OWASP AU Conference 2009 Presentations - Revision history

Adish at 17:23, 27 February 2009

2009-02-27T17:23:38Z

AlexK at 04:57, 9 February 2009

2009-02-09T04:57:00Z

Bergo: /* Peter Frieberg */ - updated surname to correct spelling.

2009-02-02T04:55:35Z

‎Peter Frieberg: - updated surname to correct spelling.

Jderry: /* Ann Marie Westgate */

2009-01-20T23:08:01Z

‎Ann Marie Westgate

Jderry: /* Christian Heinrich */

2009-01-16T01:53:31Z

‎Christian Heinrich

Jderry: /* Malathi Carthigaser */

2009-01-14T17:21:52Z

‎Malathi Carthigaser

Jderry at 03:48, 11 January 2009

2009-01-11T03:48:40Z

Jderry at 03:47, 11 January 2009

2009-01-11T03:47:13Z

Jderry at 03:12, 11 January 2009

2009-01-11T03:12:22Z

Jderry at 03:09, 11 January 2009

2009-01-11T03:09:36Z

← Older revision		Revision as of 17:23, 27 February 2009
Line 243:		Line 243:

	Alex Kouzemtchenko has been an active member of the web application security research community for the past several years, publishing several papers and has presented his findings at several conferences such as Bluehat, the Chaos Communications Congress, RUXCON, Power of Community and XCon. Alex is the R&D Team Lead at SIFT where he gets paid to find new ways to break things and apply that work to consulting engagements.		Alex Kouzemtchenko has been an active member of the web application security research community for the past several years, publishing several papers and has presented his findings at several conferences such as Bluehat, the Chaos Communications Congress, RUXCON, Power of Community and XCon. Alex is the R&D Team Lead at SIFT where he gets paid to find new ways to break things and apply that work to consulting engagements.
		+
		+	== Adi Sharabani ==
		+	'''Active Man in the Middle Attacks'''
		+
		+	We've all known for a long time that using a public wireless network is risky. We all think twice before logging into our bank account or accessing any kind of sensitive information. But what about simply reading the news on our favorite news site?
		+	In this presentation, we will show how using a public network can expose you to practically any web-related client-side security issue on any domain, no matter how careful you think you're being. These issues range from XSS on any domain, through XSRF, to leaking of browser data and more.
		+
		+	We will show how the currently known best practices, which are supposed to keep you from harm when reading a blog in the neighborhood coffee shop, may be overcome. We'll demonstrate how such best practices are only useful against what we call "Passive" attacks, which are passively gathering data from the network. We will introduce a new type of attack coined "Active attacks", and see how they easily work around a careful user's attempt to browse responsibly in a public network. We will demonstrate how these attacks can steal information from past browsing activities. and how they can monitor your future browsing, inside the safetey of your home and your organization's networks.
		+
		+	* More information on these attacks can be found on the [http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html Watchfire's blog]
		+
		+	Bio:
		+
		+	Adi Sharabani manages the IBM Rational Application Security Research Group, responsible for product and industry research activities that pertain to Web application security. Adi joined IBM through the acquisition of Watchfire, a market leader in web application security testing. Prior to security research, Adi was a senior software developer on the AppScan team responsible for the invention and development of many of its key features.

← Older revision		Revision as of 04:57, 9 February 2009
Line 222:		Line 222:

	On the long term Browser Rider aims at becoming a complete solution to execute, develop and test browser based attacks for security consultants.		On the long term Browser Rider aims at becoming a complete solution to execute, develop and test browser based attacks for security consultants.
		+
		+	== Paul Theriault ==
		+	'''Plug-in Purgatory'''
		+
		+	Browser plug-ins allow web developers to embed content in web pages which is otherwise unsupported by the browser. This additional content requires additional system resources and sometimes extended system privileges in order to run. Most plug-ins are expected to release these resources once a page has been unloaded, but as will be discussed in this presentation, bugs and unexpected side-effects in the implementation of these plug-ins may allow an attacker to develop content which does not get unloaded as intended. As a result, an attacker is able to execute attacks ranging from simple abuse of system resources, to persistent bi-directional command and control channels.
		+	This talk will discuss several approaches to this attack, and also examine the susceptibility to these attacks in common browser plug-ins.
		+
		+	Bio
		+
		+	Paul Theriault is a Senior Consultant with SIFT, and has extensive experience in both technical and policy areas of IT security ranging from application code review and testing, to business-wide risk assessment and management. With a background in web development, Paul's security research interests are centered on all things web - browsers, bytecode and everything in between.
		+
		+	== Alex Kouzemtchenko ==
		+	'''Examining and Bypassing the IE8 XSS Filter'''
		+
		+	Even with continued focus on XSS vulnerabilities, they are clearly not going away, and the issues are not being properly solved by even the safest frameworks, such as .NET. As such Microsoft has implemented defence-in-depth client-side protections inside Internet Explorer 8 in the form of the XSS Filter to make exploitation of these vulnerabilities either harder or impossible.
		+
		+	This talk will examine the specific situations that the XSS Filter tries to protect users in, the scenarios where it does not prevent attacks, several bypass techniques for these filters and ways in which the XSS Filter's functionality can be abused to help perform attacks, such as Clickjacking or even XSS.
		+
		+	Bio:
		+
		+	Alex Kouzemtchenko has been an active member of the web application security research community for the past several years, publishing several papers and has presented his findings at several conferences such as Bluehat, the Chaos Communications Congress, RUXCON, Power of Community and XCon. Alex is the R&D Team Lead at SIFT where he gets paid to find new ways to break things and apply that work to consulting engagements.

