Mindset of the Security Industry]]
''[[User:Wichers | Dave Wichers]], Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | Security framework is not in the code
''Sam Reghenzi''
|-
| style="width:10%; background:#7B8ABD" | 15:50-16:10 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-17:00 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Exploiting_Online_Games | Exploiting Online Games]]
''[[User:gem | Gary McGraw]], Cigital''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08 SHIELDS: metrics, tools and Internet services to improve security in application developments | SHIELDS: metrics, tools and Internet services to improve security in application developments]]
''[[AppSecEU08 Eva Coscia | Eva Coscia]]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: “tbd”
Moderator:tbd
Panelists: tbd
|-
| style="width:10%; background:#7B8ABD" | 18:00-19:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Leader Meeting - Organized by Matteo Meucci
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at the Monasterium
|-
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 2 - May 22, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-9:40 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[AppSecEU08 Software Security State of the Practice 2008 | Software Security: State of the Practice 2008]]
''[[user:gem | Gary McGraw]], Cigital''
|-
| style="width:10%; background:#7B8ABD" | 9:40-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Tour of OWASP projects
''Dinis Cruz (Chief OWASP Evangelist), [[User:Wichers | Dave Wichers]] (OWASP Board), Michael Eddington (OWASP Encoding Project, .NET Web Service Validation Project) and Mark Roxberry (OWASP .NET Project)''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | Graph Analysis for WebApps: From Nodes to Edges
''Simon Roses Femerling, Microsoft''
| style="width:40%; background:#BCA57A" align="left" | The OWASP Education Project
''Martin Knobloch''
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:00 || style="width:40%; background:#BC857A" align="left" | Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking
''Brian Chess, Fortify''
| style="width:40%; background:#BCA57A" align="left" | [[AppSecEU08_Threat_Modeling_for_Application_Designers_and_Architects | Threat Modeling for Application Designers & Architects]]
''[[AppSecEU08 Shay Zalalichin Shay Zalalichin | Shay Zalalichin]]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:40%; background:#BC857A" align="left" |
[[AppSecEU08_Scanstud_-_Evaluating_static_analysis_tools | Scanstud: Evaluating static analysis tools]]

''[http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php Martin Johns]'', ''Moritz Jodeit'', ''Wolfgang Koeppl'', ''Martin Wimmer''
| style="width:40%; background:#BCA57A" align="left" | Office 2.0: Software as a Service, Security on the Sidelines?
''John Heasman''
|-
| style="width:10%; background:#7B8ABD" | 12:30-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:40 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08 How Data Privacy affects Applications and Databases | How Data Privacy affects Applications and Databases]]
''[[AppSecEU08 Dirk De Maeyer | Dirk De Maeyer]]''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 14:40-15:20 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_The_OWASP_Anti-Samy_project | The OWASP Anti-Samy project]]
''Jason Li, Aspect Security''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:50 || style="width:40%; background:#BC857A" align="left" | [[AppSecEU08_Input_validation:_the_Good,_the_Bad_and_the_Ugly|
Input validation: the Good, the Bad and the Ugly]]
[[Johan_Peeters|''Johan Peeters'']]
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 15:50-16:10 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-17:00 || style="width:40%; background:#BC857A" align="left" | Client-side security
''pdp''
| style="width:40%; background:#BCA57A" align="left" | [http://www.cs.kuleuven.be/~lieven/AppSec2008/program.html Refereed papers track]
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:40%; background:#F2F2F2" align="left" | Panel: Responsible "tbd"
Moderator: tbd

Panelists: tbd
| style="width:40%; background:#F2F2F2" align="left" | Panel: "tbd"
Moderator: tbd
Panelists: tbd
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:10 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up - Dave Wichers, OWASP Conferences Chair
|-
|}

Venue: Aula, Ghent University, Voldersstraat 9, 9000 Ghent [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Voldersstraat+9,+9000+Gent&jsv=107&sll=50.994753,3.745665&sspn=0.154284,0.466919&ie=UTF8&ll=51.054749,3.723121&spn=0.00963,0.029182&z=15&iwloc=addr Google Maps Link]

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

==Tutorial Days - May 19-20==

OWASP arranged for several Application Security tutorials on May 19th-20th, the days prior to the conference.
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Building and Testing Secure Web Applications
|-
| style="background:#F2F2F2" | Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts. This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Trainer: Jason Li, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T2. Leading the Development of Secure Applications
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle.

