Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu

Wednesday, August 21
 

1:00pm

SAMM Workshop
During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction in which SAMM evolves. This is also an excellent opportunity to exchange experiences with your peers.

The agenda:
  1. Introduction / getting to know each other - 10 mins.
  2. Project status and goals - 10 mins.
  3. OpenSAMM inventory of tools and templates - 20 mins
  4. Case studies / sharing experiences - 40 mins. 
  5. What do we need (thinking about improvements, can be anything ranging from translations over tools to model improvements) - 40 mins
  6. What do we need first (prioritization) - 30 mins.
  7. Call for involvement (responsibilities), identify teams for specific topics - 15 mins
  8. Rough planning for the future - 15 mins
If you plan to come, please add your name to the online meeting doc.

Speakers
Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com
As an application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT, Web and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederla...


Wednesday August 21, 2013 1:00pm - 4:00pm
Alster Scandic

4:00pm

Registration
Wednesday August 21, 2013 4:00pm - 6:00pm
Foyer Emporio

4:00pm

Chapters Workshop
The 2013 Chapters Workshop will be held at the Hotel Scandic in Hamburg on Wednesday afternoon, August 21st, from 4:00 to 7:00 pm.

The chapter workshop will be a great learning opportunity for chapter leaders who have much experience as well as those who are new to their positions, or even looking to become a chapter leader in the future. In a style similar to the workshops held in the US, Latam, and AsiaPac over the past year, the Chapter Workshop at AppSec Research this year will be an interactive opportunity for lively discussion of the guidelines and recommendations for chapter leaders as contained in the Chapter Leader’s Handbook. Additionally, we will look at what may be missing from the Chapter Leader Handbook and should be included or changed for the next version.

If you are interested in participating in either of these workshops, please register for the Conference and select the optional session “chapter leader’s workshop” as part of the registration process. Remember that conference attendance is free for current chapter and project leaders.

Sponsorship to Attend the Chapters Workshop

If you need financial assistance to attend the Chapter Leader Workshops, please submit a request via the Contact Us Form http://owasp4.owasp.org/contactus.html by the application deadline for each of the events.


  • July 15th – AppSec Research Chapters workshop sponsorship applications due
  • July 17th – Applicants notified of status

Additional Information for Applicants:


  • Priority of sponsorships will be given to those not covered by a sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.
  • When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter’s funds before requesting a sponsorship, this is not a requirement for application.
  • If your chapter has funds but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).


Questions?

If any questions, please contact us at: http://owasp4.owasp.org/contactus.html


Wednesday August 21, 2013 4:00pm - 7:00pm
Alster Scandic
 
Thursday, August 22
 

8:00am

Registration
Thursday August 22, 2013 8:00am - 10:00am
Foyer Emporio

9:00am

Welcome note and a manual for the conference and everything else
This is just a short introduction for giving you all the necessary input for making the most out of our OWASP conference: technical sessions, "hallway tracks", evening events, local stuff.

Thursday August 22, 2013 9:00am - 9:15am
Großer Saal

9:15am

Keynote: Busting The Myth of Dancing Pigs: Angela's Top 10 list of reasons why users bypass security measures
In this talk, I will examine the most common reasons why users shortcut security measures, using examples from Web and mobile security software. It reveals that users are not 'stupid' and easily distracted - as the Dancing Pigs statement implies - but make rational choices about the cost and benefit of security measures. The lesson for designers is that they need to take more responsibility (rather than just passing the buck to users), improve accuracy of detecting threats and communicate risks and consequences more precisely.

Speakers
Angela Sasse

M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London (UCL), UK. A usability researcher by training, she started investigating the causes and effects of usability issues with security mechanisms in 1996. In addition to studying specific mechanisms such as passwords, biometrics, and access control, her research group has developed human-centred frameworks that explain the role of security, privacy, identity and trust in human interactions with technology. A list of projects and publications can be found at...


Thursday August 22, 2013 9:15am - 10:00am
Großer Saal

9:30am

Automated and unified opensource web application testing
GoLismero is an open-source framework for security testing.

The most interesting features of the framework:

- Truly platform-independent. Tested on Windows, Linux, *BSD and OS X.
- No library dependencies. The whole framework is written in pure Python.
- Good performance compared with other frameworks written in Python and other scripting languages.
- Designed with cluster mode in mind (not available yet).
- Very easy to use.
- The framework collects and unifies the results of well-known tools: sqlmap, xsser, OpenVAS, dnsrecon, theHarvester...
- Integration with standards: CWE, CVE and OWASP.
- Plugin development is extremely simple.

http://golismero-project.com

Speakers
Daniel García García

Daniel García García (a.k.a. cr0hn in the security world) is a security researcher and pentester with more than 6 years of experience in the IT security world. He has worked for many top-level companies as a security consultant. Currently he performs his professional tasks in Bug...

Mario Vilas

Mario Vilas is a security researcher living in Madrid, whose interests go from the low-level (exploiting, shellcoding) to the high-level (web application security, Python programming). He's the author of WinAppDbg (http://winappdbg.sourceforge.net) and coauthored GoLismero with D...


Thursday August 22, 2013 9:30am - 1:30pm
Alsterpanorama I Emporio

9:30am

OWTF Summer Storm
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient. It is written mostly in Python. @owtfp http://owtf.org

OWTF aims to cover as much as possible from both:
1) The OWASP Testing Guide
and
2) The Penetration Testing Execution Standard

This coverage is achieved through a combination of automated tests, interactive reports and assistance to human exploitation through relevant third-party links or tools. All this happens using an interactive interface that allows the human to rank information based on the context of their pentest.

In this presentation there will be special focus on the Summer Storm releases, which result from the outstanding work of 4 GSoC students working on OWTF fulltime for 3 months.

http://owtf.org

Speakers
Abraham Aranguren

After an infosec honour mark at university, from 2000 until 2007 Abraham's contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and vulnerability prevention at the design level as an application and framework architect...


Thursday August 22, 2013 9:30am - 1:30pm
Alsterpanorama II Emporio

9:30am

WebSensor - Sensing the Web with Community Collectors
A huge barrier in web security research is the availability of research data. Web traffic data is too sensitive to be shared among the community, which would allow researchers to develop new methodologies, test existing approaches or compare them with each other.


The WebSensor project aims at providing a web honeypot that collects data in the format of the ModSecurity audit log. This allows the use of tools like the jwall-tools to replay the recorded HTTP traffic and extract statistics that are valuable for other OWASP projects, like the OWASP ModSecurity Core Rules project.


Community Oriented
------------------------------
The main idea of the WebSensor project is to spawn a community for data collection and data sharing. That is, each participant can run one or more sensors and the data will be collected in a central system. The collected data is then accessible to any participant of the project.

http://www.jwall.org/websensor/

Speakers
Christian Bockermann

Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web security as his major subject.
Alongside working as a research assistant he works as a freelancer in web security consulting, mostly focused on Apache and ModSecurity. He is also the author of several free Java tools supplementary to ModSecurity, the most popular being the AuditConsole...


Thursday August 22, 2013 9:30am - 1:30pm
Hafenpanorama I Emporio

10:00am

OWASP Introduction
Thursday August 22, 2013 10:00am - 10:30am
Großer Saal

10:30am

Coffee Break
Thursday August 22, 2013 10:30am - 11:00am
No specific Room

11:00am

Experience made in Technical Due Diligence
Acquisitions are one way for companies to grow and to enlarge their possibilities and portfolio. As part of the acquisition process, companies have to perform a due diligence (DD) analysis. Architecture and technology assessments are often conducted only in retrospect. During the DD and acquisition processes it is often forgotten that systems, platforms and software solutions form a complex "eco-system" that is key to most business processes. Mobile and web applications as well as software services are also an integral element of the offered products or services.
The evaluation of software and information security as part of a due diligence is relatively unexplored and has perhaps not been much in focus in past due diligences.
How technology and architecture reviews can be carried out properly and efficiently will be described by way of a process model. Based on the speaker's experience, the talk touches on which technical tools are available for the analysis, how a relatively objective assessment can be achieved and how the results can be communicated to all stakeholders.

Speakers
Amir Alsbih

Dr. Amir Alsbih is the Chief Information Security Officer at the Haufe Group and directs the Internal Audit department. He is CISSP-ISSMP, CISSP and GCFA. His responsibilities include both technical and organizational aspects of information security. This is about risk and safety...


Thursday August 22, 2013 11:00am - 11:45am
Großer Saal

11:00am

Qualitative Comparison of SSL Validation Alternatives
Although SSL/TLS is in widespread use today, certificate validation currently suffers from the weakest link property created by the fact that any trusted CA can sign a certificate for any domain. Thus, if a single CA is compromised or coerced, any and all hosts using CA-signed certificates can be endangered. Several recent high profile hacking cases have brought attention to this problem and a number of promising new approaches to strengthen SSL security are being discussed. In this paper we propose an evaluation framework based on a catalog of desirable benefits of SSL validation systems. We evaluate the current CA-based PKI and the following alternative approaches: Perspectives, Convergence, Certificate Transparency, Sovereign Keys, TACK and DANE. We identify the different strengths and weaknesses of the systems, try to shed light on the trade-offs all systems have to make and show which disadvantages they incur that currently hinder adoption.

Speakers
Sascha Fahl

Sascha Fahl is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg where he received his Diplom in 2011. His current research is focused on usability...

Henning Perl

Henning Perl received his Master's degree in computer science in December 2011 from the Leibniz University Hanover, Germany and joined the university's Distributed Computing & Security Group in January 2012 as a doctorate student. While he was still a graduate student he develope...

Matthew Smith

Prof. Smith is a Professor of Computer Science at Leibniz University Hannover, Germany where he leads the Distributed Computing & Security Group. He studied Computer Science at the University of Siegen and received a PhD from Philipps University Marburg in 2008. His current resea...


Thursday August 22, 2013 11:00am - 11:45am
Freiraum

11:00am

Rooting your internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Inter-protocol Exploitation removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request.

Multiple protocols like IMAP, SMTP, POP, SIP, IRC and others are "tolerant" to errors, and they don't reset the connection with the client if they receive data that is not compliant with the protocol grammar. This leads to the possibility of interacting with such protocols with HTTP requests, even without the need of a SOP bypass.

During the talk, we will see a demonstration on how to compromise an IMAP server that sits in the victim's internal network through its browser hooked in BeEF.

This will include disabling the browser's PortBanning, identifying the victim's internal network IP and the live hosts in the subnet, followed by a port scan and finally sending the custom BeEF Bind shellcode once the IMAP service has been located.
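The error tolerance the abstract relies on, as an added example that is not BeEF code or the speaker's demo: a toy IMAP-style command loop run in-process on a constructed HTTP POST. The lenient loop answers BAD to the HTTP request line and headers but keeps reading, so the IMAP commands placed in the POST body are executed; the strict variant closes on the first non-compliant line. The command set, the address and the request are all constructed for illustration; browser port banning, which the talk covers, is outside this example.

```python
from typing import List

# Constructed browser-issued POST, not captured traffic. The attacker controls
# only the body; the request line and headers are added by the browser.
HTTP_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 10.0.0.5:143\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "a1 LOGIN alice hunter2\r\n"
    "a2 SELECT INBOX\r\n"
)

# Minimal command set of the toy server (an assumption, not a full IMAP grammar).
KNOWN_COMMANDS = {"LOGIN", "SELECT", "LOGOUT"}


def _handle(line: str):
    """Return an OK reply for a well-formed 'tag COMMAND ...' line, else None."""
    parts = line.split(" ")
    if len(parts) >= 2 and parts[1].upper() in KNOWN_COMMANDS:
        return f"{parts[0]} OK {parts[1].upper()} completed"
    return None


def tolerant_server(data: str) -> List[str]:
    """Lenient daemon: every line gets a reply, junk lines get BAD, and the
    connection stays open, so commands after the HTTP headers still run."""
    replies = []
    for line in data.split("\r\n"):
        if not line:
            continue
        reply = _handle(line)
        replies.append(reply if reply else f"{line.split(' ')[0]} BAD unknown command")
    return replies


def strict_server(data: str) -> List[str]:
    """Hardened variant: the first non-compliant line ends the session, so the
    smuggled commands are never reached."""
    replies = []
    for line in data.split("\r\n"):
        if not line:
            continue
        reply = _handle(line)
        if reply is None:
            replies.append("* BYE protocol error")
            break
        replies.append(reply)
    return replies


def executed_commands(replies: List[str]) -> List[str]:
    """Commands the server actually accepted, extracted from its OK replies."""
    return [r.split(" ")[2] for r in replies if r.split(" ")[1] == "OK"]


if __name__ == "__main__":
    print("tolerant:", executed_commands(tolerant_server(HTTP_REQUEST)))
    print("strict:", executed_commands(strict_server(HTTP_REQUEST)))
```

The lenient loop is the property the talk exploits: four junk lines cost nothing, and the LOGIN and SELECT that follow are processed as if typed by a legitimate client.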

Speakers
Michele Orrù

Michele Orrù (@antisnatchor) from Sardinia, co-maintainer of the BeEF project, will demonstrate how web attacks can cross protocol and network boundaries and get access to the most precious data behind the Intranet fences. Prepare to be scared.


Thursday August 22, 2013 11:00am - 11:45am
Aussichtsreich Emporio

11:50am

OWASP - CISO Guide and CISO report 2013 for managers
This talk will present two new OWASP projects, the CISO guide and the first results of the CISO Survey report 2013. The talk's main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide.
With a constantly evolving threat landscape where hackers are seeking to attack web applications to compromise customer’s sensitive data and company proprietary information, CISOs are challenged by their businesses to make decisions on how to mitigate the risks. Often risk decisions include the trade-off between current and new web application security measures and to decide where to invest. An investment in application security program is critical for reducing the application security risks besides meeting the goals of governance and compliance with the information security policies.

OWASP has developed guidance, the OWASP CISO Guide, specifically to address the needs of CISOs and to help them prioritise the mitigation of web application vulnerabilities that might severely and negatively impact the organisation and jeopardise the business.

From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats and plan for new application security activities in different security domains that include application security governance, risk management, compliance and security in the SDLC processes. Among the CISO goals for application security, meeting compliance with information security policies is often the one that has the most focus. This guide aims also to help CISOs in using compliance of web applications with security standards and regulations as justification for investing in application security activities.

For several organizations today the costs to the business due to the impacts of security incidents are much higher than the cost of non-compliance and failing audits. Since investment in compliance as well as operational risk management are among CISO responsibilities, the focus of investment in risk management is articulated as “what are the most cost effective measures to manage security risks”.

Finally, after application security investments are made, it is important for the CISO to measure and report on the status of governance, risk and compliance of the application security program. Some guidance on metrics suitable for measuring governance, risk and compliance of application security processes is also included in this guide.

Agenda
1. Business cases & Risk-cost decision criteria for application security investment
2. Prioritization and Criteria for Mitigating Application Security Risks
3. Application Security Processes
4. Selection of Metrics For Managing Risks & Application Security

Speakers
Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and...


Thursday August 22, 2013 11:50am - 12:35pm
Großer Saal

11:50am

Recipes for enabling HTTPS
Securely enabling HTTPS turns out to be tricky and time consuming. There is the considerable accidental complexity of web application and server configuration. Then there is lots of advice on what versions of SSL, TLS, which ciphers and modes to avoid, but precious little on how to do it right. No week seems to pass without something being added to the list of DON’Ts, as attacks continue to grow more sophisticated.
In this demo-packed presentation, we do give advice. Even better, we give it in the form of Puppet scripts, ideal for capturing and enforcing best practices across servers. This is the DevOps approach to enabling HTTPS. Participants learn how to set up HTTPS-enabled web servers with Puppet, how to review and adapt existing manifests according to specific needs and prevailing cryptographic advice, and how to incorporate third-party modules.
We discuss pain points in the configuration, show how Puppet helps with change management and demonstrate how to migrate an existing user base via HSTS.

Speakers
Nelis Boucké

Nelis Boucké is a software engineer, consultant and entrepreneur. Nelis obtained a Ph.D. in Computer Science from the K.U.Leuven in 2009 and is a Certified TOGAF 9 Professional. He has experience in both industry and research projects on software architecture for complex distribute...

Thomas Herlea

Thomas Herlea is an IT security consultant specialized in application security. He performs vulnerability assessments and consults on secure development with the Trasys Group. Previously, he was employed by Verizon Business.
Thomas is an alumnus of the COSIC research group and an active member of OWASP and...

Johan Peeters

independent
Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org...


Thursday August 22, 2013 11:50am - 12:35pm
Freiraum

11:50am

Precision Timing - Attacking browser privacy with SVG and CSS
Maybe you’ve heard it before - HTML 5 brings a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and interesting side effects.

Traditionally, browser timing attacks involve cache or network timing. In this presentation, I’ll introduce a number of new techniques that perform timing attacks on graphics operations involving CSS and SVG to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.

Speakers
Paul Stone

Paul (@pdjstone) Stone's talk shows novel ways of extracting data across origin borders using timing attacks - with SVG and other technologies. One might want to deploy additional HTTP headers after watching this outstanding presentation.


Thursday August 22, 2013 11:50am - 12:35pm
Aussichtsreich Emporio

12:35pm

Lunch Break
Thursday August 22, 2013 12:35pm - 1:50pm
No specific Room

1:50pm

A Perfect CRIME? Only time will tell
In 2012, security researchers shook the world of security with their CRIME attack against the SSL encryption protocol. CRIME (Compression Ratio Info-leak Made Easy) attack used an inherent information leakage vulnerability resulting from the HTTP compression usage to defeat SSL’s encryption. 
However, the CRIME attack had two major practical drawbacks. The first is the attack threat model: the CRIME attacker is required to control the plaintext AND to be able to intercept the encrypted message. This attack model limits the attack mostly to MITM (Man In The Middle) situations.
The second issue is that the CRIME attack was solely aimed at HTTP requests. However, most of the current web does not compress HTTP requests. The few protocols that did support HTTP request compression (SSL compression and SPDY) dropped their support following the disclosure of the attack details, thus rendering the CRIME attack irrelevant.
In our work we address these two limitations by introducing the TIME (Timing Info-leak Made Easy) attack for HTTP responses.
By using timing information differential analysis to infer the compressed payload’s size, the CRIME attack’s attack model can be simplified and its requirements can be loosened. In TIME’s attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors, to break SSL encryption and/or Same Origin Policy (SOP).
Changing the target of the attack from HTTP requests to HTTP responses significantly increases the attack surface, as most of the current web utilizes HTTP response compression to save bandwidth and latency. 

Speakers
Tal Be'Ery

Tal Be’ery is the web security research team leader at Imperva’s Application Defense Center (ADC). In this position, he leads the efforts to capture and analyze hacking activities. The insights obtained in this process are incorporated into the design of new security mechanisms by the web research team he leads. Mr...


Thursday August 22, 2013 1:50pm - 2:35pm
Freiraum

1:50pm

From the Trenches: Real-World Agile SDLC
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise. In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.

In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project. We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers
Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode’s core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Securi...

Ryan O'Boyle

Veracode
Ryan O’Boyle is a Principal Security Researcher at Veracode, and a certified ScrumMaster. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments, where he was focused not only on finding vulnerabilities but helping engineers fix...


Thursday August 22, 2013 1:50pm - 2:35pm
Großer Saal

1:50pm

Burp Pro - Real-life tips and tricks
A lot of services are provided through the Web. Pentesters are spending a lot of time testing Web applications, Web Services, REST and JSON interfaces, mobile applications and thick clients. For all these assessments, an interactive HTTP proxy is mandatory to intercept, analyze, modify and replay the traffic. Burp Pro is the "de facto" tool for this kind of job. This presentation conveys many years of experience in using this tool and will try to address real-life situations. Topics covered: recent features like Burp Extender, testing of mobile applications, automatic scanning despite CSRF tokens (using "Recursive Grep" or Macros) and session logout, interactive parsing and manipulation of items, useful tricks like shortcuts and backups, efficient brute-forcing of BasicAuth forms, ... 

Speakers
Nicolas Grégoire

Nicolas Grégoire (@agarri_fr), electronic-sheep-herder from the beautiful South of France, will show how to get the most out of Burp Pro during pen-tests. A must see for serious offensive security folks who like to do more than just clicking buttons.


Thursday August 22, 2013 1:50pm - 2:35pm
Aussichtsreich Emporio

2:00pm

Make cryptography trivial by rearranging the tools.
Eccentric Authentication is an authentication protocol that places end user anonymity, privacy and ease of use above other requirements. The user comes first, the web sites come second. The spies can go home.

The protocol offers:
- anonymous accounts at web sites;
- an end to the password problems;
- a way to exchange keys (securely) by looking up names;
- an end to phishing;
- a way to make javascript applications safe against untrusted code.

By tapping into the centralised DNSSEC/DANE structure, we can create a decentralised anonymous naming infrastructure. That will provide people with anonymity.

The key insight is to forego the requirement of Trust, to gain security. Instead, we create verifiable security that will allow trust to be given.

http://eccentric-authentication.org

Thursday August 22, 2013 2:00pm - 6:00pm
Alsterpanorama II Emporio

2:00pm

sqlmap - Would you like to inject some SQL?
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

http://sqlmap.org

Thursday August 22, 2013 2:00pm - 6:00pm
Alsterpanorama I Emporio

2:00pm

ThreadFix: The Open Source Software Vulnerability Management Platform
ThreadFix is a software vulnerability aggregation and management system that helps organizations coordinate scanning activities, aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

https://code.google.com/p/threadfix/

Speakers
Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 comp...


Thursday August 22, 2013 2:00pm - 6:00pm
Hafenpanorama I Emporio

2:40pm

MalloDroid, Hunting Down Broken SSL in Android Apps
In a study [1], we investigated the SSL/TLS security of 13,500 free Android apps from Google's Play Market and identified serious security threats for their users. Our analysis revealed that 1,074 (8.0 %) of the examined apps contained SSL/TLS code that was potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. 

From these 41 apps, we captured amongst others credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote servers, arbitrary email accounts, and IBM Sametime.

During our investigation, we conducted static code analysis to identify apps that applied inappropriate SSL certificate validation strategies. In this work, we present our tool MalloDroid and make it available to the public. MalloDroid is based on the Androguard [2] reverse engineering framework and provides a comfortable and easy-to-use command line interface for developers of apps, security auditors and all other interested parties to identify Android apps that include customized TrustManager and HostnameVerifier implementations. It also discovers whether apps override the onReceivedSslError method of Android's WebViewClient, which is used by many apps. Additionally, MalloDroid includes a signature database of known implementations that apply broken SSL certificate validation and reports a risk level for customized SSL implementations. With the help of MalloDroid, code that breaks effective SSL certificate validation can be easily identified.

As a second contribution, we present results of interviews we conducted with 15 developers of vulnerable apps with the intention to identify the reasons behind the broken SSL certificate validation in Android apps. We asked developers why they implemented SSL certificate validation the way they did it and if they were aware of security implications of their decisions. Based on the interviews, we were able to identify some common problems Android app developers seem to have with using SSL in a secure way. We even found developers who stated that they apply code security audits that check whether SSL is used, but these audits did not check correct SSL certificate validation.

We hope that both, MalloDroid and the interview results, will help Android developers understand the problems that can occur in SSL code and help them create truly secure SSL connections. We also believe this work can support security auditors and penetration testers in their efforts.

[1] Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgartner, L., and Freisleben, B. "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)security." In Proc. of CCS 2012 pp. 50 - 61.
[2] cf. https://code.google.com/p/androguard/
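The checks described above, as an added example that is not MalloDroid's own code (MalloDroid works on Dalvik bytecode through Androguard): a regex scan over constructed, decompiled-style Java sources that flags custom X509TrustManager and HostnameVerifier implementations, an empty checkServerTrusted body, a verify() that always returns true, and a WebViewClient whose onReceivedSslError (the method's actual spelling in the Android API) calls handler.proceed(). File names, classes and signatures are invented for the example, and the rule set is illustrative rather than the MalloDroid signature database.

```python
import re

# Constructed, decompiled-style Android sources used only as sample input for
# this scan. None of them come from the MalloDroid study or from a real app.
SAMPLE_SOURCES = {
    "com/example/app/TrustAllManager.java": """
public class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
""",
    "com/example/app/LaxVerifier.java": """
public class LaxVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
""",
    "com/example/app/LoginWebView.java": """
public class LoginWebView extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();   // accepts any certificate error
    }
}
""",
    "com/example/app/PinningManager.java": """
public class PinningManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (!Arrays.equals(chain[0].getPublicKey().getEncoded(), PINNED_KEY)) {
            throw new CertificateException("public key does not match pin");
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates not supported");
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
""",
}

RISK_ORDER = {"NONE": 0, "MEDIUM": 1, "HIGH": 2}

# Illustrative signatures, not MalloDroid's database: MEDIUM = custom SSL code
# that needs a manual look, HIGH = a pattern that disables validation outright.
RULES = [
    ("custom-trustmanager",
     re.compile(r"implements\s+(?:[\w.]+\.)?X509TrustManager\b"), "MEDIUM"),
    ("accept-all-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"), "HIGH"),
    ("custom-hostnameverifier",
     re.compile(r"implements\s+(?:[\w.]+\.)?HostnameVerifier\b"), "MEDIUM"),
    ("allow-all-hostnameverifier",
     re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"), "HIGH"),
    ("webview-proceed-on-ssl-error",
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\bhandler\.proceed\s*\(\s*\)"), "HIGH"),
]


def scan_source(source):
    """Return [(rule id, risk)] for every rule whose signature matches the source."""
    return [(rule_id, risk) for rule_id, pattern, risk in RULES if pattern.search(source)]


def risk_level(findings):
    """Collapse a list of findings into one risk level for the class."""
    if not findings:
        return "NONE"
    return max((risk for _, risk in findings), key=RISK_ORDER.__getitem__)


def scan_sources(sources):
    """Scan a {path: source} mapping; returns {path: (findings, risk level)}."""
    report = {}
    for path, source in sources.items():
        findings = scan_source(source)
        report[path] = (findings, risk_level(findings))
    return report


if __name__ == "__main__":
    for path, (findings, level) in scan_sources(SAMPLE_SOURCES).items():
        print(f"{level:6} {path}  {[rule_id for rule_id, _ in findings]}")
```

A source-level pattern match is a cheap first pass, not a substitute for bytecode analysis: an obfuscated or reflectively loaded TrustManager will not match a regex, and a custom manager that pins correctly (PinningManager above) still lands in the MEDIUM bucket and needs a human to confirm it.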

Speakers
Sascha Fahl

Sascha Fahl is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg where he received his Diplom in 2011. His current research is focused on usability... Read More →
Marian Harbach

Marian Harbach is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg and Monash University Melbourne until 2011. His current research is focused on usability challenges and the acceptance of novel security and privacy technologies. He also investigates risk communication and... Read More →
Matthew Smith

Prof. Smith is a Professor of Computer Science at Leibniz University Hannover, Germany where he leads the Distributed Computing & Security Group. He studied Computer Science at the University of Siegen and received a PhD from Philipps University Marburg in 2008. His current resea... Read More →


Thursday August 22, 2013 2:40pm - 3:25pm
Freiraum

2:40pm

OWASP Top 10 Proactive Controls
The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. While not complete, this talk does describe the bare minimum required of a development team if they wish to have even a small chance of producing moderately secure software.

Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

Authentication
- Password storage, HMAC's for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot password workflow

Access Control
- Limits of access control
- Permission-based access control

Encoding
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow
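One of the controls listed above, query parameterization, as an added example that is not part of the talk or of the Proactive Controls project: the concatenated login query beside its parameterized form, run against a constructed in-memory SQLite table, plus the case parameters cannot cover (an identifier in ORDER BY), which needs an allowlist instead. Table, account and payload are invented for the example.

```python
import sqlite3


# Constructed sample account. A real table stores a salted password hash, not
# the password; the plain value keeps the injection effect easy to see.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_concatenated(conn, name, password):
    """VULNERABLE: user input becomes part of the SQL text, so a quote character
    in the password rewrites the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """SAFE: the statement text is fixed; values are bound separately and can
    never change the query's structure, whatever characters they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Parameters only work for values. Identifiers (column names in ORDER BY, table
# names) cannot be bound, so they must come from an allowlist instead.
SORTABLE_COLUMNS = {"name"}


def users_sorted_by(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]


# Constructed injection payload: closes the password literal and appends an
# always-true condition.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "concat_valid": login_concatenated(conn, "alice", "correct horse battery staple"),
        "concat_injected": login_concatenated(conn, "alice", PAYLOAD),
        "concat_injected_unknown_user": login_concatenated(conn, "nobody", PAYLOAD),
        "param_valid": login_parameterized(conn, "alice", "correct horse battery staple"),
        "param_injected": login_parameterized(conn, "alice", PAYLOAD),
        "param_injected_unknown_user": login_parameterized(conn, "nobody", PAYLOAD),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30} login {'succeeded' if result else 'rejected'}")
```

The concatenated form lets the payload log in even as a user that does not exist, because the appended OR makes the whole WHERE clause true; the parameterized form compares the payload as a literal password and fails.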

Speakers
Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a globa... Read More →


Thursday August 22, 2013 2:40pm - 3:25pm
Großer Saal

2:40pm

Augmented Reality in your Web Proxy
This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.

The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.

The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.

Speakers
Roberto Suggi Liverani

Roberto (@malerisch) Suggi Liverani will rise from the shadows and present the perfect follow-up to Nicolas' talk: he will present new techniques to find dangerous bugs in web applications that usually go unnoticed by even the most professional testers.


Thursday August 22, 2013 2:40pm - 3:25pm
Aussichtsreich Emporio

3:25pm

Coffee Break
Thursday August 22, 2013 3:25pm - 3:55pm
No specific Room

3:55pm

Content Security Policy - the panacea for XSS or placebo?
Content Security Policy (CSP) is the mechanism to mitigate one of the most
popular web application issues called Cross-Site Scripting (XSS).
CSP is a declarative policy that allows application to inform the browser
about specific areas where application expects all resources to be loaded,
such as scripts and images.

In this presentation, we will talk about:

1. XSS. Very briefly because in 2013 pretty much everyone knows about this attack.
2. CSP. What risks this mechanism covers and what does not:

- CSP inside
- Browser support status and issues
- Policy definition mistakes and CSP common security considerations
- XSS without JS

3. Experience. How we implemented CSP on a service with an audience
more than 11 million users per week:

- Changes in service
- Bugs in browser implementations
- Problems with 3rd party libraries
- Way from Report-Only to Block mode
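The policy-definition mistakes and the Report-Only to enforcing path, as an added example that is not Yandex's code: a small CSP parser and checker run over constructed policies, with a helper that builds the header pair for each deployment mode. Directive and keyword names follow CSP 1.0; the sample policies, report URI and findings wording are assumptions of the example.

```python
# Source expressions that let injected content run or load from anywhere.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:", "blob:"}
# Directives that decide whether injected content executes or plugins load.
CODE_DIRECTIVES = ("script-src", "object-src")


def parse_csp(header_value):
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when not set; None = unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def check_policy(header_value):
    """Return a list of human-readable policy mistakes (empty list = nothing found)."""
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive you did not list is unrestricted")
    for directive in CODE_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} unrestricted (neither {directive} nor default-src set)")
            continue
        for src in sources:
            if src in UNSAFE_SOURCES:
                findings.append(f"{directive} allows {src}")
            elif "*" in src:
                findings.append(f"{directive} allows wildcard host {src}")
    return findings


def csp_header(policy_value, report_only, report_uri=None):
    """(header name, header value) for deploying a policy: start in Report-Only,
    read the reports, then switch the same value over to the enforcing header."""
    value = policy_value.rstrip("; ")
    if report_uri:
        value += f"; report-uri {report_uri}"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


# Constructed policies for illustration.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *"
STRICT_POLICY = "default-src 'none'; script-src 'self'; object-src 'none'; img-src 'self' data:"


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, check_policy(policy) or "no findings")
    print(csp_header(STRICT_POLICY, report_only=True, report_uri="/csp-report"))
```

The checker treats script-src and object-src as the directives that decide whether injected content runs and falls back to default-src the way browsers do. 'unsafe-inline' is flagged unconditionally here; later CSP levels let a nonce or hash override it in browsers that support them, so a checker for a current policy would also have to look for those.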

Speakers
Taras Ivashchenko

Yandex
Taras Ivashchenko - Information Security Officer at Yandex | | For a long time he focused on penetration tests (especially by PCI DSS standard),  | but his main focus has always been on web application security  | and web technologies in common. He is well known for his research (http://www.oxdef.info) in... Read More →


Thursday August 22, 2013 3:55pm - 4:40pm
Großer Saal

3:55pm

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
Over the past several years there has been a noticeable rise in the number of reported targeted attacks, which are also commonly referred to as advanced persistent threats (APTs). This is seen by security experts as a landscape shift from a world dominated by widespread malware that infect indiscriminately, to a more selectively targeted approach with higher gain. One thing that is clear about targeted attacks is that they are difficult to detect, and not much research has been conducted so far in detecting these attacks. In this paper, we propose a novel system called SPuNge that processes threat information collected on the users' side to detect potential targeted attacks for further investigation. We use a combination of clustering and correlation techniques to identify groups of machines that share a similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil & gas). We evaluated our system against real data collected by an antivirus vendor from over 20 million customers installations worldwide. Our results show that our approach works well in practice and is helpful in assisting security analysts in cybercrime investigations.

Speakers
Marco Balduzzi

Dr. Marco Balduzzi holds a Ph.D. in applied IT security from Télécom ParisTech and a M.Sc. in computer engineering from the University of Bergamo. | | His interests concern all aspect of computer security, with particular emphasis on real problems that affect systems and net... Read More →


Thursday August 22, 2013 3:55pm - 4:40pm
Freiraum

3:55pm

RESTful security
REST services are quickly gaining in popularity due to their simplified nature compared to SOAP-driven web services. But while SOAP-driven web services have well-defined security controls, what do we do with REST and what can go wrong?

Speakers
Erlend Oftedal

CTO, Blank
Erlend is a developer, architect and security tester from Oslo, Norway. These days most of his work is around improving software development lifecycles with regards to security. Erlend is the head of the OWASP Norway chapter, and spends some of his free time on security research... Read More →


Thursday August 22, 2013 3:55pm - 4:40pm
Aussichtsreich Emporio

4:45pm

Improving the Security of Session Management in Web Applications
Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as an authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. On the contrary, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP. 

We propose a secure and lightweight session management mechanism, effectively improving session management security with HTTP deployments. By establishing a safely contained, shared secret between browser and server, an attacker is prevented from taking over a user’s session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties. 

Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.

Speakers
Lieven Desmet

Research Manager, imec-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middlewa... Read More →
Wouter Joosen

imec-DistriNet - KU Leuven
Frank Piessens

Professor, imec-DistriNet, KU Leuven
Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security... Read More →
Philippe De Ryck

Web Security Expert, KU Leuven
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge... Read More →


Thursday August 22, 2013 4:45pm - 5:30pm
Freiraum

4:45pm

Security Testing Guidelines for mobile Apps
Smartphones and tablets increasingly become part of our everyday life. Apps of all kinds assist us with work and personal activities. Besides the additional benefits of these apps, the extended use of mobile devices is currently also one of the biggest threats to sensitive business data and user privacy. Due to their mobility, smartphones and tablets are exposed to additional risks: they are connected to public and insecure networks, they are easily lost or stolen, and location services can be misused to track users. In addition to that, IT managers and developers usually do not care too much about security for mobile devices yet and focus on trendy solutions and usability. But this carefreeness is risky because attackers are aware of the lack of security measures for many mobile apps, too.
As for most software, security and privacy should be considered during all stages of mobile app development. In particular, it should be verified and approved before the release or installation. But an approach adapted to the specific requirements of testing the security of mobile apps was not available until a short time ago. This led to the decision to develop such a method and resulted in a "Mobile Security Testing Guide". This guide incorporates existing models for penetration testing and extends and adapts them to meet the requirements for security evaluation of mobile apps. It includes platform-independent standard procedures and offers flexible options to adapt it to the needs of the penetration tester or customer.
This presentation will give an overview of the "Mobile Security Testing Guide", outline differences and similarities to a conventional penetration test and show with examples how to apply it in practice.

Speakers
Florian Stahl

Lead Consultant Information Security, msg systems ag
Florian Stahl is a German security and privacy consultant and evangelist. He is Master in information systems and computer science and has CISSP and CIPT certifications. Currently Florian is Lead Consultant at msg systems in Munich. He is regular speaker at conferences, wri... Read More →
Johannes Stroeher

msg systems ag


Thursday August 22, 2013 4:45pm - 5:30pm
Großer Saal

4:45pm

Matryoshka
In recent years some people have taken on the task of trying to fix web security. Let's say we fixed all our problems. Let's say we all use contextual-aware auto-escaping templates, and we all use a secure CSP at a site-wide layer.

Let's say everyone was using an up-to-date browser. Let's say that our databases and backends were enforcing access control for the application.
Let's say there are no more APIs that permit attacks like LFI or SQL injection.
Let's say that we don't need to worry about Java, Flash, Silverlight, Acrobat, and so on. Let's say mixed content wasn't a problem anymore.
Let's say we didn't need CSRF tokens anymore.
Let's say all servers around the world were using DH key exchange and Channel ID. Let's say the whole world was using two-factor authentication.
Let's say that all our frameworks were developed in a way that introducing vulnerabilities is the path of most resistance. What's next?

This talk would be a quick "these old problems are getting fixed!", immediately followed by "what's next is even better".

Speakers
Eduardo Vela

Eduardo Vela Nava, a.k.a. @sirdarckcat and living web-security legend, will give a preview of what web attacks will look like after we have fixed all the problems we face now. Perfect follow-up after Gareth's "XSS Horror Show".


Thursday August 22, 2013 4:45pm - 5:30pm
Aussichtsreich Emporio

5:35pm

A Doorman for Your Home - Control-Flow Integrity Means in Web Frameworks
Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harming requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Then, we evaluate the most prevalent web application frameworks in order to assess possibly existing means to explicitly define and enforce intended control flows. While we find that all tested frameworks allow individual retrofit solutions, only one out of ten provides a dedicated control-flow integrity protection feature. Finally, we describe ways to equip web applications with control-flow integrity properties.
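An explicit control-flow definition with server-side enforcement, as an added example that is not code from the paper or from any of the ten frameworks it evaluates: a constructed checkout flow in which each step declares its permitted successors and the parameters it accepts, and a guard that rejects any request outside that definition. Step names, parameters and the session model are assumptions of the example.

```python
class FlowViolation(Exception):
    """Raised for a request that the declared control flow does not allow."""


# Constructed checkout flow: each step lists the steps that may follow it and
# the parameters the step accepts. Anything else is rejected.
CHECKOUT_FLOW = {
    "start":   {"next": {"cart"},               "params": set()},
    "cart":    {"next": {"cart", "address"},    "params": {"item", "qty"}},
    "address": {"next": {"cart", "payment"},    "params": {"street", "city"}},
    "payment": {"next": {"address", "confirm"}, "params": {"card_token"}},
    "confirm": {"next": {"done"},               "params": set()},
    "done":    {"next": set(),                  "params": set()},
}


class ControlFlowGuard:
    """Server-side enforcement of an explicit control-flow definition.

    The guard keeps the current step per session and admits a request only if
    (1) the requested action is a declared successor of the current step and
    (2) every parameter it carries is declared for that action. Prices, user
    ids and similar server-known values are therefore never accepted from the
    client, which closes the parameter-tampering side of the problem as well.
    """

    def __init__(self, flow, initial="start"):
        self.flow = flow
        self.initial = initial
        self.current = {}   # session id -> current step

    def request(self, session_id, action, params):
        here = self.current.get(session_id, self.initial)
        allowed_next = self.flow[here]["next"]
        if action not in allowed_next:
            raise FlowViolation(
                f"{action!r} is not a valid successor of {here!r}; expected one of {sorted(allowed_next)}")
        unexpected = set(params) - self.flow[action]["params"]
        if unexpected:
            raise FlowViolation(f"{action!r} does not accept parameters {sorted(unexpected)}")
        self.current[session_id] = action
        return action

    def step(self, session_id):
        return self.current.get(session_id, self.initial)


def walk(guard, session_id, requests):
    """Apply a list of (action, params); returns (step reached, first violation or None)."""
    for action, params in requests:
        try:
            guard.request(session_id, action, params)
        except FlowViolation as exc:
            return guard.step(session_id), str(exc)
    return guard.step(session_id), None


if __name__ == "__main__":
    guard = ControlFlowGuard(CHECKOUT_FLOW)
    print(walk(guard, "honest", [("cart", {"item": "book", "qty": "1"}),
                                 ("address", {"street": "Main", "city": "Hamburg"}),
                                 ("payment", {"card_token": "tok_1"}),
                                 ("confirm", {}), ("done", {})]))
    print(walk(guard, "skipper", [("confirm", {})]))
    print(walk(guard, "tamperer", [("cart", {"item": "book", "qty": "1", "price": "0.01"})]))
```

The declared "next" sets model the hyperlinks the application would have sent; the "params" sets model the form fields it would have rendered. A request that the page could not have produced is rejected before any business logic runs.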

Speakers
Bastian Braun

Bastian Braun received a diploma in computer science (with honors) and a bachelor degree in economics from RWTH Aachen in 2006. Afterwards, he joined the research group "Security in Distributed Systems" at the University of Hamburg. In 2008, he moved to the University of Passau w... Read More →


Thursday August 22, 2013 5:35pm - 6:20pm
Freiraum

5:35pm

Eradicating DNS Rebinding with the Extended Same-Origin Policy
The Web's principal security policy is the Same-Origin Policy (SOP), which enforces origin-based isolation of mutually distrusting Web applications. Since the early days, the SOP was repeatedly undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. To counter these attacks, the browser vendors introduced countermeasures, such as DNS Pinning, to mitigate the attack. In this talk, we present a novel DNS Rebinding attack method leveraging the HTML5 Application Cache. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: The SOP's main purpose is to ensure security boundaries of Web servers. However, the Web servers themselves are only indirectly involved in the corresponding security decision. Instead, the SOP relies on information obtained from the domain name system, which is not necessarily controlled by the Web server's owners. This mismatch is exploited by DNS Rebinding. Based on this insight, we propose a light-weight extension to the SOP which takes Web server provided information into account. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation's interoperability and security properties.
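The mismatch described above, seen from the Web server's side, as an added example that is not the extended SOP implementation from the talk: a rebound request still carries the attacker's hostname in its Host header, because the browser fills Host from the URL it navigated to, not from the IP address the name now resolves to. The check below lets an internal service refuse requests that do not name it, which is one of the long-known server-side mitigations. Hostnames, request strings and the minimal HTTP handling are constructed for the example.

```python
import ipaddress

# Hostnames this internal service is willing to answer for (constructed).
SERVED_HOSTS = {"intranet.example", "intranet.example.internal"}


def host_header_ok(host_header, served_hosts=SERVED_HOSTS):
    """True only if the Host header names this service by one of its own names.

    After a rebinding the browser's SOP check has already passed (same origin,
    different IP), but the request still says Host: attacker.example, so the
    server can recognise it. Bare IP literals are rejected as well, since a
    rebinding page can address the target directly.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        return False
    if host.count(":") == 1:                      # strip an explicit port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return False                              # IPv4/IPv6 literal
    except ValueError:
        pass
    return host in served_hosts


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser for the demo."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def handle_request(raw):
    """Status the service would send: 200, 400 (no Host), 403 (foreign Host)."""
    _method, _path, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return 400
    if not host_header_ok(host):
        return 403
    return 200


# Constructed requests. The second is what the internal service sees after a
# rebinding: the browser believes it is still talking to attacker.example.
LEGIT_REQUEST = "GET /admin/config HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
REBOUND_REQUEST = "GET /admin/config HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
IP_LITERAL_REQUEST = "GET /admin/config HTTP/1.1\r\nHost: 10.0.0.7:8080\r\n\r\n"
NO_HOST_REQUEST = "GET /admin/config HTTP/1.1\r\n\r\n"


if __name__ == "__main__":
    for label, req in (("legit", LEGIT_REQUEST), ("rebound", REBOUND_REQUEST),
                       ("ip literal", IP_LITERAL_REQUEST), ("no host", NO_HOST_REQUEST)):
        print(f"{label:11} -> {handle_request(req)}")
```

This is a per-server opt-in and protects only the servers that deploy it, which is exactly the limitation the talk's SOP extension addresses by having the browser consult server-provided information before it grants access.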

Speakers
Ben Stock

Ben Stock studied for his Bachelor at the University of Mannheim and | advanced to Technische Universität Darmstadt to graduate with a Master's | degree in IT security. His earlier work was mainly in the area of malware | and his Bachelor thesis on the Waledac botnet was awarded... Read More →


Thursday August 22, 2013 5:35pm - 6:20pm
Großer Saal

5:35pm

The innerHTML Apocalypse - How mXSS attacks change everything we believed to know so far
This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them.
We analysed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help the audience understand what mXSS is, why mXSS is possible, and why it is important for defenders as well as professional attackers that it be understood and researched even further.
The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

Speakers
Mario Heiderich

Mario (@0x6D6172696F) Heiderich, heart-breaker, bon vivant and co-organizer of this track, will cover mXSS attacks: HTML injections that break each and every HTML filter, and show how hard it is to really effectively protect against XSS exploits if browsers are buggy.


Thursday August 22, 2013 5:35pm - 6:20pm
Aussichtsreich Emporio

7:00pm

Conference Dinner
Thursday August 22, 2013 7:00pm - Friday August 23, 2013 12:15am
Cap San Diego Überseebrücke, 20459 Hamburg
 
Friday, August 23
 

8:30am

Registration
Friday August 23, 2013 8:30am - 9:30am
Foyer Emporio

9:00am

OWASP Projects session
The OWASP Project Session is a 2 hour meeting and workshop that aims to bring together current and potential OWASP project leaders to discuss project related issues and topics. It is a forum that will be used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members. 
The meeting will be chaired by Simon Bennetts - OWASP ZAP Project leader and Abraham Aranguren: OWASP OWTF Project leader.

Speakers
Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Friday August 23, 2013 9:00am - 11:00am
Hafenpanorama I Emporio

9:15am

Keynote: Secure all the things: fiction from the Web's immediate future
While we declare victory or defeat on yesterday's security challenges, the Web is moving on - to objects from cars to centrifuges, to sights and sensors, to glasses and listening gadgets. And yesterday's attacker models seem quaint against today's capabilities. This talk takes a perhaps fictional look at the Web's immediate future, and asks whether today's thinking on security is indispensable, futile, or both.

Speakers
Thomas Roessler

Thomas Roessler joined the W3C Team in November 2004 to work on security, privacy, and European policy issues. He currently serves as Technology and Society Domain Leader. | Prior to joining W3C, Thomas worked at the University of Bonn on numerics of partial differential equations, and collected programming, systems administration and computer forensics experience. He served as the lead maintainer of the free software mail user... Read More →


Friday August 23, 2013 9:15am - 10:00am
Großer Saal

9:30am

OWASP Hackademic Challenges
The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

After almost 1.5 years of intensive development and participation in two Google Summer of Code programs we will be able to demonstrate a stable version with several new features. Visitors of our booth will be able to have a hands-on experience of Hackademic through a Raspberry Pi implementation we will be bringing along. We had a great turnout during AppSec USA in Austin last year and we would like to repeat that in Hamburg.

https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project

Speakers
Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


Friday August 23, 2013 9:30am - 1:30pm
Alsterpanorama I Emporio

9:30am

OWASP O2 Platform
http://o2platform.com

Speakers
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is "Secure Continuous Delivery... Read More →


Friday August 23, 2013 9:30am - 1:30pm
Alsterpanorama II Emporio

9:30am

WS-Attacker
WS-Attacker is a modular framework for web services penetration testing. It is a free and easy to use software solution, which provides an all-in-one security checking interface with only a few clicks.

Currently the following attacks are implemented:
- Automatic XML Signature Wrapping attack against Web Services
- XML-Denial-of-Service Techniques against Web Services
- SOAPAction Spoofing and WS-Addressing Spoofing
Further Attacks in Development (even apart from Web Services)


http://sourceforge.net/projects/ws-attacker/

Speakers
Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML sec... Read More →
Juraj Somorovsky

Security Consultant, Ruhr-University Bochum
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications... Read More →


Friday August 23, 2013 9:30am - 1:30pm
Alsterpanorama II Emporio

10:00am

Coffee Break
Friday August 23, 2013 10:00am - 10:25am
No specific Room

10:25am

Q-Box and H-Box: Raspberry PI for the Infrastructure and Hacker
This is a presentation/demonstration of utilizing Raspberry Pi to create two products hailed as the Q-Box and the H-Box
1. H-Box: Hacking Arsenal 
2. Q-Box: Small-Form Infrastructure Monitoring device. 

The Q-box represents a breakthrough in combining various network monitoring functions in a small form factor with extremely low power consumption (8 watts) device. It represents a new generation of devices suitable for branch offices as well as small and medium-sized businesses that have heretofore been priced out of the market for this depth of network monitoring and intrusion detection. This presentation is an implementation of Nagios, Snort, and ModSecurity within the framework of Raspberry PI. Each of these aforementioned tools has significant deployment worldwide, all are efficient at their respective tasks, yet they are generally used as a foundation for products that cost very large sums. This presentation is not a demonstration to hype the benefit of using Raspberry PI. Rather, it is a proof-of-concept demonstration that visually addresses the ability of combining professional security tools into the infrastructure of an SMB or multinational client without the expensive outlay of server hardware.

We will also compare and address the benefits of Q-box and the limitations of today’s Off the Shelf (OTF) solutions. A major limitation that has not been addressed is the processing limitations of an OTF Raspberry PI solution available in today’s market. Currently, our research utilizes a swap file capacity of 1.5 GB that will generate the rPi functional equivalent of 2GB RAM. This is far more than what is found in the rPi components on the market today and quite possibly as much as what may be found in far more expensive network appliance implementations that corporations use for monitoring and intrusion detection. The final benefit of the Q-box is its ability to convert the GPU into a RISC CPU. Network appliances do not need the graphics card, so this alteration was available and as such increases the efficiency of executing commands while minimizing power output.

There will be two live demonstrations: the Q-box on a private network and the H-Box on a local running Web Application.

The second demonstration is an implementation of H-Box. H-Box is a radical advance in a small form factor, easy to deploy hacking arsenal. Although there is at least one known implementation of Metasploit on a Raspberry Pi architecture, there are far more tools that can be added to one’s portable battery of hacking tools. This device is inconspicuous and offers security professionals a rapid breach solution via the HDMI or USB port of a computer, laptop or node.

Speakers
Fred Donovan

Fred is a Professor and an application security researcher.


Friday August 23, 2013 10:25am - 11:10am
Aussichtsreich Emporio

10:25am

Securing a modern JavaScript based single page web application
Modern web apps are often single page web apps. The heavy HTML-generating backend is replaced by JavaScript, JavaScript frameworks like Backbone.js and templating languages like mustache.js or underscore.js. Data is transferred via RESTful JSON services. We are moving functionality normally implemented on the server to the browser. Sometimes we even implement the backend using JavaScript. 

What kinds of security problems can occur if we do this incorrectly? How do we mitigate the security problems found in these applications?

Speakers
Erlend Oftedal

CTO, Blank
Erlend is a developer, architect and security tester from Oslo, Norway. These days most of his work is around improving software development lifecycles with regards to security. Erlend is the head of the OWASP Norway chapter, and spends some of his free time on security research... Read More →


Friday August 23, 2013 10:25am - 11:10am
Großer Saal

10:25am

Web Fingerprinting: How, Who, and Why?
The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

Third-party cookies have played an integral role in user-tracking, due to the ease of use of remote script and image inclusions and their seamless integration on a main page of a website. Today, the more knowledgeable users, in an effort to hide from third-party advertisers, regularly delete their cookies and use the private mode of their browsers.

This general unavailability of cookies motivated advertisers and trackers to find new ways of linking users to their browsing histories. Mayer in 2009 and Eckersley in 2010 both showed that the features of a browser and its plugins can be fingerprinted and used to track users without the need of cookies. Today, there is a small number of commercial companies that use such methods to provide device identification through web-based fingerprinting. Following the classification of Mowery et al., fingerprinting can be used either constructively or destructively. Constructively, a correctly identified device can be used to combat fraud, e.g., by detecting that a user who is trying to login to a site is likely an attacker who stole a user's credentials or cookies, rather than the legitimate user. Destructively, device identification through fingerprinting can be used to track users between sites, without their knowledge and without a simple way of opting-out.

In this talk, we first review Eckersley's Panopticlick, the first well known fingerprinting effort, and then examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. We also report on a large scale crawl, aimed towards the discovery of popular websites that currently make use of fingerprinting.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use divergences in the browsers' implementations to successfully distinguish not only the browser family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

Speakers

Nick Nikiforakis

Nick Nikiforakis is a final-year PhD candidate at the KU Leuven university in Belgium. Nick's main interest is the exploration of large-scale web ecosystems from a security and privacy point of view. In previous work, he has analyzed, among others, referrer-anonymizing services [8], file-hosting services [5] and remote JavaScript inclusions [6]. Nick has also presented some of his work at European hacking conferences (AthCon, Brucon and Confidence) and made the list of top 10 web-hacking techniques in 2011, by proposing a way to bypass...


Friday August 23, 2013 10:25am - 11:10am
Freiraum

11:15am

Insane in the IFRAME -- The case for client-side HTML sanitization
Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive "sanitizer science" is still a kind of voodoo magic. This talk will make the case that, as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and lessons learned from a prototype implementation.

Bio:
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, Ross spent his formative years on the Internet Explorer Security Team.

Speakers

David Ross

Microsoft


Friday August 23, 2013 11:15am - 12:00pm
Großer Saal

11:15am

Making Security Tools accessible for Developers
In late 2012 Mozilla released the first iteration of Minion, an open source security testing platform, and has been busy improving the architecture and service.

Leading into 2013, Minion will gain several powerful new features that will help anyone in the SDLC leverage powerful security tools with little knowledge or experience.

This session will provide an overview of what Minion is, how we use it at Mozilla, and how the community can leverage this powerful new platform to improve their security program.

Speakers

Yvan Boily

Application Security Manager, Mozilla
Yvan Boily is an Application Security Manager with Mozilla Corporation, and prior to that has a background in security with Finance and Government.  Yvan Boily has previously launched an OWASP chapter in Winnipeg and currently leads the OWASP Vancouver chapter.


Friday August 23, 2013 11:15am - 12:00pm
Aussichtsreich Emporio

11:15am

Making the Future Secure with Java
The world is not the same place it was when Java started. It's 2013, and attackers are intensely motivated, sophisticated, and well organized. Java security is a significant concern across many organizations as well as for individuals. Attend to learn more about Oracle's progress on Java platform security and some of our plans for the future.

Speakers

Milton Smith

Sr. Principal Product Security Manager - Java, Oracle
Milton Smith (Twitter, @spoofzu) leads the strategic security program for Java platform products as Sr. Principal Security PM at Oracle. Milton is responsible for defining the security vision for Java and managing working relationships with security organizations, researchers, an...


Friday August 23, 2013 11:15am - 12:00pm
Freiraum

12:05pm

Javascript libraries (in)security: A showcase of reckless uses and unwitting misuses
Client-side code is a growing part of the modern web, and the common patterns and libraries that are supposed to make developers' lives easier have the drawback of adding complexity to the code, exposing unexpected features with little or no warning.

We will focus on the most popular JavaScript libraries, such as jQuery and YUI, and on common design patterns, describing how wrong assumptions can lead to unexpected, unsafe behavior. Several code examples and live demos during the talk will clarify both exploitation techniques and positive coding strategies.

The presentation will also show some interesting case studies, collected and identified during two years of real-world application analysis.

Speakers

Friday August 23, 2013 12:05pm - 12:50pm
Großer Saal

12:05pm

OWASP Top 10 - 2013
The OWASP Top 10 was originally released in 2003 to raise awareness of the importance of application security. As the field evolves, the Top 10 needs to be periodically updated to keep up with the times. The Top 10 was updated in 2004, 2007, 2010, and now in 2013.

The OWASP Top 10 has become the de facto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example.

This presentation will explain how the OWASP Top 10 for 2013 changed from the previous version and why. It will then briefly go through each item in the OWASP Top 10 for 2013, explaining the risks each issue introduces to an enterprise, how attackers can exploit them, and what your organization can do to eliminate or avoid such risks in your application portfolio.

Speakers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP, including being a member of the OWASP Board since it was formed in 2003. Dave...


Friday August 23, 2013 12:05pm - 12:50pm
Freiraum

12:05pm

OWASP ZAP Innovations
The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.
There are many new developments in progress that will provide functionality currently unavailable in other security tools.
In this session Simon will give a quick introduction for newcomers to ZAP, and then dive into the new changes, demonstrating what's available right now and explaining what will be available in the very near future.

Speakers

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Friday August 23, 2013 12:05pm - 12:50pm
Aussichtsreich Emporio

12:50pm

Lunch Break
Friday August 23, 2013 12:50pm - 2:05pm
No specific Room

2:05pm

Clickjacking Protection Under Non-trivial Circumstances
An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks an unsuspecting victim into clicking on a specific element without the victim's explicit consent. Many web masters have deployed different countermeasures to this kind of attack to protect their websites from being exploitable. Based on our paper [1], this talk gives an overview of the currently available countermeasures. Thereby, it demonstrates that these countermeasures are either not applicable to many of the possible use cases or are vulnerable to different kinds of attacks. Among other bypasses of state-of-the-art protection mechanisms, we present a technique we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+ (despite deployed countermeasures). Furthermore, we present the results of a large-scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15 % of the analyzed web sites deploy countermeasures against Clickjacking.

After exploring the shortcomings and limitations, we present a novel approach that is capable of defending a Web site against current attacks and that is applicable to many scenarios where traditional countermeasures cannot be used.

[1] Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, and Martin Johns. On the fragility and limitations of current browser-provided clickjacking protection schemes. In WOOT, pages 53–63, 2012.

Speakers

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. H...

Ben Stock

Ben Stock studied for his Bachelor at the University of Mannheim and advanced to Technische Universität Darmstadt to graduate with a Master's degree in IT security. His earlier work was mainly in the area of malware and his Bachelor thesis on the Waledac botnet was awarded...


Friday August 23, 2013 2:05pm - 2:35pm
Großer Saal

2:05pm

Do You Have a Scanner or a Scanning Program?
By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis. 

This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth. 

The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 comp...


Friday August 23, 2013 2:05pm - 2:35pm
Aussichtsreich Emporio

2:05pm

WAFEC - content and history of an unbiased project challenge
The Web Application Firewall Evaluation Criteria was initially released in 2006 by the Web Application Security Consortium (WASC).

This talk will explain the history of WAFEC, from 1.0 to today. We will describe the problems and solutions in bringing together communities, security enthusiasts and vendors to write an unbiased paper about an important security product. These efforts finally resulted in one joint project between the two security communities, WASC and OWASP.

We will also describe the purpose of WAFEC 2.0, its goals, its audience, and how it can be used to evaluate the suitability of different WAFs.

Speakers

Achim Hoffmann

Having started with Linux/network security in the nineties, Achim Hoffmann has been working in web application security for more than 12 years. After working as a web-application developer for several years, he started concentrating on web application security as his major subject in different roles, such as penetration tester...


Friday August 23, 2013 2:05pm - 2:35pm
Freiraum

2:40pm

An Alternative Approach for Real-Life SQLi Detection
SQL injection vulnerabilities have been known for at least 15 years and still belong to the highest risk category in the OWASP TOP 10 for 2013. The problem does not seem to be solved yet. A web application firewall should protect vulnerable web applications against SQL injection attacks, but distinguishing malicious SQL injections from regular human input is a hard job. Inspired by libinjection, an optimized tokenizer and parser to detect SQL injections, we combined lexical analysis of user-supplied data with smart regular expression filters. As a result, we found a new way to reduce false positives while still efficiently detecting SQL injections.

Speakers

Friday August 23, 2013 2:40pm - 3:10pm
Freiraum

2:40pm

Introducing OWASP OWTF 5x5
Background: The Offensive (Web) Testing Framework (aka OWTF) is a free and open-source OWASP+PTES-focused tool. Its objective is to unite great tools and make pen testing more efficient. Full details are available at http://owtf.org.

In this talk there will be a brief introduction to OWASP OWTF. This will be followed up with demos of the latest features up until the time of the conference (with special focus on the Brucon sponsored 5x5 development features before the conference) to help pen testers get the most out of this tool and/or provide them with new ideas to improve their pen testing process.

OWASP OWTF is a tool that tries to achieve a new level of efficiency and comprehensiveness by combining great standards (OWASP aligned, PTES in the to-do list), great tools, websites and knowledge in the public domain together with continuous reporting using an interactive report that allows the pen tester to analyse the information in a similar fashion to the thought process of a chess player.

OWASP OWTF intends to find an optimal balance between automation and human analysis so that the best of both worlds can be attained.

Speakers

Abraham Aranguren

After an infosec honour mark at university, from 2000 until 2007 Abraham's contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and vulnerability prevention at the design level as an application and framework architect...


Friday August 23, 2013 2:40pm - 3:10pm
Aussichtsreich Emporio

2:40pm

Origin Policy Enforcement in Modern Browsers
The Same Origin Policy is the foremost security policy in all browsers. Like most browser code, it underwent a significant amount of change to keep up with the recent development of HTML5. This talk covers the Same Origin Policy as implemented in modern browsers. It goes into detail on where browsers behave similarly and where differences occur. The presentation of noteworthy exceptions, regardless of whether they are intended or have evolved out of legacy features, is then followed by an analysis of previous flaws. We identify parsing mismatches as the key source of policy bypasses and suggest methods to analyze and test browser code with regard to this discovery. The talk also gives an outlook into things that may come and evaluates the origin as a measure to bind authority for HTML5 APIs. Using our methods we have also identified security issues in the Java Runtime Environment and Mozilla Firefox, which will be presented at the end.

Speakers

Friday August 23, 2013 2:40pm - 3:10pm
Großer Saal

3:15pm

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome extensions
Browser extensions can let you easily make notes, entertain you with a game, or take an annotated screenshot of the website you're visiting. They can also XSS any website you're visiting, harvest your browsing history, replace your cookies, silently change your proxy or execute code on your machine. Even benign, legitimate extensions can do this, just because they were poorly coded. These flaws are fairly common, and the attacks are easy. In this talk meterpreter sessions will be opened, Google will be XSSed, all your mailbox will belong to us and your PGP private keys will be extracted. But as constructing attack payloads is so boring, we'll present tools that help you find vulnerable extensions, confirm the vulnerabilities and exploit them. After the talk you'll be set to go to either attack Chrome extensions or code them properly, as multiple code examples will be given.

The presentation will consist of a technical overview of the Google Chrome extensions architecture and its built-in security mechanisms, including Content Security Policy. Focus will be given to bypassing the protections by leveraging poor extension coding, UI redressing attacks or side-channel attacks. Several flaws in popular Chrome extensions will be demonstrated, with varying consequences from universal XSS flaws to Remote Code Execution on the client's machine.

Having analyzed top 10 000 most popular extensions from Chrome Web Store, we will describe several identified vulnerability classes including, but not limited to:

* XSS in content scripts
* XSS in view pages
* Direct URL access
* UI interface spoofing
* DOM content extraction
* NPAPI binary vulnerabilities

These vulnerabilities will be demonstrated on real-world examples, from vulnerable code snippets to complete exploits for them. The usual attack scenario will be attacking an extension via a malicious web page that abuses extension mechanisms to inject code or extract information.

Currently Google is phasing out extensions with manifest v1, while slowly forcing developers to create extensions with manifest v2. However, the security mechanisms introduced in v2 manifests, including obligatory Content Security Policy, still leave many possibilities for successful exploitation. During the talk special focus will be given to exploiting v2 extensions and exploring the constraints of their new security model in attack scenarios.


Friday August 23, 2013 3:15pm - 3:45pm
Großer Saal

3:15pm

OWASP AppSensor – In Theory, In Practice and In Print
The AppSensor Project defines the concept of application-specific real-time attack detection and response. Begun as an OWASP Summer of Code 2008 project by Michael Coates, who has since led an active team of contributors to enhance, extend, document and code the idea, the project is now listed on the US Department of Homeland Security's Software Assurance page about resilient software.

During 2013 a new AppSensor Guide book has been written to document the accumulated knowledge of the contributors, provide illustrative case studies, and most importantly showcase several working demonstration implementations. In 2012 and 2013 the development team have built on a previous core Java version to create a standalone web services AppSensor engine. This effort was supported by the Google Summer of Code 2012.

In this presentation Dennis Groves and Colin Watson will briefly summarise the concept, explain alternative architectural models, discuss the newly published implementation guide of which the two speakers are the primary authors, and explain the code and web services implementations that attendees will be able to use immediately in their own projects. Additionally, new research activities using a modified web application honeypot to test the efficacy of the AppSensor concept will be described.

Speakers

Dennis Groves

Co-Founder, OWASP
Dennis Groves is the co-founder of OWASP and a well known thought leader in application security whose work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London.

Colin Watson

Technical Director, Watson Hall Ltd
Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He...


Friday August 23, 2013 3:15pm - 3:45pm
Freiraum

3:15pm

OWASP Hackademic: a practical environment for teaching application security
Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the established stereotypes present potential intruders as ingenious and able to penetrate almost every system.

The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project from several researchers, including the New Jersey Institute of Technology.

The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and, more importantly, security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features, mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates.

Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.

This presentation will include several significant improvements compared to the one delivered at OWASP AppSec USA 2012 (video: http://videos.2012.appsecusa.org/video/54157393).

Speakers

Spyros Gasteratos

Spyros Gasteratos is a software engineer at Telesto Technologies Ltd. He has undertaken numerous projects in several fields of IT, such as Linux administration, web server hardening and web development. He is the project leader and the main developer of the OWASP Hackademic Chall...

Konstantinos Papapanagiotou, Spyros Gasteratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.


Friday August 23, 2013 3:15pm - 3:45pm
Aussichtsreich Emporio

3:50pm

New OWASP ASVS 2013
We are excited to announce and share the next version of the OWASP Application Security Verification Standard (ASVS) project. Since the last release in 2009, we have made significant improvements to the standard, including but not limited to:

1. Content updates to add new relevant content and clarify existing content
2. Document segregation
3. Case studies
4. Mapping to other relevant standards

In this presentation, we will walk through the major changes that we believe will increase adoption of the standard in industry. 

Speakers

Friday August 23, 2013 3:50pm - 4:20pm
Freiraum

3:50pm

Sandboxing Javascript
The inclusion of third-party scripts in web pages is a common practice. In this talk, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. The study illustrates that more than half of the Alexa top 10,000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.

Furthermore, we give an overview of current techniques to sandbox third-party JavaScript and mitigate the risks of including untrusted scripts. The overview ranges from state-of-practice techniques to novel approaches from academia. As part of the overview, we discuss JavaScript subsets and server-side transformation techniques such as AdSafe and Google CAJA, modified browser environments such as WebJail and ConScript, and client-side security architectures.

In particular, we focus on JavaScript security architectures on top of the Same-Origin Policy, CSP and sandboxed iframes, and client-side sandboxing techniques such as TreeHouse and JSand.

JSand is a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely on the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox.

We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well.

Speakers

Lieven Desmet

Research Manager, imec-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Security at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middlewa...

Nick Nikiforakis



Friday August 23, 2013 3:50pm - 4:20pm
Großer Saal

3:50pm

The SPaCIoS Tool: property-driven and vulnerability-driven security testing for Web-based application scenarios
In this talk, we present how the SPaCIoS Tool supports security analysts and developers in the security assessment of a system under test. In particular, we describe the main workflows and components that have been implemented as part of the SPaCIoS Tool and that rely on a combination of model-checking, model-based security testing, mutation testing, and penetration testing techniques to detect vulnerabilities and to evaluate the security implications of specific design and deployment decisions. We also report on a number of experiments we have been carrying out. In particular, we have been applying the tool as a proof of concept on a set of security testing problem cases drawn from industrial and open-source web-based application scenarios. We have also been executing collaboration projects with business units in industry as a stepping stone towards the industry migration of the SPaCIoS Tool.

Speakers

Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP, where he is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His area of interes...

Luca Viganò

Prof. Dr. Luca Viganò received his Ph.D. in Computer Science from the University of Saarbruecken, Germany, in 1997, and his Habilitation in Computer Science from the University of Freiburg, Germany, in 2003. He held a senior research scientist position at ETH Zurich, Switzerland...


Friday August 23, 2013 3:50pm - 4:20pm
Aussichtsreich Emporio

4:20pm

Coffee Break
Friday August 23, 2013 4:20pm - 4:45pm
No specific Room

4:45pm

Closing Note: "Access Control of the Web - The Web of Access Control"
Many (most?) of the familiar security problems of the Web can be understood as instances of broken access control once one adopts a generalized view of access control that leaves behind the user-centric approaches of the 1970s and 1980s. We will propose a framework for discussing access control in the Web, with a particular focus on the web of entities owning sensitive resources, defining policies, and enforcing policies, and on the questions of trust arising in this context. That is, why should an entity receiving a policy trust that this policy is in its own interest and/or in the interest of the owner of the resource the policy refers to?

Speakers

Dieter Gollmann

Prof Dieter Gollmann received his Dipl.-Ing. in Engineering Mathematics (1979) and Dr.tech. (1984) from the University of Linz, Austria in the Department for System Science. He earned the Dr. habil. at the University of Karlsruhe, Germany, where he was awarded the 'venia legendi' for Computer Science in 1991. He was a Lecturer in Computer Science at Royal Holloway, University of London, and rejoined Royal Holloway later in 1990, where he was the first Course Director of the MSc in Information Security. He's still giving guest lectures in Royal Holloway. He joined Microsoft Research in Cambridge in 1998. Then in 2003, he took the chair for Security in Distributed Applications at Hamburg University of Technology, Germany. Dieter Gollmann is an editor-in-chief of the International Journal of Information Security and an associate editor of the IEEE Security...


Friday August 23, 2013 4:45pm - 5:30pm
Aussichtsreich Emporio

5:30pm

Closing Ceremony
Now we face the final curtain. Agenda: * Thank you! * CTF prizes * Details for next year * Slides, Videos

Speakers

Friday August 23, 2013 5:30pm - 5:45pm
Aussichtsreich Emporio