@@ Line 98: / Line 98: @@
 Sumit Siddharth (sid) works as a senior IT security consultant for Portcullis Computer Security Ltd in U.K. Sid has authored a number of articles, advisories, white papers over the years and has been a speaker at a number of IT security conferences. He also owns the popular IT security blog www.notsosecure.com.
-== Peter Frieberg ==
+== Peter Freiberg ==
 '''Determining attack surface and creating security test cases through observing business testing'''

@@ Line 89: / Line 89: @@
 Kai is part of E&Y Global Information Security group, and is responsible for reviewing and advising security matters for a wide range of applications and information systems consumed by E&Y.  Prior to GIS, Kai was a member of the E&Y Advanced Security Center, performing web application, internet, intranet tests for EY's Fortune 500 clients.  Kai's primary areas of interest are web application security and VOIP research and tool development.  Prior to E&Y, Kai worked at CIGNA as a CIRT member.
-== Ann Marie Westgate ==
+== Sumit Siddharth  ==
-''' Web Application Security and the PA-DSS '''
+''' Recent Advancements in SQL Injection Exploitation Techniques '''
-The Payment Card Industry's (PCI) Payment Application Data Security Standards (PA-DSS) version 1.2 was released in November 2008, and has implications for every payment application vendor whose product is sold, distributed, or licensed without customization for a specific client.
+This talk will cover different variants of SQL Injections and will demonstrate a variety of exploitation techniques. Starting with the very basics, the talk will progress to more complex scenarios and will discuss exploiting SQL injections which seem to be un-exploitable. The talk will have a number of demonstrations including the scenarios where this vulnerability goes undetected even by the most popular commercial scanners costing $$. Along the way, a number of freely available tools for exploiting SQL Injections will be discussed along with their pros and cons.
-This discussion will begin with a brief description of the PA-DSS and the differences between PA and PCI. We will then provide a soft introduction to the payment application audit procedures and will match PA requirements to each phase of the software development lifecycle. Since the audit procedures are written for the PA-QSA and not the subject of audit, it can be daunting to the application vendor. Instead we will present most of the requirements listed in the PA-DSS relative to the following stages:
- Project Initiation and Planning
+'''About the Speaker:'''
- Definition and Design
- Development
+Sumit Siddharth (sid) works as a senior IT security consultant for Portcullis Computer Security Ltd in U.K. Sid has authored a number of articles, advisories, white papers over the years and has been a speaker at a number of IT security conferences. He also owns the popular IT security blog www.notsosecure.com.
 == Peter Frieberg ==

@@ Line 15: / Line 15: @@
 '''TCP Input Text & Download Indexed Cache'''
-To be provided.
+Two Proof of Concept (PoC) will be demonstrated that implement the Google SOAP Search API to support the "reconnaissance" phase of a Penetration Test:
 == Andrew Vanderstock ==

@@ Line 191: / Line 191: @@
 '''STRAW - A security Threat & Risk Assessment Methodology for Web Applications'''
-To Be Provided.
+Myriad threat and risk assessment methodologies exist, but few that are considered suitable for adequately communicating the risks associated with web applications. In this presentation, a new methodology, the STRAW model will be outlined, that is consistent with current models (such as OWASP Risk Rating Methodology, AS 4360, STRIDE/DREAD etc.), but which extends upon them to provide the following benefits:
 == Benjamin Mossé ==

← Older revision		Revision as of 03:48, 11 January 2009
Line 192:		Line 192:

	To Be Provided.		To Be Provided.
		+
		+	== Benjamin Mossé ==
		+	'''Browser Rider: what you never expected your browser could do to you'''
		+
		+	Browser exploitation is in fashion but it doesn't seem that there's a popular tool to build and run attacks. Browser Rider will try to fill the gap by providing a framework to build, deploy and manage payloads that exploit the browser. This project aims on the long term to provide a powerful, simple and flexible interface to any client side attack for hackers.
		+
		+	Proposal
		+
		+	Browser security has become one of the most discussed subjects. This is mainly due to two things: First, nowadays malwares are not spread over emails any longer but through web application often using JavaScript obfuscation to avoid anti-virus detection. Second as the web is growing new technologies are constantly appearing to enhance the user experience but also offering many new attack vectors. In both cases it is important to understand that the browser offers an easy mechanism for bypassing firewalls and other perimeter security to gain unauthorised access or commit other security breach.
		+
		+	From a security consultant point of view it can be hard to justify the risk of vulnerabilities that affect the browser such as cross-site scripting, cross-site request forgery and unauthorized redirection vulnerabilities as they do not impact directly the server or the database.
		+
		+	Browser rider is a security tool to exploit browser vulnerabilities. It offers several existing payloads but also provides a complete programming framework to develop exploits. It also acts as a management system to deploy your attacks and control the infected browsers.
		+
		+	The first part of this presentation will introduce the audience to the tool and demonstrate many attacks that can be ported to the browser using the Browser Rider. The second part will technically explain how the tool works (i.e. obfuscation, signature detection avoidance, polymorphism, program architecture, framework), how to write your own exploits with it and deploy them.
		+
		+	On the long term Browser Rider aims at becoming a complete solution to execute, develop and test browser based attacks for security consultants.