Trainer: Arshan Dabirsiaghi, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T3. Building Secure Rich Internet Applications
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development.

Trainer: Arshan Dabirsiaghi, [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T4. Building Secure Web Services
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Trainer: [[User:wichers | Dave Wichers]], [http://www.aspectsecurity.com Aspect Security] - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T5. Open Source ModSecurity Training
|-
| style="background:#F2F2F2" | ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day class is for those people who want to learn how to build, deploy, and use ModSecurity in the most effective manner. The course will cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. The course also provides an in-depth look at the extremely powerful ModSecurity Rules Language.

Trainer: Ryan Barnett, Breach - [[OWASP_AppSec_Europe_2008_-_Belgium/Training | Read more here!]]
|}
More information about the tutorials are [[OWASP_AppSec_Europe_2008_-_Belgium/Training | online]].

Venue: Monasterium PoortAckere, Oude Houtlei 56, 9000 Gent [http://www.monasterium.be/ http://www.monasterium.be/]

==Evening Social Event - May 21==

At every conference we have an evening social event the first night. This allows participants to have some unstructured time to mingle with the other attendees. They are always fun and typically attract about half the conference attendees. This year's event will be a Flemish buffet with special Belgian beers at the Monasterium (near the conference location).

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

==Accommodations==

* OWASP arranged for a room block of 20 Executive Deluxe rooms at the [http://www.nh-hotels.com/nh/en/hotels/belgium/ghent/nh-gent-belfort.html NH Gent Belfort] at a rate of €199 per night. This room block is being held through April 11!! After that date, there is no guarantee that rooms at this rate will be available at the NH Gent Belfort.
* OWASP attendees have an option for 20 rooms at € 122 and 10 rooms at € 132 per night at the [http://www.monasterium.be Hotel Monasterium PoortAckere] up until April 30. Use OWASP as reference when booking your room. Please note that there are no more rooms for the night of May 22.
* OWASP arranged for a room block of 25 rooms at the IBIS hotels. You can already contact them on [http://www.ibishotel.com/ibis/fichehotel/gb/ibi/1455/fiche_hotel.shtml Hotel Ibis Gent Centrum Opera] (€ 89 per night - 10 rooms) and [http://www.ibishotel.com/ibis/fichehotel/gb/ibi/0961/fiche_hotel.shtml Hotel Ibis Gent Centrum Kathedraal] (€ 99 per night - 15 rooms of which 3 still available for the 22nd) - reservations through e-mail: H0961-RE at accor.com or fax: 0032/9 233 10 00 (before April 19 - reference OWASP).

It is difficult getting rooms at reduced prices, as there is a medical congress around the same time in Ghent. You will find it difficult to get a room for the night of May 22. We recommend you then book a room for one night near the airport of [http://maps.google.com/maps?f=q&hl=en&geocode=&q=hotels+zaventem,+belgium&ie=UTF8&z=11 Brussels].

The following is a list of nearby accommodations that may have availability:

* [http://www.gent.be/eCache/THE/44/235.html List of hotels in Ghent]
* [http://www.hotelnazareth.be/ Hotel Vandervalken Nazareth - on Highway 5 minutes from Ghent]
* [http://www.bedandbreakfast-gent.be/en/home.php A list of bed and breakfasts in Ghent]
* [http://www.jeugdherbergen.be/jeugdherbergen/gent/ Youth hostels in Ghent]

==Registration and Conference Fees==

Registration is available via the OWASP Conference Cvent site at: [http://guest.cvent.com/i.aspx?4W,M3,7b36ecdc-1234-4d63-bc08-898a7bf60b2a Cvent link]

The conference fee for this conference is :

* Standard: 350 Euros, OWASP Members: 300 Euros, Students: 225 Euros.
* Conference Dinner (Evening of May 21st): 50 Euros
* Conference Tutorials: 825 Euros, Student Fee: 430 Euros
* [http://2008.confidence.org.pl/ CONFidence Poland 2008] members get a € 35 reduction on OWASP (see OWASP On a Plane below).
* [http://www.issa-be.org ISSA], [http://www.isaca.be ISACA] and [http://www.lsec.be L-SEC] Members get a € 35 reduction.

