This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Summit 2011 Working Sessions/Session002"
Sarah Baso (talk | contribs) |
|||
(29 intermediate revisions by 15 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude> | |
− | <includeonly> | ||
|- | |- | ||
− | | summit_session_attendee_name1 = | + | | summit_session_attendee_name1 = John Wilander |
− | | summit_session_attendee_email1 = | + | | summit_session_attendee_email1 = [email protected] |
+ | | summit_session_attendee_username1 = John.wilander | ||
| summit_session_attendee_company1= | | summit_session_attendee_company1= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1= | ||
− | | summit_session_attendee_name2 = | + | | summit_session_attendee_name2 = Michael Coates |
− | | summit_session_attendee_email2 = | + | | summit_session_attendee_email2 = [email protected] |
+ | | summit_session_attendee_username2 = MichaelCoates | ||
| summit_session_attendee_company2= | | summit_session_attendee_company2= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2= | ||
− | | summit_session_attendee_name3 = | + | | summit_session_attendee_name3 = Tony UcedaVelez |
− | | summit_session_attendee_email3 = | + | | summit_session_attendee_email3 = [email protected] |
− | | summit_session_attendee_company3= | + | | summit_session_attendee_username3 = Tony UcedaVelez |
+ | | summit_session_attendee_company3= VerSprite | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3= | ||
− | | summit_session_attendee_name4 = | + | | summit_session_attendee_name4 = Stefano Di Paola |
| summit_session_attendee_email4 = | | summit_session_attendee_email4 = | ||
+ | | summit_session_attendee_username4 = | ||
| summit_session_attendee_company4= | | summit_session_attendee_company4= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4= | ||
− | | summit_session_attendee_name5 = | + | | summit_session_attendee_name5 = Isaac Dawson |
| summit_session_attendee_email5 = | | summit_session_attendee_email5 = | ||
− | | summit_session_attendee_company5= | + | | summit_session_attendee_username5 = |
+ | | summit_session_attendee_company5= Veracode | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5= | ||
− | | summit_session_attendee_name6 = | + | | summit_session_attendee_name6 = Chris Eng |
− | | summit_session_attendee_email6 = | + | | summit_session_attendee_email6 = [email protected] |
− | | summit_session_attendee_company6= | + | | summit_session_attendee_username6= |
+ | | summit_session_attendee_company6= Veracode | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= | ||
− | | summit_session_attendee_name7 = | + | | summit_session_attendee_name7 = Nishi Kumar |
− | | summit_session_attendee_email7 = | + | | summit_session_attendee_email7 = [email protected] |
− | | summit_session_attendee_company7= | + | | summit_session_attendee_username7= |
+ | | summit_session_attendee_company7= FIS | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7= | ||
− | | summit_session_attendee_name8 = | + | | summit_session_attendee_name8 = Elke Roth-Mandutz |
− | | summit_session_attendee_email8 = | + | | summit_session_attendee_email8 = [email protected] |
− | | summit_session_attendee_company8= | + | | summit_session_attendee_username8= |
+ | | summit_session_attendee_company8=GSO-University of Applied Science | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= | ||
− | | summit_session_attendee_name9 = | + | | summit_session_attendee_name9 = Giorgio Fedon |
| summit_session_attendee_email9 = | | summit_session_attendee_email9 = | ||
+ | | summit_session_attendee_username9= gfedon | ||
| summit_session_attendee_company9= | | summit_session_attendee_company9= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9= | ||
− | | summit_session_attendee_name10 = | + | | summit_session_attendee_name10 = Paolo Perego |
− | | summit_session_attendee_email10 = | + | | summit_session_attendee_email10 = [email protected] |
− | | summit_session_attendee_company10= | + | | summit_session_attendee_username10= thesp0nge |
+ | | summit_session_attendee_company10= Armoredcode.com | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10= | ||
− | | summit_session_attendee_name11 = | + | | summit_session_attendee_name11 = Eduardo Vela |
− | | summit_session_attendee_email11 = | + | | summit_session_attendee_email11 = [email protected] |
− | | summit_session_attendee_company11= | + | | summit_session_attendee_username11= EduardoVela |
+ | | summit_session_attendee_company11= Google | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11= | ||
− | | summit_session_attendee_name12 = | + | | summit_session_attendee_name12 = Abraham Kang |
− | | summit_session_attendee_email12 = | + | | summit_session_attendee_email12 = [email protected] |
− | | summit_session_attendee_company12= | + | | summit_session_attendee_username12= Abraham Kang |
+ | | summit_session_attendee_company12 = | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12= | ||
− | | summit_session_attendee_name13 = | + | | summit_session_attendee_name13 = Nuno Loureiro |
− | | summit_session_attendee_email13 = | + | | summit_session_attendee_email13 = [email protected] |
− | | summit_session_attendee_company13= | + | | summit_session_attendee_username13 = |
