
Difference between revisions of "Leeds UK"

This revision changed the "Next Meeting" section (and the "Past Events" heading that follows it). The earlier revision's "Next Meeting" section, which this edit replaced, read as follows; the revised section appears in the page text below.

== Next Meeting ==

'''Date:''' Wednesday 16th June

RSVP your ticket for this event here http://www.eventbrite.com/event/708377777

'''Location:''' Lecture Room EBA102A, Ellison Building, School of Applied Sciences, Northumbria University, Newcastle upon Tyne, NE1 8ST

The venue is being kindly provided by Northumbria University, an OWASP education sponsor. http://www.northumbria.ac.uk

'''Schedule: 18:00 for 18:20 start'''

'''18:20 - 18:30'''

[unchanged lines not shown in the diff view]

''Jason Alexander - OWASP Leeds/Northern Chapter Board Member''

'''18:30 - 18:50'''

ENISA Common Assurance Maturity Model

OWASP is contributing to the development of an international information assurance framework, principally aimed at identifying a set of security controls mapped to maturity levels for cloud computing services. The framework has been split into a number of domains and OWASP's contributors are working on the "software development" domain. The presentation will discuss the project, work to date on the maturity model and how this relates to OWASP SAMM.

''Colin Watson - Technical Director at Watson Hall Ltd and Global Industry Committee Member at OWASP Foundation''

'''18:50 - 19:20'''

Open Source Security Myths

(details to follow)

''David Anumudu - Software Security Consultant for Fortify Software EMEA''

'''19:20 - 20:05'''

SSL/TLS - Just when you thought it was safe to return

2009 was a serious year in breaking secure protocols. SSL/TLS was no different. Hacking SSL/TLS has a big return for a blackhat hacker: once you penetrate a corporate network, stealing login details and passwords is just the beginning. SSL VPNs can also be vulnerable to a number of attacks. There are a number of readily available tools and techniques that can make defeating SSL/TLS both simple and well within the reach of unauthorized attackers. The talk focuses on the research and tools of Moxie Marlinspike, who has gained an excellent reputation as an independent security researcher. With some interesting attack vectors, you'll be surprised at the results one can achieve.

''Arron Finnon - www.finux.co.uk''

'''20:05 - 20:30'''

OWASP AppSensor - The Self-Aware Web Application

An overview of the AppSensor project, which defines a conceptual framework and methodology for implementing an application-layer intrusion detection and automated response system within a web application.

''Colin Watson - Technical Director at Watson Hall Ltd and Global Industry Committee Member at OWASP Foundation''

== Past Events ==

Revision as of 17:39, 6 September 2010

OWASP Leeds UK

Welcome to the Leeds UK chapter homepage. This is a new chapter and we are looking for enthusiastic new members to make this one of the best OWASP chapters. We are hoping to accumulate a good proportion of subject matter experts who will in turn be able to provide guidance and presentations for the benefit of all chapter members. So please join the mailing list and contribute.

Details of your chapter Board members can be found at Leeds_UK_chapter_leaders.

The chapter email address is [email protected]


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now




2010 Planned Meetings

September 15th

December 8th

Next Meeting

Date: Wednesday 15th September

RSVP your ticket for this event http://www.eventbrite.com/event/842723609

Location: Novotel Leeds, 4 Whitehall Quay, Leeds, LS1 4HR


Schedule: 18:00 for 18:15 start

18:20 - 18:30

OWASP Chapter introduction. OWASP values. Chapter information.

Jason Alexander - OWASP Leeds/Northern Chapter Board Member

18:30 - 19:15

Context Application Tool CAT

Context Application Tool (CAT) is a tool for performing manual web application penetration testing. The presentation will show the main features of CAT, with demonstrations of where CAT can perform tests that other currently available tools cannot and how CAT empowers the user to create more complex test cases to further explore the boundaries of the application. The focus of CAT is on manual penetration testing and not on automated web VA scanning. There will also be a sneak preview of the features currently in development and due to be released late this year.

The presentation will start with an overview of the new CAT application and demonstrate how the tool can be used in all aspects of manual web application testing. The aim is to provide delegates with a high-level understanding of the capability of CAT, covering the following core areas:

- Request Repeater – Used for repeating a single request
- Proxy – Classic inline proxy including
- Fuzzer – Allows for a batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
- Log – View a list of requests to sort, search, repeat etc. Allows for a sequence of requests to be repeated and modified.
- Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
- SSL Checker – Request a specific page with various SSL ciphers and versions.
- Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
- Web Browser – An integrated web browser with the proxy pre-configured, based on Internet Explorer's rendering engine.

Covering the following features:

- Uses Internet Explorer's rendering engine for accurate HTML representation
- Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
- Integrated SQL Injection and XSS Detection
- Synchronised proxies for authentication and authorisation checking
- Faster due to HTTP connection caching
- SSL version and cipher checker using OpenSSL, including the HTTP response and not only the SSL handshake
- Greater flexibility for importing/exporting logs and saving projects
- Tabbed interface allowing for multiple tools at once, e.g. multiple repeaters and different logs
- The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)

Then the presentation will focus on a few examples where CAT allows for testing which was previously particularly difficult, these include:

1. Using the project-based tabbed interface, which allows for greater control and organisation for larger projects
2. Assisted authorisation and authentication checking using synchronised proxies and cookie fixation
3. Testing of multi-stage and multi-host Single Sign On solutions
4. LDAP timing attacks using HTTP/HTTPS connection caching
5. How CAT encodings can be used to bypass Web Application Firewalls
6. Clickjacking testing

Finally, a sneak preview of the new features that are being developed, including the new DB exploitation panel.

Michael Jordon - Principal Security consultant, Context Information Security

19:15 - 20:00

OWASP O2 Platform - Automating Security Knowledge

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code-driven application security reviews (blackbox + whitebox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides security consultants a mechanism to:

(a) "talk" with developers (via UnitTest)
(b) give developers a way to replicate and "check if it's fixed" the vulnerabilities reported
(c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.

Dinis Cruz - OWASP O2 Project lead and member of the OWASP Global Projects Committee

20:00 - Finish

How I met your girlfriend

The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

Speaker Bios

Michael Jordon - Michael Jordon is a principal security consultant for Context Information Security. He has over 10 years' experience as a software developer and security consultant. His speciality is application security and secure software development. He is the principal developer of Context App Tool (CAT), the web application penetration testing tool. He is CREST application certified, a member of the SSDP committee and has a degree in Software Engineering. He has released advisories including vulnerabilities in Outlook Web Access, Citrix, Squirrel Mail and Sophos Anti-Virus. He has previously talked at conferences including CREST Conference, ISSD and InfoSecurity Europe.

Dinis Cruz - Dinis is a Security Consultant based in London (UK) and specialised in ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis; from May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where during active security engagements using Ounce's technology he developed the Open Source codebase which is now the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the security consultants and the final developers. Dinis is also an active trainer on .NET security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security-related conferences. At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.

Samy Kamkar - Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws). In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

Past Events

2010 Dates

16th June - Leeds

17th March - Leeds

2009 Dates

14th October 2009 - Leeds