This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
- 1 OWASP London
- 2 Participation
- 3 Sponsorship/Membership
- 4 Next Meeting
- 5 Future Events
- 6 Past Events
- 7 Archived Events
- 8 Other Activities
Welcome to the London chapter homepage. The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
Thursday, January 14th 2010
Location: Nomura, Nomura House, 1 St Martins-le-Grand, London EC1A 4NP
- Using Selenium to hold state for web application penetration testing - Yiannis Pavlosoglou
- Selenium is a web application testing framework often used for unit testing and functional testing during the later parts of web application development. This presentation examines how this tool, in particular the Selenium IDE, can be used for creating security unit tests. By emulating a systematic logon, logoff or browse to a particular location, web application penetration tests can be performed using Selenium. Furthermore, fuzzing payloads can be scripted as inputs for security tests. As a result, issues of holding state, or having valid authentication credentials to test a particular input for, say, Cross Site Scripting (XSS) or SQL Injection can be performed in a much shorter time duration. This presentation will take the audience through the process of setting up, scripting and running Selenium against a vulnerable web application. It's aim is to relay back one successful approach that has been used in the field in order to discover vulnerabilities through stateful fuzzing.
- Top Ten Deployment Mistakes That Render SSL Useless - Ivan Ristic
- SSL is the technology that secures the Internet, but it only works when properly configured. Unfortunately, because SSL is assumed to be easy to use (and it genuinely is), there is a lack of information how to use it properly. As a result, too many web sites use insecure deployment practices that render SSL completely useless. In this talk I will present a list of top ten (or thereabout) deployment mistakes, based on my work on the SSL Labs assessment platform.
- There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone, as well as server-side web applications. As such things need doing for a living and can take their toll, he is part of Comsec UK, based in London. For OWASP, Yiannis runs the JBroFuzz project, a tool that has had as an objective to provide a stable (cross-platform) functional fuzzing tool for web applications, over HTTP & HTTPS. He has also contributed bits of code to other projects and co-authored a number of articles and publications, including v2 of the testing guide.
- Ivan Ristic is a respected security expert and book author, known especially for his contribution to the web application firewall field and the development of ModSecurity, an open source web application firewall. He is the author of Apache Security, a comprehensive security guide for the Apache web server. A frequent speaker at computer security conferences, Ivan is an active participant in the application security community, member of the Open Web Application Security Project (OWASP) and officer of the Web Application Security Consortium (WASC).
Also, if you are no longer able to attend, please email Justin at [email protected] so your space can be released for someone else.
Thursday, March 11th 2010
Location: To be finalised
Thursday, September 3rd 2009
Location: Lloyds TSB, 5th Floor Seminar Room, Red Lion Court, 46-48 Park Street, London SE1 9EQ.
- OWASP O2 Platform - Open Platform for automating application security knowledge and workflows - Dinis Cruz (PDF)
- In this talk Dinis Cruz will show the open source toolkit O2 (Ounce Open) which is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code security reviews. The O2 toolkit (http://www.o2-ounceopen.com) uses the scanning engines from Ounce Labs, Microsoft's CAT.NET tool and FindBugs (with more engines to be added soon) and allows advanced filtering, manipulation and visualization of its findings. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues.
- Using Surrogates to Protect from Application Data Breach - Dave Marsh (PDF)
- Companies are being challenged to store Personal Identifiable Information (PII) data in increasingly more secure environments, and also to comply with increasing standards of data security, for instance Payment Card Industry’s Data Security Standard (PCI DSS). Because all systems that accept or use PII/CC data are considered “in scope” for compliance, there are very few ways to “cut corners” when seeking compliance, and at the same time maintain your current business model.
- This session will present a concept and use of a new data security model, tokenization, which substitutes “data surrogates” for PII/CC numbers in systems throughout the enterprise, thus reducing scope for compliance and annual audits, as well as lowering the risk of a data breach. This session will cover:
- The value of a centralized data vault for PII/CC data
- How tokens act as data surrogates
- Using surrogates for masked data
- The importance of a one-to-one token/data relationship
- How tokens are generated, and
- The security benefits of centralized key management
Thursday, July 9th 2009
Location: Barclays, Rooms 42/43, One Churchill Place, London E14 5HP
- Auditing C# Code - Ilja van Sprundel (PDF)
- In this presentation, Ilja van Sprundel, Principal Consultant at IOActive, will discuss reviewing C# code, specifically C# code used for ASP.NET. He will cover entrypoints, exit points, .NET input validators, corner cases of API's, integer rules, managed vs unmanaged code, the garbage collector, exception handling issues, XSS cases, SQL Injection bugs, XML handling issues and usage of Anti-XSS.
- The Ultimate IDS Smackdown - How red vs. blue situations can influence more than one might assume - Mario Heiderich and Gareth Heyes (PDF)
- The talk is a vector and coding showdown between the lead dev of the PHPIDS and one of its most determined challengers trying and managing to break it wherever possible. Expect a bloody battle between security researchers and developers without limits, regular expression magic against code obfuscation excellence leading to an interesting result about vs-situations in software development and IT security.
Thursday, May 21st 2009
Location: Barclays, Presentation Suite 2, One Churchill Place, London E14 5HP
- Hash Cookies - A simple recipe - John Fitzpatrick (PDF)
- Hash cookies is a concept devised in concert with a couple of other guys whilst discussing an application test we were working on. The goal of hash cookies being to make session hijacking attempts infeasible through re-hashing the session cookie on future requests to the server.
- The aim of this talk is to put across the concept of hash cookies and then have the audience don their ninja suits and break it. That way we can work towards a robust secure mechanism for securing sessions which, hopefully, hash cookies is a good solid step towards.
- OWASP Google Hacking Project - Christian Heinrich (PDF (zipped))
- Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:
- "TCP Input Text" extracts TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and netcat to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot".
- "Download Indexed Cache" retrieves content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3. During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB).
- The impact of mitigating controls, such as <META> Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.
- Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:
Thursday, March 12th 2009
Location: KPMG, 39th Floor, One Canada Sq, E14 5AG
- OWASP Global Industry Committee - Colin Watson (PDF)
- The Global Industry Committee was one of six new OWASP committees created during the EU Summit in Portugal last year. Colin Watson will talk about the committee's aims, plan, how to get involved, who it has been engaging with and what else it has been doing in the first few months.
- The Software Assurance Maturity Model - Introduction and a Use Case - Matt Bartoldus (PDF)
- The OWASP CLASP Project has been going through modification to move more towards a maturity model. As a result, the Software Assurance Maturity Model (SAMM) project has been released in a beta version. The goal is to "define a usable security framework with sequential, measurable goals that can be used by small, medium, and large organisations in any line of business that involves software development". This talk will introduce SAMM and give a brief overview of its contents. We will then discuss how SAMM is currently being used to measure the level of information security activities within an EU based financial organisation's development methodology and providing the framework for implementing such activities into their everyday development activities (SDLC).
- SQL injection: Not only AND 1=1 - Bernardo Damele A. G. (PDF)
- The presentation will cover a quick preamble on SQL injection definition, sqlmap and its key features. It will then illustrate the details of common and uncommon problems and respective solutions with examples that a penetration tester or a SQL injection tool developer faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, blind SQL injection algorithm speed enhancements, specific web application technologies IDS bypasses and more.
For events before 2009, see Archived OWASP London Events
- March 2009 - Entry for Nominet Best Practice Challenge 2009
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award (File:Nominet best practice challenge 2009 owasp entry.pdf) in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.
- 16th October 2008 - COI Browser Standards for Public Websites
The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13) (File:OWASP-COI-Browser-Standards.pdf).