This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011 Working Sessions/Session002"

From OWASP
Jump to: navigation, search
 
(27 intermediate revisions by 15 users not shown)
Line 1: Line 1:
<noinclude>{{:Category:Summit_2011_Browser_Security_Track}}</noinclude>
+
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
<includeonly>{{Template:{{{1}}}
 
 
|-
 
|-
  
| summit_session_attendee_name1 =  
+
| summit_session_attendee_name1 = John Wilander
| summit_session_attendee_email1 =  
+
| summit_session_attendee_email1 = [email protected]
 +
| summit_session_attendee_username1 = John.wilander
 
| summit_session_attendee_company1=
 
| summit_session_attendee_company1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
  
| summit_session_attendee_name2 =  
+
| summit_session_attendee_name2 = Michael Coates
| summit_session_attendee_email2 =  
+
| summit_session_attendee_email2 = [email protected]
 +
| summit_session_attendee_username2 = MichaelCoates
 
| summit_session_attendee_company2=
 
| summit_session_attendee_company2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
  
| summit_session_attendee_name3 =  
+
| summit_session_attendee_name3 = Tony UcedaVelez
| summit_session_attendee_email3 =  
+
| summit_session_attendee_email3 = [email protected]
| summit_session_attendee_company3=
+
| summit_session_attendee_username3 = Tony UcedaVelez
 +
| summit_session_attendee_company3= VerSprite
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
  
| summit_session_attendee_name4 =  
+
| summit_session_attendee_name4 = Stefano Di Paola
 
| summit_session_attendee_email4 =  
 
| summit_session_attendee_email4 =  
 +
| summit_session_attendee_username4 =
 
| summit_session_attendee_company4=
 
| summit_session_attendee_company4=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
  
| summit_session_attendee_name5 =  
+
| summit_session_attendee_name5 = Isaac Dawson
 
| summit_session_attendee_email5 =  
 
| summit_session_attendee_email5 =  
| summit_session_attendee_company5=
+
| summit_session_attendee_username5 =
 +
| summit_session_attendee_company5= Veracode
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
  
| summit_session_attendee_name6 =  
+
| summit_session_attendee_name6 = Chris Eng
| summit_session_attendee_email6 =  
+
| summit_session_attendee_email6 = [email protected]
| summit_session_attendee_company6=
+
| summit_session_attendee_username6=  
 +
| summit_session_attendee_company6= Veracode
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
  
| summit_session_attendee_name7 =  
+
| summit_session_attendee_name7 = Nishi Kumar
| summit_session_attendee_email7 =  
+
| summit_session_attendee_email7 = [email protected]
| summit_session_attendee_company7=
+
| summit_session_attendee_username7=  
 +
| summit_session_attendee_company7= FIS
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
  
| summit_session_attendee_name8 =  
+
| summit_session_attendee_name8 = Elke Roth-Mandutz
| summit_session_attendee_email8 =  
+
| summit_session_attendee_email8 = [email protected]
| summit_session_attendee_company8=
+
| summit_session_attendee_username8=  
 +
| summit_session_attendee_company8=GSO-University of Applied Science
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
  
| summit_session_attendee_name9 =  
+
| summit_session_attendee_name9 = Giorgio Fedon
 
| summit_session_attendee_email9 =  
 
| summit_session_attendee_email9 =  
 +
| summit_session_attendee_username9= gfedon
 
| summit_session_attendee_company9=
 
| summit_session_attendee_company9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
  
| summit_session_attendee_name10 =  
+
| summit_session_attendee_name10 = Paolo Perego
| summit_session_attendee_email10 =  
+
| summit_session_attendee_email10 = [email protected]
| summit_session_attendee_company10=
+
| summit_session_attendee_username10= thesp0nge
 +
| summit_session_attendee_company10= Armoredcode.com
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
  
| summit_session_attendee_name11 =  
+
| summit_session_attendee_name11 = Eduardo Vela
| summit_session_attendee_email11 =  
+
| summit_session_attendee_email11 = [email protected]
| summit_session_attendee_company11=
+
| summit_session_attendee_username11= EduardoVela
 +
| summit_session_attendee_company11= Google
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
  
| summit_session_attendee_name12 =  
+
| summit_session_attendee_name12 = Abraham Kang
| summit_session_attendee_email12 =  
+
| summit_session_attendee_email12 = [email protected]
| summit_session_attendee_company12=
+
| summit_session_attendee_username12= Abraham Kang
 +
| summit_session_attendee_company12 =
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
  
