OWASP - User contributions [en]

Front Range OWASP Conference 2012

2012-03-09T00:25:32Z

Kathleen Thaxton:

__NOTOC__




====Welcome====

'''Welcome to SnowFROC 2012, the fourth Front Range OWASP Application Security Conference!'''

After successful FROC's in June of 2008, [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], and [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 2010] we are back in Denver, Colorado USA on '''Thursday the 22nd of March'''!

This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers. '''ALSO''', on Friday March 23rd several instructors from OWASP will be conducting day-long deep-dives!

In 2010, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2012. 

====Registration====

[http://snowfroc2012.eventbrite.com Registration for SnowFROC is now open!]

$20 covers breakfast, lunch, and a WORLD-CLASS AppSec conference!


Click [http://snowfroc2012.eventbrite.com HERE] to register now for SnowFROC!

Click [[Denver,_Colorado|here]] to register for OWASP Deep Dives in Denver!



==Agenda and Presentations: 22 March 2012==

The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main room, split tracks in the middle of the day, and closing panel discussions back in the main room.

{| style="width:86%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | March 22nd, 2012
|-
| style="width:10%; background:#7B8ABD" | 07:45-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Adirondack Room
|-
| style="width:10%; background:#7B8ABD" | 08:30-08:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC 2012 Conference

''OWASP Denver and OWASP Boulder Chapter Leaders''
|-
| style="width:10%; background:#7B8ABD" | 08:45-09:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" |
'''State of OWASP'''

''Matt Tesauro''
|-
| style="width:10%; background:#7B8ABD" | 09:10-10:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | '''Keynote:'''

''John Pirc, Co-Author of [http://www.amazon.com/Cybercrime-Espionage-Analysis-Subversive-Multi-Vector/dp/1597496138/ref=sr_1_1?s=books&ie=UTF8&qid=1330542019&sr=1-1 "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats"]''

|-

| style="width:10%; background:#7B8ABD" | 10:10-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo
|-

| style="width:10%; background:#7B8ABD" | || colspan="1" style="width:45%; background:#BC857A" | '''Tech Track - Zenith Room 640'''
| colspan="1" style="width:45%; background:#BCA57A" | '''Management Track - Senate Chamber'''

|-

| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:45%; background:#BC857A" align="left" | OWASP Passfault
''Cameron Morris''

| style="width:45%; background:#BCA57A" align="left" | Managing IT Risk in a Cloud Environment
''Karl Steinkamp''


|-

| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:45%; background:#BC857A" align="left" | State of Web Security: Monitored Attacks

''Robert Rowley''

| style="width:45%; background:#BCA57A" align="left" | PCI vs Risk Management
''Doug Landoll''


|-

| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo
|-

| style:"width:10%; background: WebGoat.net
Jerry Hoff

| style="width:45%; background:#BCA57A" align="left" | Securing Data from the Web Tier
''Mike Fleck''



|-

| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:45%; background:#BC857A" align="left" | Gray, the new black: Gray box vulnerability testing
''Adam Hills''

| style="width:45%; background:#BCA57A" align="left" | What the Cyber Criminals are Doing on Your Website Right Now.
''LAZ''


|-

| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK
|-

| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:45%; background:#BC857A" align="left" | "The Mobile Top 10"
''Mike Zussman''

| style="width:45%; background:#BCA57A" align="left" | A Scalable Secure Development Program
''Rajiv Sharma''


|-
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#F2F2F2" align="left" | End of Conference Panel Discussion:

Topic: ''The Crystal Ball and the 2-headed Calf - What's on the Horizon and Why Does It Seem So Unnatural?''

Moderator: Steve Kosten or Andy Lewis
Panelists: Laz, Matt Tesauro, John Pirc, Tanner Coltrin, Steve Kosten, others
|-

|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles!
|-

|}

====Logistics====
[[Image:Denver_mountains.JPG]]

This year, the conference will again be held at University of Colorado, Denver at the Tivoli Center.



