
Difference between revisions of "OWASP AppSec Research 2010 - Stockholm, Sweden"

Edit summaries: older revision ''m (Program Committee)'', newer revision ''(Added Challenge 7)''.
 
If you have any questions, please email the conference chair: john.wilander at owasp.org  
  
[[Image:Stockholm old town small.jpg]]  
  
=== Sponsors ===
  
Diamond sponsor: Position open  
  
Gold sponsors (2 taken, 2 open): [[Image:Omegapoint logo.png]] [[Image:Portwise logo.png]]  
  
Silver sponsors (1 taken, 7 open): [[Image:Mnemonic logo.png]]  
  
Lunch sponsors (1 taken, 1 open): [[Image:IIS logo.png]]  
  
Coffee break sponsors (1 taken, 3 open): [[Image:MyNethouse logo.png]]  
  
For full sponsoring program see the Sponsoring tab above.  
  
 
=== "AppSec Research".equals("AppSec Europe")  ===
 
== Call for Papers and Proposals  ==
  
[[Image:AppSec Research 2010 2nd cfp.png]]  
  
1. '''Publish or Perish'''. Peer-reviewed 12 page papers to be published in formal proceedings by Springer-Verlag ([http://www.springer.com/lncs Lecture Notes in Computer Science, LNCS]). Presentation slides and video takes will be posted on the OWASP wiki after the conference.<br>

2. '''Demo or Die'''. A demo proposal should consist of a pdf with a 1 page abstract summarizing the matter proposed by the speaker(s) ''and'' 1 page containing demo screenshot(s). Demos will have ordinary speaker slots but the speakers are expected to run a demo during the talk (live coding counts as a demo), not just a slideshow. Presentation slides and video takes will be posted on the OWASP wiki after the conference.<br>

3. '''Present or Repent'''. A presentation proposal should consist of a 2 page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video takes will be posted on the OWASP wiki after the conference.
 
  
If you have any questions regarding submissions etc, please email [email protected].  
  
 
=== Topics of Interest  ===
  
We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:  
  
 
* Web application security
* Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
* Security in web services, REST, and service oriented architectures
* Security in cloud-based services
* Security of frameworks (Struts, Spring, ASP.Net MVC etc)
* New security features in platforms or languages
* Next-generation browser security
* Security for the mobile web
* Secure application development (methods, processes etc)
* Threat modeling of applications
* Vulnerability analysis (code review, pentest, static analysis etc)
* Countermeasures for application vulnerabilities
* Metrics for application security
* Application security awareness and education
  
=== Submission Deadline and Instructions ===
  
Submission '''deadline is Sunday February 7th 23:59''' (Apia, Samoa time). Create an account and '''submit your paper or proposal to [https://www.easychair.org/login.cgi?a=c01e98d04e4e;iid=20045 AppSec Research 2010 at EasyChair]''' (open for submissions now). The system allows you to update your submission so you don't have to wait until the deadline for your initial submit.  
  
Full-paper submissions should be at most 12 pages long in the Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: http://www.springer.com/computer/lncs?SGWID=0-164-7-72376-0. Full papers must be submitted in a form suitable for anonymous review: '''remove author names and affiliations from the title page, and avoid explicit self-referencing in the text'''.
  
Demo and presentation proposals should be 2 page pdfs (demo: 1 page abstract + 1 page screenshot(s), presentation: 2 page extended abstract).  
  
Decision notification: April 7th  
  
=== Program Committee (for review of full-papers) ===
  
• John Wilander, Omegapoint and Linköping University (chair)<br>
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)<br>
 
• Lieven Desmet, Katholieke Universiteit Leuven<br>
 
• Úlfar Erlingsson, Reykjavík University and Microsoft Research<br>
 
• Martin Johns, University of Passau<br>
 
• Christoph Kern, Google<br>
 
• Engin Kirda, Institute Eurecom<br>
 
• Ulf Lindqvist, SRI International<br>
 
• Benjamin Livshits, Microsoft Research<br>
 
• Sergio Maffeis, Imperial College London<br>
 
• John Mitchell, Stanford University<br>
 
• William Robertson, UC Berkeley<br>  
 
• Andrei Sabelfeld, Chalmers UT<br>
 
  
 
==== Training  ====
  
== Call for Training ==
  
OWASP is currently soliciting training proposals for the OWASP AppSec Research 2010 Conference which will take place at Stockholm University in Sweden, on June 21st through June 24th 2010. There will be training courses on June 21st and 22nd followed by plenary sessions on the 23rd and 24th with three tracks per day.  
  
We are seeking training proposals on the following topics (in no particular order):  
  
* Security in Web 2.0, Web Services/XML
* Advanced penetration testing
* Static analysis for security
* Threat modeling of applications
* Secure coding practices
* Security in J2EE/.NET patterns and frameworks
* Application security with ESAPI
* OWASP tools in practice
  
We will look favourably on lab-based/hands-on training.
  
=== Submission Deadline and Instructions ===
  
Submission '''deadline is Sunday February 7th 23:59''' (Apia, Samoa time). To submit your training proposal please fill out the [[Image:OWASP AppSec Research 2010 Call for Training.docx]] and email it to [email protected] with subject "AppSec Research 2010: Training proposal".  
  
Upon acceptance you'll be requested to fill out the ''Training Instructor Agreement'' where you'll find details on revenue split etc. The agreement will be reworked but the previous one is here: [[Image:Training Instructor Agreement.doc]].  
  
=== Upcoming List of Trainers on OWASP Wiki ===
  
As part of the [http://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project], OWASP is starting an official list of trainers on the OWASP web site. This list (mentioning the trainer, course and contact details) will cover all trainers that performed training at OWASP conferences, together with their aggregated scores on the course feedback forms. Of course, this is opt-in. Please let us know if you are interested in participating in this program (tick the check-box on the application form).
  
 
==== Venue  ====
  
[[Image:AppSec Research 2010 Aula Magna.jpg]]  
  
 
==== Sponsoring  ====
 
Sponsoring program in Swedish:&nbsp;[[Image:OWASP Sponsorship AppSec Research 2010 (swe).pdf]]  
  
[[Image:Owasp appsec research 2010 diamond gold silver sponsoring.png|left|Part of the sponsoring program]] [[Image:Owasp appsec research 2010 sponsoring 2.png|left|Part of the sponsoring program]]
 
  
 
==== Challenges  ====
 
=== Countdown Challenges -- Free Tickets to Win!  ===
  
There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. Be sure to sign up for [https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 the conference mailing list] to get a monthly reminder.  

== AppSec Research Challenge 7: X-Mas Capture the Flag  ==

[[File:AppSec_Research_2010_Stocking.gif]] '''Merry Christmas everyone!''' [[File:AppSec_Research_2010_Stocking.gif]]

It's the 21st and a new AppSec Research Challenge is posted.

Setting up the AppSec Research 2010 X-mas Challenge was a cooperative effort by the winner of AppSec Research Challenge 3, Mario Heiderich, and Martin Holst Swende. It is a multi-step challenge which involves finding a vulnerability in a web application and locating a hidden message. Start by subscribing to [https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 the conference mailing list]. Then check the simple rules below and get going.

'''Rules''':

*Please do not perform any resource-intensive tests, as the machine is pretty low-end and can be DoSed without much effort.
*The computer at the given IP address is the only system involved in this challenge, so please do not perform any tests of neighboring systems.
*Otherwise, you are free to hack away!

'''Challenge page''': [http://66.249.7.26 66.249.7.26]

Discussions, Q&A and reports about how far you have made it are welcome at [http://sla.ckers.org/forum/read.php?11,32779 the official sla.ckers thread].

Good luck and happy holidays! (And don't forget the submission deadline for the conference -- February 7, see [[#cfp]])

  
 
== AppSec Research Challenge 6: Design the Conference Logo  ==
November's AppSec Research 2010 Challenge asks you to design the conference logotype. So far we have used this:

[[Image:Appsec research 2010 logo prototype (small).png]]

... but would like something less "word processor-like".
+
'''How to win'''

*The logo should be suitable for both large printing and small web banners
*If you make a color logo, please submit a b/w version too
*"OWASP AppSec Research 2010" should in some way be part of the logo :)
 
  
'''Copyright?'''<br>
By submitting your logo you agree to share it under the [http://creativecommons.org/licenses/by/3.0/legalcode Creative Commons Attribution] license and that we credit you in the conference brochure and on the conference wiki but not in all places where we use the logo (i.e. we will not credit you on banners, sponsoring program, powerpoint presentations etc).
 
  
'''How to submit'''<br>
Email jpg + svg to john.wilander [at] owasp.org before Monday December 14th 23:59 [http://www.worldtimeserver.com/current_time_in_UTC.aspx UTC]. The creator of the best logo wins a free ticket to the AppSec Research 2010 conference!
 
  
 
== AppSec Research Challenge 5: Graphical Effects  ==
  
The October OWASP AppSec Research 2010 challenge is over. The winner of a free entrance ticket to next year's AppSec conference in Stockholm is "sirdarckcat" with FireworksIsNotABrowser_v4 (although we like the slightly oversized v6 better).

The challenge was about '''writing the coolest graphical effect in a 2010 character script'''.

=== An Example  ===

As an example, copy the script below and paste it over the URL in the URL bar.

<nowiki>javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.getElementsByTagName("img"); DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+"px"; DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+"px"}R++}setInterval('A()',5); void(0)</nowiki>

As a simple teaser we give these png letters for the script to play with.

[[Image:AppSec Research 2010 O.png]][[Image:AppSec Research 2010 W.png]][[Image:AppSec Research 2010 A.png]][[Image:AppSec Research 2010 S.png]][[Image:AppSec Research 2010 P.png]]

=== Rules  ===

*The script should work in Firefox 3.5 (yeah, that means HTML5 and CSS3 :)
*Any resource, linked document, script, or image defined on the AppSec Research 2010 wiki page may be loaded/accessed/used
*No requests to any other location are allowed
*No obfuscation is allowed
*The script may only use ASCII
*Max length of the script is 2010 characters
*You have to give your effect an id and a version number (further explanation below)
*Any form of malicious code is of course banned ;)

=== How to Compete  ===

There's an [http://sla.ckers.org/forum/read.php?11,31944 official thread on sla.ckers] where you share your code and thoughts (Worried someone will steal your code? Check the originality bullet below). You can enter as many effects as you like but '''each effect has to have an id and a version number''', e.g. JohnWobbler_v1.3 for version 1.3 of John's Wobbler effect. Deadline is November 14th, 23:59 [http://www.worldtimeserver.com/current_time_in_UTC.aspx UTC].

=== Choosing the Winner ===

Since this is a creative challenge the OC will choose the winner based on the following:

*'''Originality''' (tweaking someone's code is cool and encouraged but changing a few magic numbers or inverting a function won't make you the winner)
*'''Coolness''' (yeah, you need to convince a few Scandinavian people + Seba and Kate that your script is the coolest)

Either the OC will choose a winner by ourselves or we choose the top effects and let you guys vote for the winner.
  
 
== AppSec Research Challenge 4: Who's Who in Security?  ==
September's AppSec Research 2010 Challenge was to identify a number of people that are, in one way or another, known in the security business, by their picture. There were thirteen photos in total, portraying thirteen different individuals.

'''The winner of a free ticket to the OWASP AppSec Research conference in 2010 was Thomas Vollstädt''' who submitted the correct solution just one day after the challenge was posted.

=== The Solution ===

[[Image:Owasp appsec research 2010 challenge 4 solution.png]]

=== The Names ===

Dinis Cruz, Gordon "Fyodor" Lyon, David Litchfield, Dave Aitel, Bruce Schneier, Dave Wichers, Gene Spafford, MafiaBoy, MySpace Samy, Tom Brennan, Halvar Flake, Alex Sotirov, Jeff Williams, Jennifer Granick, Kate Hartmann, Mudge, Lance Spitzner, Dan Kaminsky, Brian Chess, Joanna Rutkowska, Crispin Cowan, Michael Howard, Jay Beale, Ross Anderson, Dawn Song, Robert "rsnake" Hansen, and Solar Designer.

=== The Pictures ===

If you'd like to see the original pictures without the names, here's the link: [http://www.owasp.org/index.php/File:Owasp_appsec_research_2010_challenge_4.png]
 
  
 
== AppSec Research Challenge 3: Non-Alphanumeric JavaScript  ==
  
The August AppSec Research 2010 Challenge was to create a JavaScript alert("owasp") that pops up the word 'owasp', case-insensitive, without using any alphanumeric characters (0-9a-zA-Z). There was tremendous activity and we want to thank everyone who participated. The size of the final result was almost a third of the first entry (see chart below). '''Want to check out the winning snippet by .mario? Enter the following in the Firebug console''': <nowiki>ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω()[Ḃ+Ṫ+Ó+Á]('Á«)'))</nowiki>

It is based on a few different ideas. First of all, a destructuring assignment of the form

<nowiki>[a,b,c,,e]="abcde" // a="a", b="b", c="c", e="e"</nowiki>

which is performed on the string "truefalse[object Object]":

<nowiki>[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}</nowiki> // right-hand side is "truefalse[object Object]"

Also, the following construction obtains the window.sort function, which leaks the window object when called without arguments:

ω=[]["sort"] //ω is now window.sort

Therefore, calling ω()["alert"] invokes window.alert. To generate the string "owasp", the string "wasp" can be obtained by calling btoa on the characters <nowiki>"Á«)"</nowiki>.

This was really a great team effort, and I think a lot of us learned some new tricks. The final winner was .mario. Congratulations!
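The string-building steps in the write-up above, worked through as an added example (this is not code from the page or from any challenge entry). It assumes a JavaScript engine with a global btoa (browsers, Node 16+) or Node's Buffer as a fallback. The last step of the original, calling []["sort"]() with no receiver to obtain window, was Firefox 3.x behaviour that current engines reject with a TypeError, so the example stops at confirming that the lookup resolves to Array.prototype.sort. The point for anyone building input filters: every character of "sort", "alert", "btoa" and "owasp" is recovered from coercion output and base64, so a filter that rejects alphanumerics, or the literal words "alert" and "btoa", blocks nothing; context-aware output encoding and a real HTML sanitizer are the controls.

```javascript
// Added example, not from the OWASP page. It reproduces the coercion,
// destructuring and btoa steps of the challenge 3 write-up and checks the
// no-alphanumerics constraint against the winning entry's source text.

// Step 1: !'' + [!{}] + {} coerces to "true" + "false" + "[object Object]".
function sourceString() {
  return !'' + [!{}] + {};
}

// Step 2: array destructuring reads the string one character at a time;
// the holes in the pattern skip the characters that are not needed.
function pickLetters() {
  const [T, R, , E, , A, L, S, , , O, B] = sourceString();
  return { T, R, E, A, L, S, O, B };
}

// Step 3: the three property names are concatenated from those letters.
function methodNames() {
  const { T, R, E, A, L, S, O, B } = pickLetters();
  return {
    sort: S + O + R + T,
    alert: A + L + E + R + T,
    btoa: B + T + O + A,
  };
}

// btoa is global in browsers and Node 16+; older Node needs Buffer.
// Input must be Latin-1, which "Á«)" (bytes C1 AB 29) is.
function base64Latin1(s) {
  return typeof btoa === 'function'
    ? btoa(s)
    : Buffer.from(s, 'latin1').toString('base64');
}

// Step 4: base64 of C1 AB 29 is "wasp"; the leading "o" is the letter
// already picked out of "[object Object]".
function payloadWord() {
  const { O } = pickLetters();
  return O + base64Latin1('\u00c1\u00ab)');
}

// Step 5: []["sort"] resolves to Array.prototype.sort, the function the
// original snippet then called without a receiver to reach window.
function sortLookupIsArraySort() {
  return [][methodNames().sort] === Array.prototype.sort;
}

// The constraint the challenge imposed: no 0-9a-zA-Z anywhere in the source.
function isAlphanumericFree(src) {
  return !/[0-9A-Za-z]/.test(src);
}

// The winning entry exactly as quoted on the page.
const WINNING_ENTRY =
  "ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω()[Ḃ+Ṫ+Ó+Á]('Á«)'))";

console.log(sourceString());                    // truefalse[object Object]
console.log(methodNames());                     // { sort: 'sort', alert: 'alert', btoa: 'btoa' }
console.log(payloadWord());                     // owasp
console.log(isAlphanumericFree(WINNING_ENTRY)); // true
```

Run it with `node` to see the intermediate strings; the only engine-specific piece of the original is the receiver-less sort call, which is deliberately left out here.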
  
 
[[Image:Appsec research 2010 challenge 3 chart.jpg]]  
 
August's challenge was to, in a similar fashion, create an alert("owasp"), case-insensitive, not using any alphanumeric characters. The shortest working code snippet submitted by September 18th 23:59:59 [http://www.worldtimeserver.com/current_time_in_UTC.aspx UTC] won a free ticket. By "working" we meant JavaScript that executes in Firefox/Firebug, not depending on any Firebug DOM variables for execution.  
  
'''Submissions were made as comments to the [http://owaspsweden.blogspot.com/2009/08/appsec-research-2010-challenge-3.html challenge 3 blogpost on Owasp Sweden].''' Check it out.  
  
 
== AppSec Research Challenge 2: OWASP Crossword Puzzle  ==
 
Your task is to formulate a snippet of HTML that goes correctly through the filter and the whitelist, but loads the script "http://insecure.com/evil.js" instead. Also, rework the regular expression to defend against your "attack".  
  
'''Email your solution to Martin Holst Swende &lt;[email protected]&gt;'''. The first correct answer wins a free ticket to the conference. The free ticket is personal and the judgement of the organizing committee cannot be overruled :).
  
 
<headertabs />
 
<headertabs />

Revision as of 16:16, 21 December 2009


Welcome

Invitation

Ladies and Gentlemen,

On June 21-24, 2010, let's all meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark hereby invite you to OWASP AppSec Research 2010.

If you have any questions, please email the conference chair: john.wilander at owasp.org

[Image: Stockholm old town small.jpg]

Sponsors

Diamond sponsor: Position open

Gold sponsors (2 taken, 2 open): [Image: Omegapoint logo.png] [Image: Portwise logo.png]

Silver sponsors (1 taken, 7 open): [Image: Mnemonic logo.png]

Lunch sponsors (1 taken, 1 open): [Image: IIS logo.png]

Coffee break sponsors (1 taken, 3 open): [Image: MyNethouse logo.png]

For full sponsoring program see the Sponsoring tab above.

"AppSec Research".equals("AppSec Europe")

This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This will be the European conference for anyone interested in or working with application security. Co-host is the Department of Computer and Systems Science at Stockholm University, offering a great venue in the fabulous Aula Magna.

Countdown Challenges -- Free Tickets to Win!

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? Go to the Challenges tab and have fun!

Organizing Committee

• John Wilander, chapter leader Sweden (chair)
• Mattias Bergling (vice chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Ulf Munkedal, chapter leader Denmark
• Kåre Presttun, chapter leader Norway
• Stefan Pettersson (sponsoring coordinator)
• Carl-Johan Bostorp (schedule and event coordinator)
• Martin Holst Swende (coffee/lunch/dinner)
• Predrag Mitrovic, OWASP Sweden Board
• Kate Hartmann, OWASP
• Sebastien Deleersnyder, OWASP Board

Welcome to Stockholm next year!
Regards, John Wilander

CFP

Call for Papers and Proposals

[Image: AppSec Research 2010 2nd cfp.png]


1. Publish or Perish. Peer-reviewed 12-page papers to be published in formal proceedings by Springer-Verlag (Lecture Notes in Computer Science, LNCS). Presentation slides and video recordings will be posted on the OWASP wiki after the conference.
2. Demo or Die. A demo proposal should consist of a PDF with a 1-page abstract summarizing the matter proposed by the speaker(s) and 1 page containing demo screenshot(s). Demos will have ordinary speaker slots, but the speakers are expected to run a demo during the talk (live coding counts as a demo), not just a slideshow. Presentation slides and video recordings will be posted on the OWASP wiki after the conference.
3. Present or Repent. A presentation proposal should consist of a 2-page extended abstract representing the essential matter proposed by the speaker(s). Presentation slides and video recordings will be posted on the OWASP wiki after the conference.

If you have any questions regarding submissions etc, please email [email protected].

Topics of Interest

We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:

•    Web application security
•    Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0,  offline support, etc)
•    Security in web services, REST, and service oriented architectures
•    Security in cloud-based services
•    Security of frameworks (Struts, Spring, ASP.Net MVC etc)
•    New security features in platforms or languages
•    Next-generation browser security
•    Security for the mobile web
•    Secure application development (methods, processes etc)
•    Threat modeling of applications
•    Vulnerability analysis (code review, pentest, static analysis etc)
•    Countermeasures for application vulnerabilities
•    Metrics for application security
•    Application security awareness and education

Submission Deadline and Instructions

Submission deadline is Sunday February 7th 23:59 (Apia, Samoa time). Create an account and submit your paper or proposal to AppSec Research 2010 at EasyChair (open for submissions now). The system allows you to update your submission, so you don't have to wait until the deadline for your initial submission.

Full-paper submissions should be at most 12 pages long in the Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: http://www.springer.com/computer/lncs?SGWID=0-164-7-72376-0. Full papers must be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text.

Demo and presentation proposals should be 2 page pdfs (demo: 1 page abstract + 1 page screenshot(s), presentation: 2 page extended abstract).

Decision notification: April 7th

Program Committee (for review of full-papers)

• John Wilander, Omegapoint and Linköping University (chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Lieven Desmet, Katholieke Universiteit Leuven
• Úlfar Erlingsson, Reykjavík University and Microsoft Research
• Martin Johns, University of Passau
• Christoph Kern, Google
• Engin Kirda, Institute Eurecom
• Ulf Lindqvist, SRI International
• Benjamin Livshits, Microsoft Research
• Sergio Maffeis, Imperial College London
• John Mitchell, Stanford University
• William Robertson, UC Berkeley
• Andrei Sabelfeld, Chalmers UT

Training

Call for Training

OWASP is currently soliciting training proposals for the OWASP AppSec Research 2010 Conference which will take place at Stockholm University in Sweden, on June 21st through June 24th 2010. There will be training courses on June 21st and 22nd followed by plenary sessions on the 23rd and 24th with three tracks per day.

We are seeking training proposals on the following topics (in no particular order):

  • Security in Web 2.0, Web Services/XML
  • Advanced penetration testing
  • Static analysis for security
  • Threat modeling of applications
  • Secure coding practices
  • Security in J2EE/.NET patterns and frameworks
  • Application security with ESAPI
  • OWASP tools in practice

We will look favourably on lab-based/hands-on training.

Submission Deadline and Instructions

Submission deadline is Sunday February 7th 23:59 (Apia, Samoa time). To submit your training proposal please fill out the File:OWASP AppSec Research 2010 Call for Training.docx and email it to [email protected] with subject "AppSec Research 2010: Training proposal".

Upon acceptance you'll be requested to fill out the Training Instructor Agreement where you'll find details on revenue split etc. The agreement will be reworked but the previous one is here: File:Training Instructor Agreement.doc.

Upcoming List of Trainers on OWASP Wiki

As part of the OWASP Education Project, OWASP is starting an official list of trainers on the OWASP web site. This list (mentioning the trainer, course and contact details) will cover all trainers that performed training at OWASP conferences, together with their aggregated scores on the course feedback forms. Of course, this is opt-in. Please let us know if you are interested in participating in this program (tick the check-box on the application form).

Venue

[Image: AppSec Research 2010 Aula Magna.jpg]

Sponsoring

We are now welcoming sponsors for OWASP AppSec Research 2010. Take the opportunity to support next year's major appsec event in Europe! The full sponsoring program is available as pdfs:

Sponsoring program in English: File:OWASP Sponsorship AppSec Research 2010 (eng).pdf

Sponsoring program in Swedish: File:OWASP Sponsorship AppSec Research 2010 (swe).pdf

Part of the sponsoring program

Challenges

Countdown Challenges -- Free Tickets to Win!

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. Be sure to sign up for the conference mailing list to get a monthly reminder.

AppSec Research Challenge 7: X-Mas Capture the Flag

[Image: AppSec Research 2010 Stocking.gif] Merry Christmas everyone! [Image: AppSec Research 2010 Stocking.gif]

It's the 21st and a new AppSec Research Challenge is posted.

Setting up the AppSec Research 2010 X-mas Challenge was a cooperative effort by the winner of AppSec Research Challenge 3, Mario Heiderich, and Martin Holst Swende. It is a multi-step challenge which involves finding a vulnerability in a web application and locating a hidden message. Start by subscribing to the conference mailing list. Then check the simple rules below and get going.

Rules:

  • Please do not perform any resource-intensive tests, as the machine is pretty low-end and can be DoSed without much effort.
  • The computer at the given IP address is the only system involved in this challenge, so please do not perform any tests of neighboring systems.
  • Otherwise, you are free to hack away!

Challenge-page: 66.249.7.26

Discussions, Q&A and reports about how far you have made it are welcome at the official sla.ckers thread.

Good luck and happy holidays! (And don't forget the submission deadline for the conference -- February 7, see the CFP tab.)


November's AppSec Research 2010 Challenge asks you to design the conference logotype. So far we have used this:

[Image: Appsec research 2010 logo prototype (small).png]

... but would like something less "word processor-like".

How to win

  • The logo should be suitable for both large printing and small web banners
  • If you make a color logo, please submit a b/w version too
  • "OWASP AppSec Research 2010" should in some way be part of the logo :)

Copyright?
By submitting your logo you agree to share it under the Creative Commons Attribution license, and that we credit you in the conference brochure and on the conference wiki but not in all places where we use the logo (i.e. we will not credit you on banners, the sponsoring program, PowerPoint presentations etc).

How to submit
Email jpg + svg to john.wilander [at] owasp.org before Monday December 14th 23:59 UTC. The creator of the best logo wins a free ticket to the AppSec Research 2010 conference!

AppSec Research Challenge 5: Graphical Effects

The October OWASP AppSec Research 2010 challenge is over. The winner of a free entrance ticket to next year's AppSec conference in Stockholm is "sirdarckcat" with FireworksIsNotABrowser_v4 (although we like the slightly oversized v6 better).

The challenge was about writing the coolest graphical effect in a script of at most 2010 characters.

An Example

As an example, copy the script below and paste it over the URL in the URL bar.

javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.getElementsByTagName("img"); DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[i].style; DIS.position='absolute'; DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+"px"; DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+"px"}R++}setInterval('A()',5); void(0)

As a simple teaser we give these png letters for the script to play with.

[Images: AppSec Research 2010 O.png, AppSec Research 2010 W.png, AppSec Research 2010 A.png, AppSec Research 2010 S.png, AppSec Research 2010 P.png]

Rules

  • The script should work in Firefox 3.5 (yeah, that means HTML5 and CSS3 :)
  • Any resource, linked document, script, or image defined on the AppSec Research 2010 wiki page may be loaded/accessed/used
  • No requests to any other location are allowed
  • No obfuscation is allowed
  • The script may only use ASCII
  • Max length of the script is 2010 characters
  • You have to give your effect an id and a version number (further explanation below)
  • Any form of malicious code is of course banned ;)

How to Compete

There's an official thread on sla.ckers where you share your code and thoughts (Worried someone will steal your code? Check the originality bullet below). You can enter as many effects as you like, but each effect has to have an id and a version number, e.g. JohnWobbler_v1.3 for version 1.3 of John's Wobbler effect. Deadline is November 14th, 23:59 UTC.

Choosing the Winner

Since this is a creative challenge the OC will choose the winner based on the following:

  • Originality (tweaking someone's code is cool and encouraged but changing a few magic numbers or inverting a function won't make you the winner)
  • Coolness (yeah, you need to convince a few Scandinavian people + Seba and Kate that your script is the coolest)

Either the OC will choose a winner ourselves, or we will choose the top effects and let you vote for the winner.

AppSec Research Challenge 4: Who's Who in Security?

September's AppSec Research 2010 Challenge was to identify a number of people that are, in one way or another, known in the security business, by their picture. There were thirteen photos in total, portraying thirteen different individuals.

The winner of a free ticket to the OWASP AppSec Research conference in 2010 was Thomas Vollstädt who submitted the correct solution just one day after the challenge was posted.

The Solution

[Image: Owasp appsec research 2010 challenge 4 solution.png]

The Names

Dinis Cruz, Gordon "Fyodor" Lyon, David Litchfield, Dave Aitel, Bruce Schneier, Dave Wichers, Gene Spafford, MafiaBoy, MySpace Samy, Tom Brennan, Halvar Flake, Alex Sotirov, Jeff Williams, Jennifer Granick, Kate Hartmann, Mudge, Lance Spitzner, Dan Kaminsky, Brian Chess, Joanna Rutkowska, Crispin Cowan, Michael Howard, Jay Beale, Ross Anderson, Dawn Song, Robert "rsnake" Hansen, and Solar Designer.

The Pictures

If you'd like to see the original pictures without the names, here's the link: [[1]]

AppSec Research Challenge 3: Non-Alphanumeric JavaScript

The August AppSec Research 2010 Challenge was to create a JavaScript alert("owasp") that pops up the word 'owasp', case-insensitive, without using any alphanumeric characters (0-9a-zA-Z). There was tremendous activity and we want to thank everyone who participated. The size of the final result was almost a third of the first entry (see chart below). Want to check out the winning snippet by .mario? Enter the following in the Firebug console:

ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω()[Ḃ+Ṫ+Ó+Á]('Á«)'))

It is based on a few different ideas. First of all, a variable assignment of the form

[a,b,c,,e]="abcde" // a="a", b="b", c="c", e="e" (the fourth character is skipped)

which here is performed on the string "truefalse[object Object]":

[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{} // right-hand side is "truefalse[object Object]", so Ṫ="t", Ŕ="r", É="e", Á="a", Ĺ="l", Ś="s", Ó="o", Ḃ="b"

Also, the following construction obtains the sort function of arrays, which (in Firefox, at the time) leaks the window object when called without arguments:

ω=[]["sort"] // ω is now the sort function; ω() returns window

Therefore, calling ω()["alert"] invokes window.alert. To generate the string "owasp", the string "wasp" can be obtained by calling btoa on the characters "Á«)" (their Latin-1 bytes C1 AB 29 base64-encode to "wasp"), and the "o" is concatenated in front.

This was really a great team effort, and I think a lot of us learned some new tricks. The final winner was .mario. Congratulations!

[Image: Appsec research 2010 challenge 3 chart.jpg]

JavaScript Without Alphanumeric Characters?

It is possible to write valid JavaScript completely without alphanumeric characters (0-9a-zA-Z). To produce a number, you can instead take for example the empty string, '', and interpret it as a boolean with a bang: !'' -- which gives the boolean value true. true, interpreted as a numeric value, equals one. Thus,

$ = +!''; // $ === 1

$++;$++; // $ === 3

In a similar fashion, strings can be created from strings built into the language. The boolean value true can be converted to a string by concatenation, and the result indexed numerically to, for example, produce the letter 'e':

â = (!''+'')[$] // â === "true"[3] === "e"

Previous Similar Contest

These two techniques are behind a previous contest at the forum "sla.ckers.org", where the task was to create alert(1) without alphanumeric characters in as few characters as possible. The code actually being executed was:

[]["sort"]()["alert"](1) // since []["sort"]() leaks the window object in FF, this is window["alert"](1), which is another form of window.alert(1)

The winning, or at least currently leading, entry is 84 bytes long and looks like this:

(Å='',[Į=!(ĩ=!Å+Å)+{}][Į[Š=ĩ[++Å]+ĩ[Å-Å],Č=Å-~Å]+Į[Č+Č]+Š])()[Į[Å]+Į[Å+Å]+ĩ[Č]+Š](Å)
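A defender's counterpart to the explanation above, added here as an example and not taken from the challenge page, the sla.ckers thread or any participant: a triage heuristic that flags script bodies written in this style for human review. It assumes plain Node.js and nothing else; the thresholds (structural ratio 0.4, at least two coercion idioms) are my own choices, and the sample inputs are the two snippets quoted on this page plus constructed ordinary code and ordinary non-ASCII text.

```javascript
// Triage heuristic for non-alphanumeric JavaScript (added example, not code from
// the challenge).  A script body with no ASCII letters or digits at all, yet dense in
// the punctuation that carries JavaScript structure and containing the coercion
// idioms the technique depends on, is a strong signal for review.  It is a signal,
// not a filter: thresholds below are assumptions chosen for these samples.

// Constructed sample set: the two snippets quoted on the page, ordinary code, plain text.
const SAMPLES = {
  winningSnippet: "ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω()[Ḃ+Ṫ+Ó+Á]('Á«)'))",
  slackersEntry: "(Å='',[Į=!(ĩ=!Å+Å)+{}][Į[Š=ĩ[++Å]+ĩ[Å-Å],Č=Å-~Å]+Į[Č+Č]+Š])()[Į[Å]+Į[Å+Å]+ĩ[Č]+Š](Å)",
  ordinaryCode: "document.getElementById('greeting').innerText = 'hello';",
  plainText: "«Привет, мир!» (¿…?)",
};

// Idioms from the explanation above: bang on an empty string, bang on an object
// literal, string coercion via +{}, chained indexing ][ and call-then-index ()[, and +[.
const COERCION_IDIOMS = [/!['"]{2}/, /!\{\}/, /\+\{\}/, /\]\[/, /\(\)\[/, /\+\[/];

// Characters that carry JavaScript structure: coercion operators, brackets, calls,
// assignment, object literals, string delimiters and separators.
const STRUCTURAL = /[!+~\-\[\]()={}'"`,]/;

function analyze(src) {
  const chars = [...src]; // iterate code points, not UTF-16 units
  const alnumCount = chars.filter((c) => /[0-9A-Za-z]/.test(c)).length;
  const structuralCount = chars.filter((c) => STRUCTURAL.test(c)).length;
  const structuralRatio = chars.length ? structuralCount / chars.length : 0;
  const idioms = COERCION_IDIOMS.filter((re) => re.test(src)).length;
  // Assumed thresholds: no ASCII alphanumerics at all, at least 40% structural
  // characters, and at least two of the coercion idioms.
  const suspicious = alnumCount === 0 && structuralRatio >= 0.4 && idioms >= 2;
  return { alnumCount, structuralRatio, idioms, suspicious };
}

// Names of the samples the heuristic would hand to a reviewer.
function flagged(samples = SAMPLES) {
  return Object.entries(samples)
    .filter(([, src]) => analyze(src).suspicious)
    .map(([name]) => name);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, src] of Object.entries(SAMPLES)) {
    const r = analyze(src);
    console.log(name, r.suspicious ? "SUSPICIOUS" : "ok", r);
  }
}
```

The plain-text sample is there on purpose: a body that merely lacks ASCII letters (non-Latin prose, emoticons) must not trip the rule, so the structural-density and idiom conditions carry the decision, not the absence of alphanumerics alone.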

The Challenge

August's challenge was to, in a similar fashion, create an alert("owasp"), case-insensitive, not using any alphanumeric characters. The shortest working code snippet submitted by September 18th 23:59:59 UTC won a free ticket. By "working" we meant JavaScript that executes in Firefox/Firebug, not depending on any Firebug DOM variables for execution.

Submissions were made as comments to the challenge 3 blogpost on Owasp Sweden. Check it out.

AppSec Research Challenge 2: OWASP Crossword Puzzle

July's crossword challenge is over. Many permutations arrived in our inbox but it was tricky to get it completely right. Congratulations to Johannes Dahse and Johan Nilsson who in the end were allowed to join forces to be able to find the correct solution. They win a 50 % conference ticket discount each.

You find the solution below.

[Image: Appsec research 2010 challenge 2 solution.gif]

AppSec Research Challenge 1: Input Validation and Regular Expressions

This challenge is over. The winner was Partik Nordlén. To see the solution(s), please visit the appsec_eu_2010 mailing list archive.

Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.
        --Jamie Zawinski, in comp.emacs.xemacs

The 21st of each month up until the conference in June 2010 we'll have a countdown challenge posted here. The winner each month will get a free entrance ticket worth about €300/$400. Be sure to sign up for the conference mailing list to get a monthly reminder.

The Challenge

A community is hosted on a very large domain, yahoogle.com. The users of that community all have profiles, where they are allowed to use basic HTML for customization, as well as JavaScript files hosted on the domain.

All the code for the profile pages is filtered on the server side, and whenever a piece of code containing "<script..." is encountered, the following regular expression is used to validate that the script loaded is hosted on a subdomain of yahoogle.com:

.*(<script){1}([^>]+)src=('http:\/\/[a-zA-Z]+.yahoogle.com\/scripts\/[0-9A-Za-z]+\.js').*\/>

Capture group 3 is then also checked against a whitelist of allowed scripts on that domain. The whitelist consists of "http://secure.yahoogle.com" and "http://scripts.yahoogle.com".

Your task is to formulate a snippet of HTML that goes correctly through the filter and the whitelist, but loads the script "http://insecure.com/evil.js" instead. Also, rework the regular expression to defend against your "attack".
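For the second half of the task, the defensive rework, here is an added example that is not the challenge's published solution and not code from the page: rather than patching the single regular expression, it parses the tag and compares each component of the URL against an allowlist. It uses only the WHATWG URL class that Node.js and browsers provide; the two allowed hosts and the /scripts/name.js path shape come from the challenge text, and the sample tags are constructed.

```javascript
// Allowlist validation of a <script> tag (added example, not the challenge's
// official answer).  The principle: anchor the tag grammar, parse attributes
// one by one, parse the URL with a real URL parser, and compare the hostname
// exactly against the allowlist instead of matching substrings.
const ALLOWED_HOSTS = new Set(["secure.yahoogle.com", "scripts.yahoogle.com"]);
const ALLOWED_PATH = /^\/scripts\/[0-9A-Za-z]+\.js$/; // same path shape as the challenge regex

// Anchored tag grammar: "<script", zero or more quoted attributes, then "/>" or
// "></script>".  ^ and $ mean nothing may precede or follow the tag in the unit
// being validated, so the caller must pass one tag at a time.
const TAG_RE = /^<script((?:\s+[A-Za-z-]+=(?:"[^"]*"|'[^']*'))*)\s*(?:\/>|><\/script>)$/i;
const ATTR_RE = /\s+([A-Za-z-]+)=(?:"([^"]*)"|'([^']*)')/g;

// Returns Map<name, value>, or null when an attribute name is repeated (a
// repeated attribute is ambiguous, so the whole tag is rejected).
function parseAttributes(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (attrs.has(name)) return null;
    attrs.set(name, m[2] !== undefined ? m[2] : m[3]);
  }
  return attrs;
}

function isAllowedScriptTag(tag) {
  const m = TAG_RE.exec(tag.trim());
  if (!m) return false;
  const attrs = parseAttributes(m[1]);
  if (attrs === null || !attrs.has("src")) return false;
  // Only attributes we understand; anything else (event handlers, charset, ...) rejects.
  for (const name of attrs.keys()) {
    if (name !== "src" && name !== "type") return false;
  }
  let url;
  try {
    url = new URL(attrs.get("src")); // absolute URL required; relative or malformed input throws
  } catch {
    return false;
  }
  // Exact host comparison (the parser lowercases the hostname), fixed scheme,
  // no credentials, port, query or fragment, and the expected path shape.
  return (
    url.protocol === "http:" &&
    url.username === "" && url.password === "" && url.port === "" &&
    ALLOWED_HOSTS.has(url.hostname) &&
    ALLOWED_PATH.test(url.pathname) &&
    url.search === "" && url.hash === ""
  );
}

// Constructed sample tags: two that should pass, three that should not.
const SAMPLE_TAGS = [
  "<script src='http://secure.yahoogle.com/scripts/abc.js'/>",
  '<script type="text/javascript" src="http://scripts.yahoogle.com/scripts/lib2.js"></script>',
  "<script src='http://insecure.com/evil.js'/>",
  "<script src='http://secure.yahoogle.com/evil.js'/>",
  "<script src='http://secure.yahoogle.com/scripts/abc.js' onload='f()'/>",
];

function classifySamples(tags = SAMPLE_TAGS) {
  return tags.map((t) => isAllowedScriptTag(t));
}

if (typeof require !== "undefined" && require.main === module) {
  SAMPLE_TAGS.forEach((t) => console.log(isAllowedScriptTag(t) ? "ALLOW " : "REJECT", t));
}
```

The original pattern starts with `.*` and ends with `.*\/>`, so it answers "does an acceptable-looking src occur somewhere in this text"; the parse-and-compare version answers "is this exactly one well-formed tag whose only source is one allowlisted URL", which is the question the filter actually needs answered.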

Email your solution to Martin Holst Swende <[email protected]>. The first correct answer wins a free ticket to the conference. The free ticket is personal and the judgement of the organizing committee can not be overruled :).