| summit_session_attendee_name13 =  
+
| summit_session_attendee_name13 = Nuno Loureiro
| summit_session_attendee_email13 =  
+
| summit_session_attendee_email13 = [email protected]
| summit_session_attendee_company13=
+
| summit_session_attendee_username13 =  
 +
| summit_session_attendee_company13= SAPO
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
  
| summit_session_attendee_name14 =  
+
| summit_session_attendee_name14 = Alexandre Miguel Aniceto
| summit_session_attendee_email14 =  
+
| summit_session_attendee_email14 = [email protected]
| summit_session_attendee_company14=
+
| summit_session_attendee_username14= Alexandre Miguel Aniceto
 +
| summit_session_attendee_company14= Willway
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_email15 =  
 
| summit_session_attendee_email15 =  
 +
| summit_session_attendee_username15=
 
| summit_session_attendee_company15=
 
| summit_session_attendee_company15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
Line 80: Line 94:
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_email16 =  
 
| summit_session_attendee_email16 =  
 +
| summit_session_attendee_username16=
 
| summit_session_attendee_company16=
 
| summit_session_attendee_company16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
Line 85: Line 100:
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_email17 =  
 
| summit_session_attendee_email17 =  
 +
| summit_session_attendee_username17=
 
| summit_session_attendee_company17=
 
| summit_session_attendee_company17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
Line 90: Line 106:
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_email18 =  
 
| summit_session_attendee_email18 =  
 +
| summit_session_attendee_username18=
 
| summit_session_attendee_company18=
 
| summit_session_attendee_company18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
Line 95: Line 112:
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_email19 =  
 
| summit_session_attendee_email19 =  
 +
| summit_session_attendee_username19=
 
| summit_session_attendee_company19=
 
| summit_session_attendee_company19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
Line 100: Line 118:
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_email20 =  
 
| summit_session_attendee_email20 =  
 +
| summit_session_attendee_username20=
 
| summit_session_attendee_company20=
 
| summit_session_attendee_company20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
  
 
|-
 
|-
| summit_session_name = Sandboxing
+
| summit_track_logo = [[Image:T._browser_security.jpg]]
 +
| summit_ws_logo = [[Image:WS._browser_security.jpg]]
 +
| summit_session_name = HTML5 Security
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002
| mailing_list =
+
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec
 
|-
 
|-
  
| short_working_session_description= Is sandboxing the right way forward? Can sandboxing be harmonized with the origin policies for cookies, scripting, and ajax - i.e. share the same compartmentalization? How should we apply sandboxing to plugins
+
| short_working_session_description=  
 
 
 
|-
 
|-
  
| related_project_name1 =  
+
| related_project_name1 = Browser Security Track - main page
| related_project_url_1 =  
+
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track
  
| related_project_name2 =  
+
| related_project_name2 = Google Group for the Browser Security Track
| related_project_url_2 =  
+
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec
  
 
| related_project_name3 =  
 
| related_project_name3 =  
Line 130: Line 150:
 
|-
 
|-
  
| summit_session_objective_name1=  
+
| summit_session_objective_name1= '''Handle autofocus in a unified and secure way'''.<noinclude> Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.</noinclude>
  
| summit_session_objective_name2 =  
+
| summit_session_objective_name2 = '''Discuss necessity and capability for the HTML5 form controls'''.<noinclude> Do we need a non-SOP formaction attribute and why? </noinclude>
  
| summit_session_objective_name3 =  
+
| summit_session_objective_name3 = <noinclude>'''Goal I''':</noinclude>  Initiate and create documentation and references for developers that address security issues. <noinclude>Html5sec.org is a start but impossible to continue or extend large scale without vendor help</noinclude>
  
| summit_session_objective_name4 =  
+
| summit_session_objective_name4 = <noinclude>'''Goal II''':</noinclude>Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. <noinclude>Mainly Opera and Mozilla are addressed here.</noinclude>
 
 
| summit_session_objective_name5 = 
 
  
 +
| summit_session_objective_name5 =  '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. <noinclude>Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade.</noinclude>
 
|-
 
|-
  
| working_session_date_and_time =  
+
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA
  
 
|-
 
|-
  
| discussion_model = participants and attendees
+
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.
  
