OWASP - User contributions [en]

User:Michael Hendrickx

2016-07-06T22:56:09Z

Michael Hendrickx:

Security Software Engineer working for a large software company. I used to be a security consultant, doing projects that are often security assessments, source code reviews and software development. For the past decade, I've been quite active in Web Application Security Assessments.

I live in Vancouver, BC now.

Pinning Cheat Sheet

2016-07-06T22:54:53Z

Michael Hendrickx: fixing typos

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}
The [[Pinning Cheat Sheet]] is a technical guide to implementing certificate and public key pinning as discussed at the Virginia chapter's presentation [[Media:Securing-Wireless-Channels-in-the-Mobile-Space.ppt|Securing Wireless Channels in the Mobile Space]]. This guide is focused on providing clear, simple, actionable guidance for securing the channel in a hostile environment where actors could be malicious and the conference of trust a liability.

A verbose article is available at [[Certificate_and_Public_Key_Pinning|Certificate and Public Key Pinning]]. The article includes additional topics, such as Alternatives to Pinning, Ephemeral Keys, Pinning Gaps, Revocation, and X509 Validation.

== What's the problem? ==

Users, developers, and applications expect end-to-end security on their secure channels, but some secure channels are not meeting the expectation. Specifically, channels built using well known protocols such as VPN, SSL, and TLS can be vulnerable to a number of attacks.

== What Is Pinning? ==

Pinning is the process of associating a host with their ''expected'' X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. If more than one certificate or public key is acceptable, then the program holds a ''pinset'' (taking from [https://developers.google.com/events/io/sessions/gooio2012/107/ Jon Larimer and Kenny Root Google I/O talk]). In this case, the advertised identity must match one of the elements in the pinset.

A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former - adding at development time - is preferred since ''preloading'' the certificate or public key ''out of band'' usually means the attacker cannot taint the pin.

=== When Do You Pin? ===

You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.

=== When Do You Whitelist? ===

If you are working for an organization which practices "egress filtering" as part of a Data Loss Prevention (DLP) strategy, you will likely encounter ''Interception Proxies''. I like to refer to these things as '''"good" bad guys''' (as opposed to '''"bad" bad guys''') since both break end-to-end security and we can't tell them apart. In this case, '''do not''' offer to whitelist the interception proxy since it defeats your security goals. Add the interception proxy's public key to your pinset after being '''instructed''' to do so by the folks in Risk Acceptance.

=== How Do You Pin? ===

The idea is to re-use the exiting protocols and infrastructure, but use them in a hardened manner. For re-use, a program would keep doing the things it used to do when establishing a secure connection.

To harden the channel, the program would would take advantage of the <tt>OnConnect</tt> callback offered by a library, framework or platform. In the callback, the program would verify the remote host's identity by validating its certificate or public key.

== What Should Be Pinned? ==

The first thing to decide is what should be pinned. For this choice, you have two options: you can (1) pin the certificate; or (2) pin the public key. If you choose public keys, you have two additional choices: (a) pin the <tt>subjectPublicKeyInfo</tt>; or (b) pin one of the concrete types such as <tt>RSAPublicKey</tt> or <tt>DSAPublicKey</tt>.

[[File:random-org-der-dump.png|thumb| 100px |subjectPublicKeyInfo]]The three choices are explained below in more detail. I would encourage you to pin the <tt>subjectPublicKeyInfo</tt> because it has the public parameters (such as <tt>{e,n}</tt> for an RSA public key) '''and''' contextual information such as an algorithm and OID. The context will help you keep your bearings at times, and the figure to the right shows the additional information available.

=== Certificate ===

[[File:pin-cert.png|thumb|right|100px|Certificate]] The certificate is easiest to pin. You can fetch the certificate out of band for the website, have the IT folks email your company certificate to you, use <tt>openssl s_client</tt> to retrieve the certificate etc. At runtime, you retrieve the website or server's certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded within the program. If the comparison fails, then fail the method or function.