=====Accomodation=====
OWASP is in the process of negotiating discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate will be competitively priced and include courtesy Cadillac Escalade transportation to and from Auraria Campus. Currently a "petite queen" room will be reduced from $279/night to $149 by mentioning SnowFROC.

To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].

=====How to get to the venue?=====

*By taxi: taxi from the airport to venue is about $50 USD

*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free

*By car: there is plenty of parking at the Tivoli. Attendees should park at the Tivoli lot (as in past years). Parking validation will be provided for registered FROC participants.

====Call for Presentations====

The [[Front_Range_OWASP_Conference_2012_CFP|call for presentations]] closed February 23rd. If you've got a compelling presentation involving bleeding-edge research please contact steve dot kosten /\+ owasp d0+ org for consideration.







====Conference Committee====

FROC 2012 Planning Committee Chair: Kathy Thaxton - kthaxton at hosting dot com

Presentation Selection Committee:
* Steve Kosten
* Denver OWASP Board

Colorado Chapter Hosts:
* Andy Lewis - OWASP Denver - alewis at owasp dot org
* Mark Major - OWASP Boulder - mark dot major at owasp dot org
* Might have a CO Springs chapter in time for SnowFROC; stay tuned...

Vendor Exhibition POC: Kathy Thaxton - kthaxton at hosting dot com



====Sponsors====

If you are interested in sponsoring the Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at hosting dot com.


We are proud to have the following sponsors for this year's conference:



*[http://www.accuvant.com/ Accuvant]
*[http://www.hosting.com/ Hosting.com]
*[http://www.whitehatsec.com/home/index.html Whitehat Security]
*[http://www.hpenterprisesecurity.com/register/esp-grand-slam-camp-hpesp-homepage HP ESP]
*[http://www.coalfire.com/Home Coalfire Systems]



[[Category:OWASP AppSec Conference]]



=== Speaker Bios ===

==== '''Laz''' =====

==== '''Mike Fleck''' ====



<headertabs />

Front Range OWASP Conference 2012

2012-03-09T00:24:07Z

Kathleen Thaxton:

__NOTOC__




====Welcome====

'''Welcome to SnowFROC 2012, the fourth Front Range OWASP Application Security Conference!'''

After successful FROC's in June of 2008, [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], and [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 2010] we are back in Denver, Colorado USA on '''Thursday the 22nd of March'''!

This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers. '''ALSO''', on Friday March 23rd several instructors from OWASP will be conducting day-long deep-dives!

In 2010, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2012. 

====Registration====

[http://snowfroc2012.eventbrite.com Registration for SnowFROC is now open!]

$20 covers breakfast, lunch, and a WORLD-CLASS AppSec conference!


Click [http://snowfroc2012.eventbrite.com HERE] to register now for SnowFROC!

Click [[Denver,_Colorado|here]] to register for OWASP Deep Dives in Denver!



==Agenda and Presentations: 22 March 2012==

The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main room, split tracks in the middle of the day, and closing panel discussions back in the main room.

{| style="width:86%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | March 22nd, 2012
|-
| style="width:10%; background:#7B8ABD" | 07:45-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Adirondack Room
|-
| style="width:10%; background:#7B8ABD" | 08:30-08:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC 2012 Conference

''OWASP Denver and OWASP Boulder Chapter Leaders''
|-
| style="width:10%; background:#7B8ABD" | 08:45-09:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" |
'''State of OWASP'''

''Matt Tesauro''
|-
| style="width:10%; background:#7B8ABD" | 09:10-10:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | '''Keynote:'''