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==OWASP on a Plane - CONFidence 2008==
This year's [http://2008.confidence.org.pl/lang-pref/en/ CONFidence 2008] will take place on 16-17.05.2008 in Cracow (Poland). They have decided to spend Saturday morning talking about OWASP-related projects. No more excuses: you can attend 2 OWASP events in a row in Europe!

==Conference Committee==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba 'at' owasp.org

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com

Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux 'at' be.ey.com

Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at' cs.kuleuven.ac.be

== Affiliated Partners ==
We are glad to have the local support of:
* ISACA
* ISSA
* L-SEC

==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring an OWASP conference, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

AppSecEU08 NTLM Relay Attacks

2008-04-21T03:29:05Z

Erachner:

'''NTLM Relay Attacks'''

NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share. But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Authentication.

Simply put, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access ''arbitrary network resources'' as the victim.

Although this vulnerability has been exploitable for over seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources -- until now. In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks. The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.

'''About the Speaker:''' Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis and penetration testing of network applications and systems. He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team, leading efforts such as application penetration testing, code reviews, design reviews of applications throughout Microsoft's global IT organization. In 2005, Eric left Microsoft to pursue an independent career, providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.

AppSecEU08 NTLM Relay Attacks

2008-04-21T03:21:57Z

Erachner: New page: '''NTLM Relay Attacks''' NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the vict...

'''NTLM Relay Attacks'''

NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share.

But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Auth.

In the simplest scenario, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access '''arbitrary network resources''' as the victim.

Although people have been exploiting this problem for seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources until now.

In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks. The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.

'''About the Speaker:''' Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis, vulnerability assessment, and penetration testing of network applications and systems. He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team. As a senior member of the ACE team, he led efforts such as application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. Also during this time, he wrote the feature article for the August 2004 issue of asp.net PRO Magazine on the subject of the attack technique that has since become known as Cross-Site Request Forgery.

In 2005, Eric left Microsoft to pursue an independent career as a security consultant providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.

XPATH Injection

2007-04-23T13:33:01Z

Erachner: Cleaning up references to "XML injection" where "XPath injection" is more accurate

{{Template:Attack}}

==Author==
Contact Author: [mailto:mark.bradshaw@gmail.com Mark Bradshaw]

==Description==
Similar to SQL Injection, XPath Injection attacks occur when a web site uses user-supplied information to constract an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to. They may even be able to elevate their privileges on the web site if the xml data is being used for authentication (such as an xml based user file).

Querying XML is done with XPath, a type of simple descriptive statement that allows the xml query to locate a piece of information. Like SQL you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input '''must''' be sanitized to verify that it doesn't mess up the XPath query and return the wrong data.

==Examples ==

We'll use this xml snippet for the examples.

<pre>
<?xml version="1.0" encoding="utf-8"?>
<Employees>
<Employee ID="1">
<FirstName>Arnold</FirstName>
<LastName>Baker</LastName>
<UserName>ABaker</UserName>
<Password>SoSecret</Password>
<Type>Admin</Type>
</Employee>
<Employee ID="2">
<FirstName>Peter</FirstName>
<LastName>Pan</LastName>
<UserName>PPan</UserName>
<Password>NotTelling</Password>
<Type>User</Type>
</Employee>
</Employees>
</pre>

Suppose we have a user authentication system on a web page that used a data file of this sort to login users. Once a username and password had been supplied the software might use an XPath to lookup the user such as this:

<pre>
VB:
Dim FindUserXPath as String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username") & "' And
Password/text()='" & Request("Password") & "']"

C#:
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' And
Password/text()='" + Request("Password") + "']";
</pre>

With a normal username and password this XPath would work, but an attacker may send a bad username and password and get an xml node selected without knowing the username or password, like this:

<pre>
Username: blah' or 1=1 or 'a'='a
Password: blah

FindUserXPath becomes //Employee[UserName/text()='blah' or 1=1 or
'a'='a' And Password/text()='blah']

Logically this is equivalent to:
//Employee[(UserName/text()='blah' or 1=1) or
('a'='a' And Password/text()='blah')]
</pre>

In this case, only the first part of the XPath needs to be true. The password part becomes irrelevant, and the UserName part will match ALL employees because of the "1=1" part.