There is a downside to pinning a certificate. If the site rotates its certificate on a regular basis, then your application would need to be updated regularly. For example, Google rotates its certificates, so you will need to update your application about once a month (if it depended on Google services). Even though Google rotates its certificates, the underlying public keys (within the certificate) remain static.

=== Public Key ===

[[File:pin-pubkey.png|thumb|right|100px|Public Key]] Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. As with a certificate, the program checks the extracted public key with its embedded copy of the public key.

There are two downsides to public key pinning. First, it's harder to work with keys (versus certificates) since you must extract the key from the certificate. Extraction is a minor inconvenience in Java and .Net, buts it's uncomfortable in Cocoa/CocoaTouch and OpenSSL. Second, the key is static and may violate key rotation policies.

=== Hashing ===

While the three choices above used DER encoding, its also acceptable to use a hash of the information. In fact, the original sample programs were written using digested certificates and public keys. The samples were changed to allow a programmer to inspect the objects with tools like <tt>dumpasn1</tt> and other ASN.1 decoders.

Hashing also provides three additional benefits. First, hashing allows you to anonymize a certificate or public key. This might be important if you application is concerned about leaking information during decompilation and re-engineering. Second, a digested certificate fingerprint is often available as a native API for many libraries, so its convenient to use.

Finally, an organization might want to supply a reserve (or back-up) identity in case the primary identity is compromised. Hashing ensures your adversaries do not see the reserved certificate or public key in advance of its use. In fact, Google's IETF draft ''websec-key-pinning'' uses the technique.

== Examples of Pinning ==

This section discusses certificate and public key pinning in Android Java, iOS, .Net, and OpenSSL. Code has been omitted for brevity, but the key points for the platform are highlighted. All programs attempt to connect to [https://www.random.org random.org] and fetch bytes (Dr. Mads Haahr participates in AOSP's pinning program, so the site should have a static key). The programs enjoy a pre-existing relationship with the site (more correctly, ''a priori'' knowledge), so they include a copy of the site's public key and pin the identity on the key.

=== Android ===

This example is using the concept from [https://developer.android.com/training/articles/security-ssl.html#UnknownCa developer.android.com unknown CA implementation document]. Basically you can teach HttpsURLConnection to trust a specific set of CAs.

Download: [https://github.com/riramar/pubkey-pin-android Android app pubkey-pin-android]

=== iOS ===

An open-source SSL pinning library for iOS and OS X was released at Black Hat 2015, which provides an easy-to-use API for deploying pinning within an App: https://github.com/datatheorem/TrustKit .

Otherwise and when using NSURLConnection, iOS pinning is performed through a <tt>NSURLConnectionDelegate</tt>. The delegate must implement <tt>connection:canAuthenticateAgainstProtectionSpace:</tt> and <tt>connection:didReceiveAuthenticationChallenge:</tt>. Within <tt>connection:didReceiveAuthenticationChallenge:</tt>, the delegate must call <tt>SecTrustEvaluate</tt> to perform customary X509 checks.

Download: [[Media:pubkey-pin-ios.zip|iOS sample program]].

=== .Net ===

.Net pinning can be achieved by using <tt>ServicePointManager</tt>.

Download: [[Media:pubkey-pin-dotnet.zip|.Net sample program]].

=== OpenSSL ===

Pinning can occur at one of two places with OpenSSL. First is the user supplied <tt>verify_callback</tt>. Second is after the connection is established via <tt>SSL_get_peer_certificate</tt>. Either method will allow you to access the peer's certificate.

Though OpenSSL performs the X509 checks, you must fail the connection and tear down the socket on error. By design, a server that does not supply a certificate will result in <tt>X509_V_OK</tt> with a '''NULL''' certificate. To check the result of the customary verification: (1) you must call <tt>SSL_get_verify_result</tt> and verify the return code is <tt>X509_V_OK</tt>; and (2) you must call <tt>SSL_get_peer_certificate</tt> and verify the certificate is '''non-NULL'''.