''John Pirc, Co-Author of [http://www.amazon.com/Cybercrime-Espionage-Analysis-Subversive-Multi-Vector/dp/1597496138/ref=sr_1_1?s=books&ie=UTF8&qid=1330542019&sr=1-1 "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats"]''

|-

| style="width:10%; background:#7B8ABD" | 10:10-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo
|-

| style="width:10%; background:#7B8ABD" | || colspan="1" style="width:45%; background:#BC857A" | '''Tech Track - Zenith Room 640'''
| colspan="1" style="width:45%; background:#BCA57A" | '''Management Track - Senate Chamber'''

|-

| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:45%; background:#BC857A" align="left" | OWASP Passfault
''Cameron Morris''

| style="width:45%; background:#BCA57A" align="left" | Managing IT Risk in a Cloud Environment
''Karl Steinkamp''


|-

| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:45%; background:#BC857A" align="left" | State of Web Security: Monitored Attacks

''Robert Rowley''

| style="width:45%; background:#BCA57A" align="left" | PCI vs Risk Management
''Doug Landoll''


|-

| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo
|-

| style:"width:10%; background: WebGoat.net
Jerry Hoff

| style="width:45%; background:#BCA57A" align="left" | Securing Data from the Web Tier
''Mike Fleck''



|-

| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:45%; background:#BC857A" align="left" | Gray, the new black: Gray box vulnerability testing
''Adam Hills''

| style="width:45%; background:#BCA57A" align="left" | What the Cyber Criminals are Doing on Your Website Right Now.
- My experience as the Director of Information Security for a Fortune 50 Organization
''LAZ''


|-

| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK
|-

| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:45%; background:#BC857A" align="left" | "The Mobile Top 10"
''Mike Zussman''

| style="width:45%; background:#BCA57A" align="left" | A Scalable Secure Development Program
''Rajiv Sharma''


|-
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#F2F2F2" align="left" | End of Conference Panel Discussion:

Topic: ''The Crystal Ball and the 2-headed Calf - What's on the Horizon and Why Does It Seem So Unnatural?''

Moderator: Steve Kosten or Andy Lewis
Panelists: Laz, Matt Tesauro, John Pirc, Tanner Coltrin, Steve Kosten, others
|-

|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles!
|-

|}

====Logistics====
[[Image:Denver_mountains.JPG]]

This year, the conference will again be held at University of Colorado, Denver at the Tivoli Center.



=====Accomodation=====
OWASP is in the process of negotiating discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate will be competitively priced and include courtesy Cadillac Escalade transportation to and from Auraria Campus. Currently a "petite queen" room will be reduced from $279/night to $149 by mentioning SnowFROC.

To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].

=====How to get to the venue?=====

*By taxi: taxi from the airport to venue is about $50 USD

*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free

*By car: there is plenty of parking at the Tivoli. Attendees should park at the Tivoli lot (as in past years). Parking validation will be provided for registered FROC participants.

====Call for Presentations====

The [[Front_Range_OWASP_Conference_2012_CFP|call for presentations]] closed February 23rd. If you've got a compelling presentation involving bleeding-edge research please contact steve dot kosten /\+ owasp d0+ org for consideration.







====Conference Committee====

FROC 2012 Planning Committee Chair: Kathy Thaxton - kthaxton at hosting dot com

Presentation Selection Committee:
* Steve Kosten
* Denver OWASP Board

Colorado Chapter Hosts:
* Andy Lewis - OWASP Denver - alewis at owasp dot org
* Mark Major - OWASP Boulder - mark dot major at owasp dot org
* Might have a CO Springs chapter in time for SnowFROC; stay tuned...

Vendor Exhibition POC: Kathy Thaxton - kthaxton at hosting dot com



====Sponsors====

If you are interested in sponsoring the Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at hosting dot com.


We are proud to have the following sponsors for this year's conference:



*[http://www.accuvant.com/ Accuvant]
*[http://www.hosting.com/ Hosting.com]
*[http://www.whitehatsec.com/home/index.html Whitehat Security]
*[http://www.hpenterprisesecurity.com/register/esp-grand-slam-camp-hpesp-homepage HP ESP]
*[http://www.coalfire.com/Home Coalfire Systems]



[[Category:OWASP AppSec Conference]]



=== Speaker Bios ===

==== '''Laz''' =====

==== '''Mike Fleck''' ====



<headertabs />

Front Range OWASP Conference 2012

2012-03-09T00:20:00Z

Kathleen Thaxton:

__NOTOC__




====Welcome====

'''Welcome to SnowFROC 2012, the fourth Front Range OWASP Application Security Conference!'''

