Difference between revisions of "BeNeLux OWASP Day 2010"

• Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

• This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

• If you are interested in participating in the hands on portion of the course, please bring a laptop.

How to get here:

Agenda:

• Welcome and OWASP Update (by Eoin Keary, OWASP Board, E&Y and Seba Deleersnyder, OWASP Board, SAIT Zenitel)
• Combined Web and VoIP attacks (by Radu State, University of Luxembourg)
• Privacy of file sharing service (by N Nikiforakis, Katholieke Universiteit Leuven)

File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.

• Clickjacking: an empirical study with an automated testing/detection system (by Marco Balduzzi, Eurecom)
• How not to design and implement a cash back system (by Thierry Zoller)

Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.

In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.

However it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.

In this talk, we presents a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more then a million unique web-pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.

• Attacking is easy, defending is hard (by Walter Belgers, Madison Gurkha)

An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.

And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.

Examples of problems are lack of patches, problems during the development phase, susceptibility to social engineering attacks and more.

..

Co-Author, Editor/team lead of the OWASP Code Review guide.

Radu has held positions as Research Engineer and Senior Engineer at INRIA-LORIA and has been working as Senior Researcher at the University of Luxembourg, FSTC-CSC Research Unit from October 2008 to September 2010. Radu's research activity will be on one side investigate interoperability aspects to supply security components in the area of ubiquitous computing and on the other side set up a project specific interoperability research lab in close cooperation with industry.

Nick holds a BSc in Computer Science and a MSc on Distributed Systems from the University of Crete in Greece. He worked for 3 years as a research assistant in the Distributed Computing Systems group at the Foundation of Research and Technology in Crete where he did research in network data visualization, authentication schemes using mobile devices and phishing countermeasures. In the past, Nick has presented his work in academic conferences as well as hacking conventions. His work can be found online at www.securitee.org.

At OWASP, Martin is board member of the OWASP Netherlands Chapter and member of the Global Education Committee.