Download: [[Media:pubkey-pin-openssl.zip|OpenSSL sample program]].

== References ==

* OWASP [[Injection_Theory|Injection Theory]]
* OWASP [[Data_Validation|Data Validation]]
* OWASP [[Transport_Layer_Protection_Cheat_Sheet|Transport Layer Protection Cheat Sheet]]
* IETF [http://www.ietf.org/rfc/rfc1421.txt RFC 1421 (PEM Encoding)]
* IETF [http://www.ietf.org/rfc/rfc4648.txt RFC 4648 (Base16, Base32, and Base64 Encodings)]
* IETF [http://www.ietf.org/rfc/rfc5280.txt RFC 5280 (Internet X.509, PKIX)]
* IETF [http://www.ietf.org/rfc/rfc3279.txt RFC 3279 (PKI, X509 Algorithms and CRL Profiles)]
* IETF [http://www.ietf.org/rfc/rfc4055.txt RFC 4055 (PKI, X509 Additional Algorithms and CRL Profiles)]
* IETF [http://www.ietf.org/rfc/rfc2246.txt RFC 2246 (TLS 1.0)]
* IETF [http://www.ietf.org/rfc/rfc4346.txt RFC 4346 (TLS 1.1)]
* IETF [http://www.ietf.org/rfc/rfc5246.txt RFC 5246 (TLS 1.2)]
* RSA Laboratories [http://www.rsa.com/rsalabs/node.asp?id=2125 PKCS#1, RSA Encryption Standard]
* RSA Laboratories [http://www.rsa.com/rsalabs/node.asp?id=2128 PKCS#6, Extended-Certificate Syntax Standard]

== Authors and Editors ==

* Jeffrey Walton - jeffrey, owasp.org
* John Steven - john, owasp.org
* Jim Manico - jim, owasp.org
* Kevin Wall - kevin, owasp.org
* Ricardo Iramar - ricardo.iramar@gmail.com

== Other Cheatsheets ==

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

User:Michael Hendrickx

2016-03-25T19:00:10Z

Michael Hendrickx:

I am an Information Security Professional working for a software company. I used to be a consultant in the Middle East, doing projects that are often security assessments, source code reviews and software development. For the past decade, I've been quite active in Web Application Security Assessments, and in a previous life, I even made a few open source tools.
I live in Vancouver, BC now.

Dubai

2014-08-28T06:15:26Z

Michael Hendrickx:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek Naja]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

<br>

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

== Past Events ==
'''27th of August 2014 at 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

Topics:
; OWASP Top 10 A2 - Broken Authentication and session management
: Speaker: [http://ae.linkedin.com/in/tareknaja Tarek Naja]
: Bio: Tarek is the OWASP UAE chapter leader. He is a seasoned security consultant who focuses on penetration testing.

; OWASP Top 10 A3 - Cross site scripting (XSS)
: Speaker: [http://ae.linkedin.com/in/mhendrickx Michael Hendrickx]
: Bio: Michael is an experienced IT security professional with strong, deep technical knowledge on wide variety of applications.

----
'''28th of May, 2014. 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

We're honored to have our guest speak [http://ae.linkedin.com/pub/ammar-almarzooqi/30/b11/b86 Ammar Almarzooqi] - Chief Information Security Officer at Abu Dhabi Department of Economic Development.

Ammar will be talking about seamless implementation of security controls. If you're dealing with some elements that are inherently secure, such as an application that cannot be modified, how would you be able to secure your environment? Ammar will be addressing this question and discussing a real case scenario from his organization.

<br/>
Our other presenter is [http://ae.linkedin.com/in/tareknaja Tarek Naja] - Senior Security Consultant.
Tarek will be answering questions about the vulnerability you all heard about recently: Heart Bleed. Tarek specializes in penetration testing, mainly web application and mobile application penetration testing.