+ | | summit_session_attendee_company13= SAPO | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13= | ||
− | | summit_session_attendee_name14 = | + | | summit_session_attendee_name14 = Alexandre Miguel Aniceto |
− | | summit_session_attendee_email14 = | + | | summit_session_attendee_email14 = [email protected] |
− | | summit_session_attendee_company14= | + | | summit_session_attendee_username14= Alexandre Miguel Aniceto |
+ | | summit_session_attendee_company14= Willway | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= | ||
| summit_session_attendee_name15 = | | summit_session_attendee_name15 = | ||
| summit_session_attendee_email15 = | | summit_session_attendee_email15 = | ||
+ | | summit_session_attendee_username15= | ||
| summit_session_attendee_company15= | | summit_session_attendee_company15= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15= | ||
Line 80: | Line 94: | ||
| summit_session_attendee_name16 = | | summit_session_attendee_name16 = | ||
| summit_session_attendee_email16 = | | summit_session_attendee_email16 = | ||
+ | | summit_session_attendee_username16= | ||
| summit_session_attendee_company16= | | summit_session_attendee_company16= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16= | ||
Line 85: | Line 100: | ||
| summit_session_attendee_name17 = | | summit_session_attendee_name17 = | ||
| summit_session_attendee_email17 = | | summit_session_attendee_email17 = | ||
+ | | summit_session_attendee_username17= | ||
| summit_session_attendee_company17= | | summit_session_attendee_company17= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17= | ||
Line 90: | Line 106: | ||
| summit_session_attendee_name18 = | | summit_session_attendee_name18 = | ||
| summit_session_attendee_email18 = | | summit_session_attendee_email18 = | ||
+ | | summit_session_attendee_username18= | ||
| summit_session_attendee_company18= | | summit_session_attendee_company18= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18= | ||
Line 95: | Line 112: | ||
| summit_session_attendee_name19 = | | summit_session_attendee_name19 = | ||
| summit_session_attendee_email19 = | | summit_session_attendee_email19 = | ||
+ | | summit_session_attendee_username19= | ||
| summit_session_attendee_company19= | | summit_session_attendee_company19= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19= | ||
Line 100: | Line 118: | ||
| summit_session_attendee_name20 = | | summit_session_attendee_name20 = | ||
| summit_session_attendee_email20 = | | summit_session_attendee_email20 = | ||
+ | | summit_session_attendee_username20= | ||
| summit_session_attendee_company20= | | summit_session_attendee_company20= | ||
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20= | | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20= | ||
|- | |- | ||
− | | summit_session_name = | + | | summit_track_logo = [[Image:T._browser_security.jpg]] |
+ | | summit_ws_logo = [[Image:WS._browser_security.jpg]] | ||
+ | | summit_session_name = HTML5 Security | ||
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002 | | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002 | ||
− | | mailing_list = | + | | mailing_list = https://groups.google.com/group/owasp-summit-browsersec |
|- | |- | ||
− | | short_working_session_description= | + | | short_working_session_description= |
− | |||
|- | |- | ||
− | | related_project_name1 = | + | | related_project_name1 = Browser Security Track - main page |
− | | related_project_url_1 = | + | | related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track |
− | | related_project_name2 = | + | | related_project_name2 = Google Group for the Browser Security Track |
− | | related_project_url_2 = | + | | related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec |
| related_project_name3 = | | related_project_name3 = | ||
Line 130: | Line 150: | ||
|- | |- | ||
− | | summit_session_objective_name1= | + | | summit_session_objective_name1= '''Handle autofocus in a unified and secure way'''.<noinclude> Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.</noinclude> |
− | | summit_session_objective_name2 = | + | | summit_session_objective_name2 = '''Discuss necessity and capability for the HTML5 form controls'''.<noinclude> Do we need a non-SOP formaction attribute and why? </noinclude> |
− | | summit_session_objective_name3 = | + | | summit_session_objective_name3 = <noinclude>'''Goal I''':</noinclude> Initiate and create documentation and references for developers that address security issues. <noinclude>Html5sec.org is a start but impossible to continue or extend large scale without vendor help</noinclude> |
− | | summit_session_objective_name4 = | + | | summit_session_objective_name4 = <noinclude>'''Goal II''':</noinclude>Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. <noinclude>Mainly Opera and Mozilla are addressed here.</noinclude> |
− | |||
− | |||
+ | | summit_session_objective_name5 = '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. <noinclude>Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade.</noinclude> | ||
|- | |- | ||
− | | working_session_date_and_time = | + | | working_session_date_and_time = Tuesday, 09 February <br> Time: TBA |
|- | |- | ||