 
|-
 
|-
Line 154: Line 173:
 
|-
 
|-
  
| working_session_additional_details =  
+
| working_session_additional_details = <br>
 +
 
 +
[[Image:Html5_mario_hackvertor.jpg‎‎]]
 +
 
 +
===Co-chair Mario Heiderich===
 +
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.
 +
 
 +
===Co-chair Gareth Heyes===
 +
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.
  
 
|-
 
|-
  
|summit_session_deliverable_name1 =  
+
|summit_session_deliverable_name1 = Browser Security Report
 
|summit_session_deliverable_url_1 =  
 
|summit_session_deliverable_url_1 =  
  
|summit_session_deliverable_name2 =  
+
|summit_session_deliverable_name2 = Browser Security Priority Report
 
|summit_session_deliverable_url_2 =  
 
|summit_session_deliverable_url_2 =  
  
Line 172: Line 199:
 
|summit_session_deliverable_name5 =  
 
|summit_session_deliverable_name5 =  
 
|summit_session_deliverable_url_5 =  
 
|summit_session_deliverable_url_5 =  
 +
 +
|summit_session_deliverable_name6 =
 +
|summit_session_deliverable_url_6 =
 +
 +
|summit_session_deliverable_name7 =
 +
|summit_session_deliverable_url_7 =
 +
 +
|summit_session_deliverable_name8 =
 +
|summit_session_deliverable_url_8 =
  
 
|-
 
|-
  
| summit_session_leader_name1 =  
+
| summit_session_leader_name1 = Mario Heiderich
 
| summit_session_leader_email1 =  
 
| summit_session_leader_email1 =  
 +
| summit_session_leader_username1 =
  
| summit_session_leader_name2 =  
+
| summit_session_leader_name2 = Gareth Heyes
| summit_session_leader_email2 =  
+
| summit_session_leader_email2 = [email protected]
 +
| summit_session_leader_username2 = Gareth Heyes
  
| summit_session_leader_name3 =  
+
| summit_session_leader_name3 =
 
| summit_session_leader_email3 =  
 
| summit_session_leader_email3 =  
 +
| summit_session_leader_username3 =
  
 
|-
 
|-
  
| operational_leader_name1 =
+
| operational_leader_name1 = John Wilander
| operational_leader_email1 =
+
| operational_leader_email1 = [email protected]
 
+
| operational_leader_username1 = John.wilander
  
 
|-
 
|-
 
 
| meeting_notes =  
 
| meeting_notes =  
 
 
|-
 
|-
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session002
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session002
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session002  
+
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session002
 
}}
 
}}
 +
</includeonly>

Latest revision as of 23:59, 7 February 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. browser security.jpg HTML5 Security
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description
Related Projects (if any)


Email Contacts & Roles Chair
Mario Heiderich
Gareth Heyes @
Operational Manager
John Wilander @
Mailing list
https://groups.google.com/group/owasp-summit-browsersec
WORKING SESSION SPECIFICS
Objectives
  1. Handle autofocus in a unified and secure way. Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.
  2. Discuss necessity and capability for the HTML5 form controls. Do we need a non-SOP formaction attribute and why?
  3. Goal I: Initiate and create documentation and references for developers that address security issues. Html5sec.org is a start but impossible to continue or extend large scale without vendor help
  4. Goal II:Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and <img> tags. Mainly Opera and Mozilla are addressed here.
  5. Long Term Goal(s): Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade.

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time
Tuesday, 09 February
Time: TBA


Discussion Model
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS

Html5 mario hackvertor.jpg

Co-chair Mario Heiderich

Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS.

Co-chair Gareth Heyes

Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind JSReg – a Javascript sandbox which converts code using regular expressions; HTMLReg & CSSReg – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS.

WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

Browser Security Report

After the Board Meeting - fill in here.

Browser Security Priority Report

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
John Wilander @


Michael Coates @


Tony UcedaVelez @
VerSprite

Stefano Di Paola


Isaac Dawson
Veracode

Chris Eng @
Veracode

Nishi Kumar @
FIS

Elke Roth-Mandutz @
GSO-University of Applied Science

Giorgio Fedon


Paolo Perego @
Armoredcode.com

Eduardo Vela @
Google

Abraham Kang @


Nuno Loureiro @
SAPO

Alexandre Miguel Aniceto @
Willway



















</includeonly>