----
'''19th of Feb 2014 at 8pm'''
Cafe Rider [http://cafe-rider.com/styled-4/index.html MAP]
Close to Mall of the Emirates
Al Quoz Industrial - Dubai
United Arab Emirates

Topics:
; Managing Web & Application Security with OWASP – bringing it all together
: Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. A journey through different organisational stages and how OWASP tools help organisations moving forward improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation

; Application Security for managers: OWASP CISO Guide and CISO Survey
: The OWASP CISO guide and CISO report 2013. This talk will present two new OWASP projects, the CISO guide and the newly released results of the OWASP CISO Survey report 2013. Their main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide and the results of the CISO Survey. Over the last years, we noticed that application security risks and threats have been on the rise and OWASP has started the CISO survey project to gather intelligence and provide it to CISOs and senior managers in order to improve their security strategies, assess their priorities and learn from their peers about what works best protecting web and application security in organizations across various industries.

Speaker: [http://hk.linkedin.com/in/gondrom Tobias Gondrom]

Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany.

----
'''14th of Dec 2013 at 6-8pm.'''

MAKE Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]
Al Fattan Tower - Dubai
United Arab Emirates
+971 4 392 9216
Speaker: Peter Dowley
Topic: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw?"

Speaker bio : Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----
'''Casual OWASP meetup'''
This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013
Venue: Mina A' Salam Hotel (Madinat Jumeirah)
Web Application Security "Think like a hacker"
Speaker: Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM
Venue: Grand Hayat - Dubai
Web Application Critical Vulnerabilities (OWASP top ten)
Speaker: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM
Venue: The Address Hotel - Dubai Mall
Web Application Critical Vulnerabilities and Threat Modeling
Speaker: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road <br>''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM
Speaker: Amro AlOlaqi
Subject: The Ten Web Application Critical Risks

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:United Arab Emirates]]

Dubai

2014-08-28T06:14:38Z

Michael Hendrickx:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek Naja]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

<br>

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

== Past Events ==
'''27th of August 2014 at 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

Topics:
; OWASP Top 10 A2 - Broken Authentication and session management
: Speaker: Tarek Naja
: Bio: Tarek is the OWASP UAE chapter leader. He is a seasoned security consultant who focuses on penetration testing.

; OWASP Top 10 A3 - Cross site scripting (XSS)
: Speaker: Michael Hendrickx
: Bio: Michael is an experienced IT security professional with strong, deep technical knowledge on wide variety of applications.

----
'''28th of May, 2014. 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

We're honored to have our guest speak [http://ae.linkedin.com/pub/ammar-almarzooqi/30/b11/b86 Ammar Almarzooqi] - Chief Information Security Officer at Abu Dhabi Department of Economic Development.

Ammar will be talking about seamless implementation of security controls. If you're dealing with some elements that are inherently secure, such as an application that cannot be modified, how would you be able to secure your environment? Ammar will be addressing this question and discussing a real case scenario from his organization.

<br/>
Our other presenter is [http://ae.linkedin.com/in/tareknaja Tarek Naja] - Senior Security Consultant.
Tarek will be answering questions about the vulnerability you all heard about recently: Heart Bleed. Tarek specializes in penetration testing, mainly web application and mobile application penetration testing.

----
'''19th of Feb 2014 at 8pm'''
Cafe Rider [http://cafe-rider.com/styled-4/index.html MAP]
Close to Mall of the Emirates
Al Quoz Industrial - Dubai
United Arab Emirates

Topics:
; Managing Web & Application Security with OWASP – bringing it all together
: Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. A journey through different organisational stages and how OWASP tools help organisations moving forward improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation

; Application Security for managers: OWASP CISO Guide and CISO Survey
: The OWASP CISO guide and CISO report 2013. This talk will present two new OWASP projects, the CISO guide and the newly released results of the OWASP CISO Survey report 2013. Their main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISO) to the OWASP Application Security Guide and the results of the CISO Survey. Over the last years, we noticed that application security risks and threats have been on the rise and OWASP has started the CISO survey project to gather intelligence and provide it to CISOs and senior managers in order to improve their security strategies, assess their priorities and learn from their peers about what works best protecting web and application security in organizations across various industries.