− | | discussion_model = | + | | discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups. |
|- | |- | ||
Line 154: | Line 173: | ||
|- | |- | ||
− | | working_session_additional_details = | + | | working_session_additional_details = <br> |
+ | |||
+ | [[Image:Html5_mario_hackvertor.jpg]] | ||
+ | |||
+ | ===Co-chair Mario Heiderich=== | ||
+ | Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS. | ||
+ | |||
+ | ===Co-chair Gareth Heyes=== | ||
+ | Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS. | ||
|- | |- | ||
− | |summit_session_deliverable_name1 = | + | |summit_session_deliverable_name1 = Browser Security Report |
|summit_session_deliverable_url_1 = | |summit_session_deliverable_url_1 = | ||
− | |summit_session_deliverable_name2 = | + | |summit_session_deliverable_name2 = Browser Security Priority Report |
|summit_session_deliverable_url_2 = | |summit_session_deliverable_url_2 = | ||
Line 172: | Line 199: | ||
|summit_session_deliverable_name5 = | |summit_session_deliverable_name5 = | ||
|summit_session_deliverable_url_5 = | |summit_session_deliverable_url_5 = | ||
+ | |||
+ | |summit_session_deliverable_name6 = | ||
+ | |summit_session_deliverable_url_6 = | ||
+ | |||
+ | |summit_session_deliverable_name7 = | ||
+ | |summit_session_deliverable_url_7 = | ||
+ | |||
+ | |summit_session_deliverable_name8 = | ||
+ | |summit_session_deliverable_url_8 = | ||
|- | |- | ||
− | | summit_session_leader_name1 = | + | | summit_session_leader_name1 = Mario Heiderich |
| summit_session_leader_email1 = | | summit_session_leader_email1 = | ||
+ | | summit_session_leader_username1 = | ||
− | | summit_session_leader_name2 = | + | | summit_session_leader_name2 = Gareth Heyes |
− | | summit_session_leader_email2 = | + | | summit_session_leader_email2 = [email protected] |
+ | | summit_session_leader_username2 = Gareth Heyes | ||
− | | summit_session_leader_name3 = | + | | summit_session_leader_name3 = |
| summit_session_leader_email3 = | | summit_session_leader_email3 = | ||
+ | | summit_session_leader_username3 = | ||
|- | |- | ||
− | | operational_leader_name1 = | + | | operational_leader_name1 = John Wilander |
− | | operational_leader_email1 = | + | | operational_leader_email1 = [email protected] |
− | + | | operational_leader_username1 = John.wilander | |
|- | |- | ||
− | |||
| meeting_notes = | | meeting_notes = | ||
− | |||
|- | |- | ||
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session002 | | session_name_mask = <!--Please replace DO NOT EDIT this string --> Session002 | ||
− | | session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session002 | + | | session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session002 |
}} | }} | ||
+ | </includeonly> |
Latest revision as of 23:59, 7 February 2011
Global Summit 2011 Home Page
Global Summit 2011 Tracks
HTML5 Security | ||||||
---|---|---|---|---|---|---|
Please see/use the 'discussion' page for more details about this Working Session | ||||||
Working Sessions Operational Rules - Please see here the general frame of rules. |
WORKING SESSION IDENTIFICATION | ||||||
---|---|---|---|---|---|---|
Short Work Session Description | | |||||
Related Projects (if any) |
| |||||
Email Contacts & Roles | Chair Mario Heiderich Gareth Heyes @ |
Operational Manager John Wilander @ |
Mailing list https://groups.google.com/group/owasp-summit-browsersec |
WORKING SESSION SPECIFICS | ||||||
---|---|---|---|---|---|---|
Objectives |
| |||||
Venue/Date&Time/Model | Venue/Room OWASP Global Summit Portugal 2011 |
Date & Time Tuesday, 09 February Time: TBA
|
Discussion Model The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups. |
|
---|
WORKING SESSION OPERATIONAL RESOURCES | ||||||
---|---|---|---|---|---|---|
Projector, whiteboards, markers, Internet connectivity, power |
|
---|
WORKING SESSION ADDITIONAL DETAILS | ||||||
---|---|---|---|---|---|---|
Co-chair Mario HeiderichMario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS. Co-chair Gareth HeyesGareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind JSReg – a Javascript sandbox which converts code using regular expressions; HTMLReg & CSSReg – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS. |
WORKING SESSION OUTCOMES / DELIVERABLES | ||
---|---|---|
Proposed by Working Group | Approved by OWASP Board | |
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. | ||
After the Board Meeting - fill in here. |
Working Session Participants
(Add you name by clicking "edit" on the tab on the upper left side of this page)
WORKING SESSION PARTICIPANTS | ||||||
---|---|---|---|---|---|---|
Name | Company | Notes & reason for participating, issues to be discussed/addressed | ||||
John Wilander @ |
|
| ||||
Michael Coates @ |
| |||||
Tony UcedaVelez @ |
VerSprite |
| ||||
Stefano Di Paola |
| |||||
Isaac Dawson |
Veracode |
| ||||
Chris Eng @ |
Veracode |
| ||||
Nishi Kumar @ |
FIS |
| ||||
Elke Roth-Mandutz @ |
GSO-University of Applied Science |
| ||||
Giorgio Fedon |
| |||||
Paolo Perego @ |
Armoredcode.com |
| ||||
Eduardo Vela @ |
Google |
| ||||
Abraham Kang @ |
| |||||
Nuno Loureiro @ |
SAPO |
| ||||
Alexandre Miguel Aniceto @ |
Willway |
| ||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
| |||||
|
|
</includeonly>