After successful FROC's in June of 2008, [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], and [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 2010] we are back in Denver, Colorado USA on '''Thursday the 22nd of March'''!

This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers. '''ALSO''', on Friday March 23rd several instructors from OWASP will be conducting day-long deep-dives!

In 2010, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2012. 

====Registration====

[http://snowfroc2012.eventbrite.com Registration for SnowFROC is now open!]

$20 covers breakfast, lunch, and a WORLD-CLASS AppSec conference!


Click [http://snowfroc2012.eventbrite.com HERE] to register now for SnowFROC!

Click [[Denver,_Colorado|here]] to register for OWASP Deep Dives in Denver!



==Agenda and Presentations: 22 March 2012==

The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main room, split tracks in the middle of the day, and closing panel discussions back in the main room.

{| style="width:86%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | March 22nd, 2012
|-
| style="width:10%; background:#7B8ABD" | 07:45-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Adirondack Room
|-
| style="width:10%; background:#7B8ABD" | 08:30-08:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC 2012 Conference

''OWASP Denver and OWASP Boulder Chapter Leaders''
|-
| style="width:10%; background:#7B8ABD" | 08:45-09:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" |
'''State of OWASP'''

''Matt Tesauro''
|-
| style="width:10%; background:#7B8ABD" | 09:10-10:10 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | '''Keynote:'''

''John Pirc, Co-Author of [http://www.amazon.com/Cybercrime-Espionage-Analysis-Subversive-Multi-Vector/dp/1597496138/ref=sr_1_1?s=books&ie=UTF8&qid=1330542019&sr=1-1 "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats"]''

|-

| style="width:10%; background:#7B8ABD" | 10:10-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo
|-

| style="width:10%; background:#7B8ABD" | || colspan="1" style="width:45%; background:#BC857A" | '''Tech Track - Zenith Room 640'''
| colspan="1" style="width:45%; background:#BCA57A" | '''Management Track - Senate Chamber'''

|-

| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:45%; background:#BC857A" align="left" | OWASP Passfault
''Cameron Morris''

| style="width:45%; background:#BCA57A" align="left" | Managing IT Risk in a Cloud Environment
''Karl Steinkamp''


|-

| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:45%; background:#BC857A" align="left" | State of Web Security: Monitored Attacks

''Robert Rowley''

| style="width:45%; background:#BCA57A" align="left" | PCI vs Risk Management
''Doug Landoll''


|-

| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo
|-

| WebGoat.net
Jerry Hoff

| style="width:45%; background:#BCA57A" align="left" | Securing Data from the Web Tier
''Mike Fleck''



|-

| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:45%; background:#BC857A" align="left" | Gray, the new black: Gray box vulnerability testing
''Adam Hills''

| style="width:45%; background:#BCA57A" align="left" | Web Session Intelligence

''LAZ''


|-

| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK
|-

| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:45%; background:#BC857A" align="left" | "The Mobile Top 10"
''Mike Zussman''

| style="width:45%; background:#BCA57A" align="left" | A Scalable Secure Development Program
''Rajiv Sharma''


|-
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#F2F2F2" align="left" | End of Conference Panel Discussion:

Topic: ''The Crystal Ball and the 2-headed Calf - What's on the Horizon and Why Does It Seem So Unnatural?''

Moderator: Steve Kosten or Andy Lewis
Panelists: Laz, Matt Tesauro, John Pirc, Tanner Coltrin, Steve Kosten, others
|-

|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles!
|-

|}

====Logistics====
[[Image:Denver_mountains.JPG]]

This year, the conference will again be held at University of Colorado, Denver at the Tivoli Center.