Speaker: [http://hk.linkedin.com/in/gondrom Tobias Gondrom]

Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany.

----
'''14th of Dec 2013 at 6-8pm.'''

MAKE Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]
Al Fattan Tower - Dubai
United Arab Emirates
+971 4 392 9216
Speaker: Peter Dowley
Topic: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw?"

Speaker bio : Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----
'''Casual OWASP meetup'''
This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013
Venue: Mina A' Salam Hotel (Madinat Jumeirah)
Web Application Security "Think like a hacker"
Speaker: Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM
Venue: Grand Hayat - Dubai
Web Application Critical Vulnerabilities (OWASP top ten)
Speaker: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM
Venue: The Address Hotel - Dubai Mall
Web Application Critical Vulnerabilities and Threat Modeling
Speaker: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road <br>''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM
Speaker: Amro AlOlaqi
Subject: The Ten Web Application Critical Risks

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:United Arab Emirates]]

Dubai

2014-08-28T05:39:20Z

Michael Hendrickx:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek Naja]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

<br>

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

== Past Events ==
'''27th of August 2014 at 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

Topics:
; OWASP Top 10 A2 - Broken Authentication and session management
: Speaker: Tarek Naja
: Bio: Tarek is the OWASP UAE chapter leader. He is a seasoned security consultant who focuses on penetration testing.

; OWASP Top 10 A3 - Cross site scripting (XSS)
: Speaker: Michael Hendrickx
: Bio: Michael is an experienced IT security professional with strong, deep technical knowledge on wide variety of applications.

----
'''28th of May, 2014. 6:30pm'''
Nakheel Sales Office [https://maps.google.com/maps?q=Nakheel+Sales+Center+-+Al+Sufouh+-+Dubai+-+United+Arab+Emirates&hl=en&ll=25.104759,55.156517&spn=0.038589,0.066047&sll=31.128199,-72.773437&sspn=71.247495,135.263672&oq=Nakheel&dirflg=r&ttype=now&noexp=0&noal=0&sort=def&hq=Nakheel+Sales+Center+-&hnear=Al+Sufouh+-+Dubai+-+United+Arab+Emirates&t=m&z=15 MAP]
Al Sufouh Road,
Jumeirah - Dubai
United Arab Emirates

We're honored to have our guest speak Ammar Almarzooqi - Chief Information Security Officer at Abu Dhabi Department of Economic Development.

Ammar will be talking about seamless implementation of security controls. If you're dealing with some elements that are inherently secure, such as an application that cannot be modified, how would you be able to secure your environment? Ammar will be addressing this question and discussing a real case scenario from his organization.

<br/>
Our other presenter is Tarek Naja - Senior Security Consultant.
Tarek will be answering questions about the vulnerability you all heard about recently: Heart Bleed. Tarek specializes in penetration testing, mainly web application and mobile application penetration testing.

----
'''14th of Dec 2013 at 6-8pm.'''

MAKE Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]
Al Fattan Tower - Dubai
United Arab Emirates
+971 4 392 9216
Speaker: Peter Dowley
Topic: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw?"

