This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "BeNeLux OWASP Day 2010"
Line 8: | Line 8: | ||
<center> | <center> | ||
===Confirmed Speakers:=== | ===Confirmed Speakers:=== | ||
− | Eoin Keary (OWASP Board, E&Y)<br> Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha) <br> ... | + | Eoin Keary (OWASP Board, E&Y)<br> Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)<br> Radu State (University of Luxembourg)<br> N Nikiforakis (Katholieke Universiteit Leuven)<br> Marco Balduzzi (Eurecom)<br> Walter Belgers (Madison Gurkha)<br> Thierry Zoller (Verizon Business, G-SEC)<br> ... |
Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. | Download the conference flyer [http://www.owasp.org/images/8/8d/OWASP_BeNeLux_2010_flyer_v1.5%282%29.jpg here].<br> All the presentations will be available for download in the [http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd agenda] tab. | ||
Line 141: | Line 141: | ||
:File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks. | :File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks. | ||
*'''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) | *'''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom) | ||
+ | *'''How not to design and implement a cash back system''' (by Thierry Zoller, Verizon Business, G-SEC) | ||
:Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate. | :Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate. | ||
:In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session. | :In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session. |
Revision as of 09:25, 13 November 2010
Welcome
Confirmed Speakers:
Eoin Keary (OWASP Board, E&Y)
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel)
Radu State (University of Luxembourg)
N Nikiforakis (Katholieke Universiteit Leuven)
Marco Balduzzi (Eurecom)
Walter Belgers (Madison Gurkha)
Thierry Zoller (Verizon Business, G-SEC)
...
Download the conference flyer here.
All the presentations will be available for download in the agenda tab.
Training, December 1st
COURSE | |||
OWASP Projects and Resources you can use TODAY! | |||
Overview & Goal | |||
| |||
Date | Venue & Directions | ||
December 1, 2010 | Fontys Hogescholen, Den Dolech 2, Traverse 3.43, Eindhoven, The Netherlands
How to get here: | ||
Price & Registration | |||
|
COURSE'S MODULES DETAILS | |||||
Time | Module | Trainer | Presentation | Overview & Goal | |
11h00 (30m) | Guided tour of OWASP Projects | Tour of OWASP’s projects | See details and Trainer's notes
| ||
11h30 (45m) | Threat Risk Modeling | Martin Knobloch | Threat Modeling – how to do it | See details and Trainer's notes
| |
12h15 (15m) | Coffee Break |
| |||
12h30 (45m) | OWASP Testing Guide | Martin Knobloch | Application Security Using the Testing Guide | See details and Trainer's notes
| |
13h30 (60m) | Lunch |
| |||
14h30 (45m) | [ ] | Sebastien Deleersnyder | [ OT10 Issues & Remedies] | See details and Trainer's notes
| |
15h15 (45m) | [ ] | [ ] | See details and Trainer's notes
| ||
16h00 (15m) | Coffee Break |
| |||
16h15 (30m) | OWASP Software Assurance Maturity Model | Sebastien Deleersnyder | SAMM - PPT File | See details and Trainer's notes
| |
17h00 (30m) | [ ] | Sebastien Deleersnyder | [ Software Development Life Cycle] | See details and Trainer's notes |
Conference, December 2nd
Location - December 2nd, 2010 | ||
---|---|---|
from - to | Registration | |
from - to |
Agenda:
.. |
Speakers
Eoin Keary (OWASP Board, E&Y) |
Chapter Lead and founder of OWASP Ireland chapter. Co-Author,Co - Editor and team lead of the OWASP Testing Guide.
Co-Author, Editor/team lead of the OWASP Code Review guide. |
Sebastien Deleersnyder (OWASP Board, SAIT Zenitel) |
bios |
Radu State (University of Luxembourg) |
bios |
Nick Nikiforakis (Katholieke Universiteit Leuven) |
Nick Nikiforakis is a PhD student at the Katholieke Universiteit Leuven, in Belgium. He belongs to the DistriNet research group and specifically in the “Security & Languages” task-force. His current research interests are: low-level security for unsafe languages and web application security. Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org. |
Marco Balduzzi (Eurecom) |
bios |
Walter Belgers (Madison Gurkha) |
Walter Belgers heeft Technische Informatica gestudeerd aan de Technische Universiteit Eindhoven met als extra vak o.a. Computercriminaliteit (Universiteit van Tilburg). Walter is in 1994 begonnen bij Philips C&P (tegenwoordig Atos Origin) als ontwikkelaar van wereldwijde firewall-diensten en de uitrol daarvan. Daarna heeft hij enkele jaren lesgegeven op het gebied van UNIX en Internet beveiliging bij AT Computing. In 2002 is hij toegetreden tot Madison Gurkha als partner. Naast zijn technische consultancy-activiteiten, houdt Walter zich bezig met het schrijven van artikelen en columns, het geven van lezingen en voorlichten van de pers. Walter is gecertificeerd security professional (CISSP) en security auditor (CISA). |
Martin Knobloch (Sogeti Nederland B.V.) |
Martin Knobloch is employed at Sogeti Netherlands as Senior Security Consultant. He is founder and thought leader of the Sogeti task force PaSS, Proactive Security Strategy, with an integral solution of information security within organisation, infrastructure and software. At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee. |
CTF
During both days, a Capture The Flag challenge will be online and available!
Registration
The training day and the conference are free!
To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.
Venue
Eindhoven, The Netherlands (Den Dolech 2, Traverse 3.43)
Hotels nearby:
Organisation
The BeNeLux Day 2010 Program Committee:
- Martin Knobloch / Ferdinand Vroom (OWASP Netherlands)
- Bart De Win / Sebastien Deleersnyder (OWASP Belgium)
- Jocelyn Aubert / Andre Adelsbach (OWASP Luxembourg)
Sponsorship
Contact netherlands <at> owasp.org for sponsorship
<paypal>BeNeLux OWASP Day 2010</paypal>
Social Event
There will be a social conference evening at the eve of the first day, December 1stDetails to be posted soon!