=====Accomodation=====
OWASP is in the process of negotiating discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate will be competitively priced and include courtesy Cadillac Escalade transportation to and from Auraria Campus. Currently a "petite queen" room will be reduced from $279/night to $149 by mentioning SnowFROC.

To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].

=====How to get to the venue?=====

*By taxi: taxi from the airport to venue is about $50 USD

*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free

*By car: there is plenty of parking at the Tivoli. Attendees should park at the Tivoli lot (as in past years). Parking validation will be provided for registered FROC participants.

====Call for Presentations====

The [[Front_Range_OWASP_Conference_2012_CFP|call for presentations]] closed February 23rd. If you've got a compelling presentation involving bleeding-edge research please contact steve dot kosten /\+ owasp d0+ org for consideration.







====Conference Committee====

FROC 2012 Planning Committee Chair: Kathy Thaxton - kthaxton at hosting dot com

Presentation Selection Committee:
* Steve Kosten
* Denver OWASP Board

Colorado Chapter Hosts:
* Andy Lewis - OWASP Denver - alewis at owasp dot org
* Mark Major - OWASP Boulder - mark dot major at owasp dot org
* Might have a CO Springs chapter in time for SnowFROC; stay tuned...

Vendor Exhibition POC: Kathy Thaxton - kthaxton at hosting dot com



====Sponsors====

If you are interested in sponsoring the Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at hosting dot com.


We are proud to have the following sponsors for this year's conference:



*[http://www.accuvant.com/ Accuvant]
*[http://www.hosting.com/ Hosting.com]
*[http://www.whitehatsec.com/home/index.html Whitehat Security]
*[http://www.hpenterprisesecurity.com/register/esp-grand-slam-camp-hpesp-homepage HP ESP]
*[http://www.coalfire.com/Home Coalfire Systems]



[[Category:OWASP AppSec Conference]]



=== Speaker Bios ===

==== '''Laz''' =====

==== '''Mike Fleck''' ====



<headertabs />

Boulder

2009-11-05T19:54:01Z

Kathleen Thaxton:

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

'''November Meeting combined with the Denver Chapter meeting:'''

Wednesday 18 November 2009, 6pm @ Raytheon Polar Services

Anton Rager: "The Evils of XSS: Its not just for cookies anymore"

Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.

This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.

A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.

Presenter: Anton Rager

Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.

Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.

More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Agenda

• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant

• 6:30pm: Introduction and Chapter business

• 6:45pm --> 8pm: Presentation

Boulder

2009-11-05T19:53:44Z

Kathleen Thaxton:

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

'''November Meeting combined with the Denver Chapter meeting:'''

Wednesday 18 November 2009, 6pm @ Raytheon Polar Services

Anton Rager: "The Evils of XSS: Its not just for cookies anymore"

Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.

This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.

A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.

Presenter: Anton Rager

Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.

Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.

More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Agenda

• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant

• 6:30pm: Introduction and Chapter business

• 6:45pm --> 8pm: Presentation

Boulder

2009-11-05T19:53:22Z

Kathleen Thaxton:

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

'''November Meeting combined with the Denver Chapter meeting:'''

Wednesday 18 November 2009, 6pm @ Raytheon Polar Services

Anton Rager: "The Evils of XSS: Its not just for cookies anymore"

Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.

This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.

A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.

Presenter: Anton Rager

Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.

Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.

More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Agenda
• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant
• 6:30pm: Introduction and Chapter business
• 6:45pm --> 8pm: Presentation

Boulder

2009-11-05T19:51:43Z

Kathleen Thaxton: /* December - Date TBA “Capture the Holiday flag” */

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

NEXT MEETING SEPTEMBER 24TH. SEE AGENDA BELOW

November Meeting combined with the Denver Chapter meeting:

Wednesday 18 November 2009, 6pm @ Raytheon Polar Services
Anton Rager: "The Evils of XSS: Its not just for cookies anymore"
Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.
This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.
A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.

