This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "OWASP AppSec Research 2010 - Stockholm, Sweden"

Jump to: navigation, search
(Added picture and challenge 1. Fixed headings.)
Line 69: Line 69:
==AppSec Research Challenge 1: Input Validation and Regular Expressions==
==AppSec Research Challenge 1: Input Validation and Regular Expressions==
''Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.''
''Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.''<br />
        --Jamie Zawinski, in comp.emacs.xemacs
        --Jamie Zawinski, in comp.emacs.xemacs

Revision as of 19:01, 21 June 2009


Ladies and Gentlemen,

In exactly one year--June 21-24, 2010--we'll all meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark hereby invite you to OWASP AppSec Research 2010.

Stockholm old town small.jpg

AppSec Research is AppSec Europe

This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This will be the European conference for anyone interested in or working with application security. Co-host is the Department of Computer and Systems Science at Stockholm University, offering a great venue in the fabulous Aula Magna.

Countdown Challenges -- Free Tickets to Win!

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? The first challenge is posted below. Go, go, go!

Organizing Committee

• John Wilander, chapter leader Sweden (chair)
• Mattias Bergling (vice chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Ulf Munkedal, chapter leader Denmark
• Kåre Presttun, chapter leader Norway
• Stefan Pettersson (sponsoring coordinator)
• Carl-Johan Bostorp (schedule and event coordinator)
• Martin Holst Swende (coffee/lunch/dinner)
• Kate Hartmann, OWASP
• Sebastien Deleersnyder, OWASP Board

Welcome to Stockholm next year!
Regards, John Wilander

Call for Papers and Proposals

We offer two options:
1. Full papers. Peer-reviewed 12 page papers that will be published in formal proceedings by Springer-Verlag Lecture Notes in Computer Science (final approval pending).
2. Presentation proposals. A presentation proposal should consist of a 2-page position paper representing the essential matter proposed by the speaker(s). Proposals must include sufficient material for the reviewers to make an informed decision.

Topics of Interest

We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas: •    Web application security
•    Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0,  offline support, etc)
•    Security in web services, REST, and service oriented architectures
•    Security in cloud-based services
•    Security of frameworks (Struts, Spring, ASP.Net MVC etc)
•    New security features in platforms or languages
•    Next-generation browser security
•    Security for the mobile web
•    Secure application development (methods, processes etc)
•    Threat modeling of applications
•    Vulnerability analysis (code review, pentest, static analysis etc)
•    Countermeasures for application vulnerabilities
•    Metrics for application security
•    Application security awareness and education

Submission Deadline and Instructions

Submission deadline is Sunday February 7th 23:59 (Apia, Samoa time). Submissions should be at most 12 pages long in the Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: Full papers must be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text.

Program Committee

•    John Wilander, Omegapoint and Linköping University (chair)
•    Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
•    Andrei Sabelfeld, Chalmers UT
•    Engin Kirda, Institute Eurecom
•    Lieven Desmet, Katholieke Universiteit Leuven
•    Martin Johns, University of Passau
•    Christoph Kern, Google
•    Sergio Maffeis, Imperial College London

<a name="challenge_1">

AppSec Research Challenge 1: Input Validation and Regular Expressions

Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.
        --Jamie Zawinski, in comp.emacs.xemacs

The 21st of each month up until the conference in June 2010 we'll have a countdown challenge posted here. The winner each month will get a free entrance ticket worth about €300/$400. Be sure to sign up for the conference mailing list to get a monthly reminder.

The Challenge

A community is hosted on a very large domain, The users of that community all have profiles, where they are allowed to use basic HTML for customization, as well as JavaScript files hosted on the domain.

All the code for the profile pages are filtered on the server side, and whenever a piece of code containing "<script..." is encountered, the following regular expression is used to validate that the script loaded is hosted on a subdomain of


Capture group 3 is then also checked against a whitelist of allowed scripts on that domain. The whitelist consists of "" and "".

Your task is to formulate a snippet of HTML that goes correctly through the filter and the whitelist, but loads the script "" instead. Also, rework the regular expression to defend against your "attack".

Email your solution to Martin Holst_Swende <[email protected]>. The first correct answer wins a free ticket to the conference. The free ticket is personal and the judgement of the organizing committee can not be overruled :).