← Older revision		Revision as of 03:47, 11 January 2009
Line 187:		Line 187:
	of threats, targeted and opportunistic attacks, pathways, data compromises, discover methods,		of threats, targeted and opportunistic attacks, pathways, data compromises, discover methods,
	anti-forensics, and unknown unknowns.		anti-forensics, and unknown unknowns.
		+
		+	== Malathi Carthigaser ==
		+	'''STRAW - A security Threat & Risk Assessment Methodology for Web Applications'''
		+
		+	To Be Provided.

← Older revision		Revision as of 03:12, 11 January 2009
Line 155:		Line 155:

	The information provided will assist attendees in the decision between roll-your-own, WAF appliance or full scale code re-write.		The information provided will assist attendees in the decision between roll-your-own, WAF appliance or full scale code re-write.
		+
		+	== Mark Goudie ==
		+	'''An Insight into the World of Computer Forensics'''
		+
		+	Security breaches and the compromise of sensitive information are a very real concern for
		+	organisations worldwide. When such incidents occur, rapid response is critical. The damage
		+	must be contained quickly, customer data protected, the root cause found and remedied, and an
		+	accurate record of events and losses produced for authorities.
		+	Furthermore, the investigation process must collect this evidence without adversely affecting the
		+	integrity of the information assets involved in the crime.
		+	The Data Breach Investigations Report – a study that integrates a vast amount of factual
		+	evidence from forensic investigations over the last four years – provides a unique insight into
		+	the world of computer forensics.
		+	The Report is unique in that it offers an objective, first-hand view of data breaches directly from
		+	casebooks, which represent a large proportion of total known compromised records during 2006
		+	and 2007, including three of the five largest data breaches ever reported. Industry sectors
		+	covered include Financial Services; Food and Beverage; Retail; and Technology.
		+	The expansive statistical data set generated through activities including litigation support, ediscovery,
		+	expert witness testimony, chain-of-custody, mock-incident training, and incident
		+	response program development offers an interesting glimpse into the trends surrounding
		+	computer crime and data compromise.
		+	In a finding that may surprise some, the study found that most data breaches were caused by
		+	external sources (73%). Breaches attributed to insiders (18%), though fewer in number, were
		+	much larger than those caused by outsiders when they did occur.
		+	Notably, at the commencement of the study, the main avenue of attack was the network or
		+	operating system. However over time, the typical attack vector has moved up the stack to the
		+	application layer.
		+	And Asia Pacific is becoming a “hot” region for both the source and victim for the data breach,
		+	with the vast majority of these cases involving software failure at some level.
		+	Key points to be covered in the presentation include demographics, data breach sources, types
		+	of threats, targeted and opportunistic attacks, pathways, data compromises, discover methods,
		+	anti-forensics, and unknown unknowns.

← Older revision		Revision as of 03:09, 11 January 2009
Line 146:		Line 146:

	The second part of the paper calls for a collaborative effort from the Developers, Testers, Marketing people and users. The paper also suggests that Web application Security should be an intrinsic factor of the Design, Development & Testing phases. The importance of Decision makers to understand, support and promote the web application security is discussed. The theme of “Securing Web applications – Passion, Art and Character” is advocated.		The second part of the paper calls for a collaborative effort from the Developers, Testers, Marketing people and users. The paper also suggests that Web application Security should be an intrinsic factor of the Design, Development & Testing phases. The importance of Decision makers to understand, support and promote the web application security is discussed. The theme of “Securing Web applications – Passion, Art and Character” is advocated.
		+
		+	== Drew Ames ==
		+	'''Improving Application Security using pre-processing input filters – a case study'''
		+
		+	Recently, CQR Consulting were engaged to assist one of our customers who was having significant difficulties due to compromise through their published web applications. A review of their code and development practices showed that the quickest and most efficient way to prevent multiple attacks was through the implementation of a pre-processing validation filter.
		+
		+	This presentation will discuss the issues, approach and results of the development effort in creating a pre-processing validation filter. It will present the risks which can be mitigated in such a way and others which need further controls to successfully manage.
		+
		+	The information provided will assist attendees in the decision between roll-your-own, WAF appliance or full scale code re-write.