Presenter: Anton Rager
Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.
Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.
More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Agenda
• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant
• 6:30pm: Introduction and Chapter business
• 6:45pm --> 8pm: Presentation

Boulder

2009-11-05T19:50:35Z

Kathleen Thaxton: /* October and November 2009 Meetings will be joint with the Denver OWASP at a downtown location TBA */

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

NEXT MEETING SEPTEMBER 24TH. SEE AGENDA BELOW

November Meeting combined with the Denver Chapter meeting:

Wednesday 18 November 2009, 6pm @ Raytheon Polar Services
Anton Rager: "The Evils of XSS: Its not just for cookies anymore"
Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.
This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.
A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.

Presenter: Anton Rager
Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.
Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.
More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Agenda
• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant
• 6:30pm: Introduction and Chapter business
• 6:45pm --> 8pm: Presentation

== December - Date TBA “Capture the Holiday flag” ==

We are planning on reserving space at a restaurant. What better way to Capture the Flag than over a couple of beers?

Boulder

2009-11-05T19:49:44Z

Kathleen Thaxton: /* Logistics */

Boulder

2009-11-05T19:49:02Z

Kathleen Thaxton: /* Agenda */

Boulder

2009-11-05T19:48:17Z

Kathleen Thaxton: /* Directions to Staples: */

Boulder

2009-09-22T22:12:03Z

Kathleen Thaxton: /* October and November 2009 Meetings will be joint with the Denver OWASP at a downtown location TBA */

Boulder

2009-09-22T22:11:49Z

Kathleen Thaxton: /* December - Date TBA “Capture the Holiday flag” */

Boulder

2009-09-22T22:09:19Z

Kathleen Thaxton: /* Boulder OWASP 2009 AGENDA */

Boulder

2009-08-20T16:40:20Z

Kathleen Thaxton: /* Directions to Staples: */

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

NEXT MEETING SEPTEMBER 24TH. SEE AGENDA BELOW

=== Directions to Staples: ===

'''Staples: [http://maps.google.com/maps?q=1+Environmental+Way,+Broomfield,+CO+80021,+USA&sa=X&oi=map&ct=title One Environmental Way, Broomfield, Co. 80021]'''

=== Agenda ===
* 6 to 7:00 Dinner @ [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Corporate+Express+1+Environmental+Way,+Broomfield+colorado&sll=39.935803,-105.13092&sspn=0.077395,0.144711&ie=UTF8&ll=39.926934,-105.126565&spn=0.009676,0.018089&z=16&iwloc=A Staples CE - Broomfield]

* 7pm to 8:30 pm Cross-site scripting lab
Sponsor: '''Nope, no sponsor. It'a your chapter, BYO dinner and/or order pizza at 6'ish'''

Speaker: tbd

=== Logistics ===
Please bring a wifi equipped laptop. We recommend the [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP LiveCD]. Go ahead and download it and familiarize yourself with it ahead of time, if you're so inclined.

Following the meeting we will have informal discussions over beverages at the [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Gordon+Biersch+Brewery+Broomfield+colorado&ie=UTF8&ll=39.935803,-105.13092&spn=0.077395,0.144711&z=13&iwloc=A Gordon Biersch Brewery and Restaurant].

-----------------------------------------------------------------------

== Boulder OWASP 2009 AGENDA ==
=== May 21, 2009 Cross site scripting Lab ===
Lab to explain how to attack vulnerable sites –we will use three different examples and
Spend one half hour on each: Basic attacks, intermediate and advanced.
Teacher TBA.

We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (we’ll choose one):

Black Hat DC researchers demonstrate new cross-site scripting browser hack that lets attackers retrieve data without a trace

[http://developers.slashdot.org/article.pl?sid=09/05/09/1339213 Should Developers Be Liable For Their Code?]