Speaker bio : Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----
'''Casual OWASP meetup'''
This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013
Venue: Mina A' Salam Hotel (Madinat Jumeirah)
Web Application Security "Think like a hacker"
Speaker: Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM
Venue: Grand Hayat - Dubai
Web Application Critical Vulnerabilities (OWASP top ten)
Speaker: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM
Venue: The Address Hotel - Dubai Mall
Web Application Critical Vulnerabilities and Threat Modeling
Speaker: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road <br>''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM
Speaker: Amro AlOlaqi
Subject: The Ten Web Application Critical Risks

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:United Arab Emirates]]

Double Free

2014-06-02T19:17:11Z

Michael Hendrickx:

{{Template:Vulnerability}}
{{Template:Fortify}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]

==Description==

Double free errors occur when free() is called more than once with the same memory address as an argument.

Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces. This corruption can cause the program to crash or, in some circumstances, alter the execution flow. By overwriting particular registers or memory spaces, an attacker can trick the program into executing code of his/her own choosing, often resulting in an interactive shell with elevated .

When a buffer is free()'d, a linked list of free buffers is read to rearrange and combine the chunks of free memory (to be able to allocate larger buffers in the future). These chunks are laid out in a double linked list which points to previous and next chunks. Unlinking an unused buffer (which is what happens when free() is called) could allow an attacker to write arbitrary values in memory; essentially overwriting valuable registers, calling shellcode from it's own buffer.

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
* Discuss the technical impact of a successful exploit of this vulnerability
* Consider the likely [business impacts] of a successful attack

==Examples==

The following code shows a simple example of a double free vulnerability.

<pre>
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);
</pre>

Double free vulnerabilities have three common (and sometimes overlapping) causes:

* Error conditions and other exceptional circumstances
* Usage of the memory space after it's freed.
* Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

==Related [[Attacks]]==

* [[Heap_overflow]]
* [[Buffer_overflow_attack]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==
TBD

[[Category:FIXME|add links

In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>

Availability Vulnerability

Authorization Vulnerability

Authentication Vulnerability

Concurrency Vulnerability

Configuration Vulnerability

Cryptographic Vulnerability

Encoding Vulnerability

Error Handling Vulnerability

Input Validation Vulnerability

Logging and Auditing Vulnerability

Session Management Vulnerability]]

__NOTOC__

[[Category:OWASP ASDR Project]]
[[Category:Code Quality Vulnerability]]
[[Category:Implementation]]
[[Category:Code Snippet]]
[[Category:Vulnerability]]

User:Michael Hendrickx

2014-06-02T19:07:23Z

Michael Hendrickx:

I am an Information Security Professional working on projects primarily in Europe and the Middle East. These projects are often security assessments, source code reviews and software development. For the past decade, I've been quite active in Web Application Security Assessments, and in a previous life, I even made a few open source tools.

Double Free

2014-06-02T12:47:28Z

Michael Hendrickx:

{{Template:Vulnerability}}
{{Template:Fortify}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]

==Description==

Double free errors occur when free() is called more than once with the same memory address as an argument.

Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces. This corruption can cause the program to crash or, in some circumstances, alter the execution flow. By overwriting particular registers or memory spaces, an attacker can trick the program into executing code of his/her own choosing.

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
* Discuss the technical impact of a successful exploit of this vulnerability
* Consider the likely [business impacts] of a successful attack

==Examples==

The following code shows a simple example of a double free vulnerability.

<pre>
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);
</pre>

Double free vulnerabilities have two common (and sometimes overlapping) causes:

* Error conditions and other exceptional circumstances
* Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

==Related [[Attacks]]==

* [[Attack 1]]
* [[Attack 2]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==
TBD

[[Category:FIXME|add links

In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>

Availability Vulnerability

Authorization Vulnerability

Authentication Vulnerability

Concurrency Vulnerability

Configuration Vulnerability

Cryptographic Vulnerability

Encoding Vulnerability

Error Handling Vulnerability

Input Validation Vulnerability

Logging and Auditing Vulnerability

Session Management Vulnerability]]

__NOTOC__

[[Category:OWASP ASDR Project]]
[[Category:Code Quality Vulnerability]]
[[Category:Implementation]]
[[Category:Code Snippet]]
[[Category:Vulnerability]]