Research
Recon Recon: A tale of reversing the Android-based Snow2 HUD
Abstract: You might be thinking, oh no another Android talk. Well, yes and no.
The way we interact with everyday technology is changing. See the Internet of Things (IoT). The time is already now, and this is just a prequel to some of the things we're beginning to see.
For me, it all started this past winter. I managed to convince my employer to buy me a new pair of snowboarding goggles as the focus of my *cough* research *cough*. But these aren't just any pair of goggles; these are the Smith I/O goggles outfitted with a Recon Snow2 Heads-Up Display (HUD) that reads data from multiple sensors to display GPS coordinates, altitude, speed, barometric pressure, and more. On top of that, they can pair with your Android or iPhone to receive incoming SMS and voice calls, and sync info about currently playing music. It also has onboard WiFi and Bluetooth capabilities, and developers are encouraged to write 3rd party apps for it!
In researching these goggles, I found multiple vulnerabilities that led to getting root and compromising application data. The goal of this talk is to walk the audience through my methodology and process in assessing the attack surface and identifying security vulnerabilities in the device. Along the way, I had to reverse various applications, write my own applications, analyze BTLE communications, reverse iOS and Android smartphone applications, and dissect a Google Chrome plugin. By attending this talk, you'll gain a greater understanding of how to assess the security of everyday "things".
- 2014-06-06 – SummerC0n 2014
A Breath of Fresh Burp: Extending Burp the Python Way
Abstract: Many of us rely on Burp Suite as our go-to tool for web application security testing. Burp has made the lives of many pentesters easier, as it was developed with web app security testing in mind. However, Burp doesn't always do what you want out of the box, and so it exposes an Extender API for anyone willing enough to write plugins in Java.
Having to write Java code aside, developing plugins can be a painstaking process because the Java Virtual Machine must be restarted every time the plugin code is modified.
In this talk we’ll review the various framework APIs available to pentesters looking to get the most out of Burp using Jython. We’ll also discuss a new way of writing plugins for Burp, without having to write a single line of Java and without having to restart Burp every time a plugin is modified.
Code and example use cases will be presented that’ll show how using Jython and Burp can make you a more effective web application pentester.
- 2012-11-14 – iSEC Open Security Forum NYC
Constricting the Web: Offensive Python for Web Hackers
Abstract: It seems that everything is a web application nowadays. Whether the application is cloud-based, mobile, or even fat client, they all seem to be using web protocols to communicate. Adding to the traditional landscape, there is a rise in the use of application programming interfaces, integration hooks, and next generation web technologies. What this means for someone testing web applications is that flexibility is the key to success. The Python programming language is just as flexible as today's web application platforms. The language is appealing to security professionals because it is easy to read and write, has a wide variety of modules, and has plenty of resources for help. This additional flexibility affords the tester greater depth than many of the canned tests that come with the common tools they use on a daily basis. Greater familiarity plus a flexible language equals tester win!
In this presentation we introduce methods for creating your own clients, tools, and test cases using the Python programming language. We want to put testers closer to the conditions they are testing for and arm them with the resources necessary to be successful. We also discuss interfacing with the tools people commonly use for web application testing. This allows for pinpoint identification of specific vulnerabilities and conditions that are difficult for other tools to identify.
- 2010-11-10 – OWASP AppSec DC
- 2010-07-30 – Black Hat USA
- 2010-07-28 – Defcon 18
Fracking Flex / Pentesting Adobe Flex Applications
Abstract: Web applications have become increasingly complex over the years. Users are demanding a rich content experience that is both simple and pleasant to use. In addition to the increased complexity, applications are utilizing a mix of technologies to support this drive. One such technology is Flex, which utilizes the Adobe Flash Platform to deliver Rich Internet Applications to users.
With increased complexity comes a downside. Application security testers often hit roadblocks when assessing Flex applications due to the use of binary protocols and custom objects going across the wire. This talk will provide testers an understanding of the architecture components that make up Flex applications and an assessment methodology for security testing. In addition, several tools will be discussed that will help the tester perform a thorough security review of a Flex application.
- 2010-06-18 – SummerC0n 2010
- 2010-06-03 – iSEC Open Security Forum NYC
- 2010-04-14 – OWASP NYC
Securosis: Building a Web Application Security Program
Abstract: Web applications not only have many of the same threats and issues as traditional applications, but by their nature have a whole additional set of issues to worry about as well. They require a different approach and analysis, and we hope that you will follow the use cases and adapt the technologies and process improvements suggested to meet your organizational needs.
Marcin Wielgoszewski and Andre Gironda are recognized contributors in this report published by Rich Mogull and Adrian Lane of Securosis.
AntiSamy.NET: Fighting XSS the .NET Way
Abstract: AntiSamy.NET is the direct .NET port of AntiSamy for Java. Originally developed by Arshan Dabirsiaghi and Jason Li of Aspect Security, Jerry Hoff has been porting AntiSamy to .NET in this OWASP Summer of Code 2008 project. This talk presents the community with a project overview and status update on the work completed to date. For more information please visit the OWASP AntiSamy.NET project homepage.
- 2008-11-06 – OWASP EU Summit 2008
Path X: Explosive Security Testing Tools with XPath
Abstract: This talk will cover what XPath is, how it is used to parse XML in web applications in order to aid security testing tools, and why XPath expressions are good locators in comparison to other methods such as DOM or CSS selectors. The presenters will attempt to demonstrate how XPath can be used for good instead of being targeted with injection or blind XPath injection attacks.
- 2008-02-17 – ShmooCon 2008
Continuous Prevention Testing
Abstract: Continuous testing presents methodologies and tools that developers, quality engineers, and security professionals can all share and adapt effectively to their own unique approaches. The tools presented are cross-discipline, meaning they can be utilized by a developer as a development tool, by a QA tester as a quality assurance tool, and by a vulnerability assessor as a security assurance tool. Whether you're trying to build better code faster, demonstrate the power of automated testing using a data-driven test framework, or find security-related defects – Continuous testing has something for you.
- 2007-10-19 – ToorCon 9