=== June 18, 2009 Part 2 Cross Site Scripting Lab – put it into practice – how to defend against Cross site scripting ===
We will defend against a basic attack, an intermediate and advanced.
Teacher TBA
Remember to bring your OWASP Live CD and your laptop with CD player.
Location will be at CSU in Fort Collins. Directions will be forthcoming.
6:30 to 7pm Dinner (Brown Bag or we will all order pizza) Lab from 7pm to 9pm.

=== No meetings July or August 2009 ===
We will try to put up the sites that we are defending against in the June Lab so that you can have a go at them over the break.

=== September 24, 2009 Sql injection ===
We will be using SQL injection to attack using authentication bypass, database enumeration, adding users through sql injection, Data mining, writing code
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== October, 22, 2009 Defense against sql injection – how to sanitize user input ===
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== November, 19, 2009 This Lab will put into action the SQL injection attack and the defense. ===
We will be using the attacks from the September meeting and then defending against them.
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== December - Date TBA “Capture the Holiday flag” ===
We are planning on reserving space at a restaurant. What better way to Capture the Flag than over a couple of beers?

Boulder

2009-08-20T16:34:05Z

Kathleen Thaxton: /* September 17, 2009 Sql injection */

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

=== Directions to Staples: ===

'''Staples: [http://maps.google.com/maps?q=1+Environmental+Way,+Broomfield,+CO+80021,+USA&sa=X&oi=map&ct=title One Environmental Way, Broomfield, Co. 80021]'''

=== Agenda ===
* 6 to 7:00 Dinner @ [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Corporate+Express+1+Environmental+Way,+Broomfield+colorado&sll=39.935803,-105.13092&sspn=0.077395,0.144711&ie=UTF8&ll=39.926934,-105.126565&spn=0.009676,0.018089&z=16&iwloc=A Staples CE - Broomfield]

* 7pm to 8:30 pm Cross-site scripting lab
Sponsor: '''Nope, no sponsor. It'a your chapter, BYO dinner and/or order pizza at 6'ish'''

Speaker: tbd

=== Logistics ===
Please bring a wifi equipped laptop. We recommend the [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP LiveCD]. Go ahead and download it and familiarize yourself with it ahead of time, if you're so inclined.

Following the meeting we will have informal discussions over beverages at the [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Gordon+Biersch+Brewery+Broomfield+colorado&ie=UTF8&ll=39.935803,-105.13092&spn=0.077395,0.144711&z=13&iwloc=A Gordon Biersch Brewery and Restaurant].

-----------------------------------------------------------------------

== Boulder OWASP 2009 AGENDA ==
=== May 21, 2009 Cross site scripting Lab ===
Lab to explain how to attack vulnerable sites –we will use three different examples and
Spend one half hour on each: Basic attacks, intermediate and advanced.
Teacher TBA.

We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (we’ll choose one):

Black Hat DC researchers demonstrate new cross-site scripting browser hack that lets attackers retrieve data without a trace

[http://developers.slashdot.org/article.pl?sid=09/05/09/1339213 Should Developers Be Liable For Their Code?]

=== June 18, 2009 Part 2 Cross Site Scripting Lab – put it into practice – how to defend against Cross site scripting ===
We will defend against a basic attack, an intermediate and advanced.
Teacher TBA
Remember to bring your OWASP Live CD and your laptop with CD player.
Location will be at CSU in Fort Collins. Directions will be forthcoming.
6:30 to 7pm Dinner (Brown Bag or we will all order pizza) Lab from 7pm to 9pm.

=== No meetings July or August 2009 ===
We will try to put up the sites that we are defending against in the June Lab so that you can have a go at them over the break.

=== September 24, 2009 Sql injection ===
We will be using SQL injection to attack using authentication bypass, database enumeration, adding users through sql injection, Data mining, writing code
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== October, 22, 2009 Defense against sql injection – how to sanitize user input ===
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== November, 19, 2009 This Lab will put into action the SQL injection attack and the defense. ===
We will be using the attacks from the September meeting and then defending against them.
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== December - Date TBA “Capture the Holiday flag” ===
We are planning on reserving space at a restaurant. What better way to Capture the Flag than over a couple of beers?