Just like SQL injection, in order to protect yourself you must escape single quotes (or double quotes) if your application uses them.

<pre>
VB:
Dim FindUserXPath as String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username").Replace("'", "'") & "' And
Password/text()='" & Request("Password").Replace("'", "'") & "']"

C#:
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request("Username").Replace("'", "'") + "' And
Password/text()='" + Request("Password").Replace("'", "'") + "']";
</pre>

Another better mitigation option is to use a precompiled XPath[http://www.tkachenko.com/blog/archives/000385.html]. Precompiled XPaths are already preset before the program executes, rather than created on the fly after the user's input has been added to the string. This is a better route because you don't have to worry about missing a character that should have been escaped.

==Related Attacks==

* [[Injection problem]]
* [[SQL injection]]

==Categories==
[[Category:Attack]]
[[Category:Injection Attack]]

XML Injection

2007-02-21T08:38:12Z

Erachner: XML Injection moved to XPATH Injection: XML injection refers to issues where attacker-supplied data is inlined into an XML document. When user-supplied data is inlined into an XPATH query, it is XPATH injection.

#REDIRECT [[XPATH Injection]]

XPATH Injection

2007-02-21T08:38:12Z

{{Template:Attack}}

==Author==
Contact Author: [mailto:mark.bradshaw@gmail.com Mark Bradshaw]

==Description==
Similar to SQL Injection, XML Injection attacks occur when a web site uses user supplied information to query XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to. They may even be able to elevate their privileges on the web site if the xml data is being used for authentication (such as an xml based user file).

Querying XML is done with XPath, a type of simple descriptive statement that allows the xml query to locate a piece of information. Like SQL you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input '''must''' be sanitized to verify that it doesn't mess up the XPath query and return the wrong data.

==Examples ==

We'll use this xml snippet for the examples.

<pre>
<?xml version="1.0" encoding="utf-8"?>
<Employees>
<Employee ID="1">
<FirstName>Arnold</FirstName>
<LastName>Baker</LastName>
<UserName>ABaker</UserName>
<Password>SoSecret</Password>
<Type>Admin</Type>
</Employee>
<Employee ID="2">
<FirstName>Peter</FirstName>
<LastName>Pan</LastName>
<UserName>PPan</UserName>
<Password>NotTelling</Password>
<Type>User</Type>
</Employee>
</Employees>
</pre>

Suppose we have a user authentication system on a web page that used a data file of this sort to login users. Once a username and password had been supplied the software might use an XPath to lookup the user such as this:

<pre>
VB:
Dim FindUserXPath as String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username") & "' And
Password/text()='" & Request("Password") & "']"

C#:
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request("Username") + "' And
Password/text()='" + Request("Password") + "']";
</pre>

With a normal username and password this XPath would work, but an attacker may send a bad username and password and get an xml node selected without knowing the username or password, like this:

<pre>
Username: blah' or 1=1 or 'a'='a
Password: blah

FindUserXPath becomes //Employee[UserName/text()='blah' or 1=1 or
'a'='a' And Password/text()='blah']

Logically this is equivalent to:
//Employee[(UserName/text()='blah' or 1=1) or
('a'='a' And Password/text()='blah')]
</pre>

In this case, only the first part of the XPath needs to be true. The password part becomes irrelevant, and the UserName part will match ALL employees because of the "1=1" part.

Just like SQL injection, in order to protect yourself you must escape single quotes (or double quotes) if your application uses them.

<pre>
VB:
Dim FindUserXPath as String
FindUserXPath = "//Employee[UserName/text()='" & Request("Username").Replace("'", "'") & "' And
Password/text()='" & Request("Password").Replace("'", "'") & "']"

C#:
String FindUserXPath;
FindUserXPath = "//Employee[UserName/text()='" + Request("Username").Replace("'", "'") + "' And
Password/text()='" + Request("Password").Replace("'", "'") + "']";
</pre>

Another better mitigation option is to use a precompiled XPath[http://www.tkachenko.com/blog/archives/000385.html]. Precompiled XPaths are already preset before the program executes, rather than created on the fly after the user's input has been added to the string. This is a better route because you don't have to worry about missing a character that should have been escaped.

==Related Attacks==

* [[Injection problem]]
* [[SQL injection]]

==Categories==
[[Category:Attack]]
[[Category:Injection Attack]]