Boulder

2009-08-20T16:33:24Z

Kathleen Thaxton: /* Next Meeting - XSS Lab - Postponed until August 20th, 2009 */

{{Chapter Template|chaptername=Boulder|extra=The chapter leaders are [mailto:kthaxton@businesspartnersolutions.com Kathy Thaxton], [mailto:mrhits777@gmail.com Jeremy Martinez], and [mailto:Andrew.Riesel@GMail.com Andrew Riesel]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}

<paypal>Boulder</paypal>

Next Meeting of the Boulder OWASP will be September 24, 2009 at Staples in Broomfield.

=== Directions to Staples: ===

'''Staples: [http://maps.google.com/maps?q=1+Environmental+Way,+Broomfield,+CO+80021,+USA&sa=X&oi=map&ct=title One Environmental Way, Broomfield, Co. 80021]'''

=== Agenda ===
* 6 to 7:00 Dinner @ [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Corporate+Express+1+Environmental+Way,+Broomfield+colorado&sll=39.935803,-105.13092&sspn=0.077395,0.144711&ie=UTF8&ll=39.926934,-105.126565&spn=0.009676,0.018089&z=16&iwloc=A Staples CE - Broomfield]

* 7pm to 8:30 pm Cross-site scripting lab
Sponsor: '''Nope, no sponsor. It'a your chapter, BYO dinner and/or order pizza at 6'ish'''

Speaker: tbd

=== Logistics ===
Please bring a wifi equipped laptop. We recommend the [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP LiveCD]. Go ahead and download it and familiarize yourself with it ahead of time, if you're so inclined.

Following the meeting we will have informal discussions over beverages at the [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Gordon+Biersch+Brewery+Broomfield+colorado&ie=UTF8&ll=39.935803,-105.13092&spn=0.077395,0.144711&z=13&iwloc=A Gordon Biersch Brewery and Restaurant].

-----------------------------------------------------------------------

== Boulder OWASP 2009 AGENDA ==
=== May 21, 2009 Cross site scripting Lab ===
Lab to explain how to attack vulnerable sites –we will use three different examples and
Spend one half hour on each: Basic attacks, intermediate and advanced.
Teacher TBA.

We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (we’ll choose one):

Black Hat DC researchers demonstrate new cross-site scripting browser hack that lets attackers retrieve data without a trace

[http://developers.slashdot.org/article.pl?sid=09/05/09/1339213 Should Developers Be Liable For Their Code?]

=== June 18, 2009 Part 2 Cross Site Scripting Lab – put it into practice – how to defend against Cross site scripting ===
We will defend against a basic attack, an intermediate and advanced.
Teacher TBA
Remember to bring your OWASP Live CD and your laptop with CD player.
Location will be at CSU in Fort Collins. Directions will be forthcoming.
6:30 to 7pm Dinner (Brown Bag or we will all order pizza) Lab from 7pm to 9pm.

=== No meetings July or August 2009 ===
We will try to put up the sites that we are defending against in the June Lab so that you can have a go at them over the break.

=== September 17, 2009 Sql injection ===
We will be using SQL injection to attack using authentication bypass, database enumeration, adding users through sql injection, Data mining, writing code
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== October, 22, 2009 Defense against sql injection – how to sanitize user input ===
Teacher TBA
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== November, 19, 2009 This Lab will put into action the SQL injection attack and the defense. ===
We will be using the attacks from the September meeting and then defending against them.
We will be using the OWASP Live CD and will have them available.
Must have laptop with CD player.
Meeting will be at Staples: One Environmental Way, Broomfield, Co. 80021
Brown bag or we can order pizza when everyone gets there.
6pm to 7pm dinner and Lab from 7pm to 8:30
Drinks at Gordon Biersch after the lab. Topics up for discussion (TBA).

=== December - Date TBA “Capture the Holiday flag” ===
We are planning on reserving space at a restaurant. What better way to Capture the Flag than over a couple of beers?