Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu


AppSec Talk
Thursday, August 22
 

11:00am CEST

Experience made in Technical Due Diligence
Acquisitions are one way for companies to grow and enlarge their capabilities and portfolio. As part of the acquisition process, companies have to perform due diligence (DD) analysis. Architecture and technology assessments are often conducted only as a retrospective. During the DD and acquisition processes it is often forgotten that systems, platforms and software solutions form a complex "ecosystem" that is key to most business processes. Mobile and web applications as well as software services are also an integral element of the offered products or services.
The evaluation of software and information security as part of due diligence is relatively unexplored and has perhaps not been much in focus of due diligence in the past.
How technology and architecture reviews can be carried out properly and efficiently will be described by way of a process model. Based on the speaker's experience, the talk touches on which technical tools are available for analysis, how a relatively objective assessment can be achieved and how the results can be communicated to all stakeholders.

Speakers

Amir Alsbih

Dr. Amir Alsbih is the Chief Information Security Officer at the Haufe Group and directs the Internal Audit department. He is CISSP-ISSMP, CISSP and GCFA. His responsibilities include both technical and organizational aspects of information security. This is about risk and safety...


Thursday August 22, 2013 11:00am - 11:45am CEST
Großer Saal

11:00am CEST

Qualitative Comparison of SSL Validation Alternatives
Although SSL/TLS is in widespread use today, certificate validation currently suffers from the weakest link property created by the fact that any trusted CA can sign a certificate for any domain. Thus, if a single CA is compromised or coerced, any and all hosts using CA-signed certificates can be endangered. Several recent high profile hacking cases have brought attention to this problem and a number of promising new approaches to strengthen SSL security are being discussed. In this paper we propose an evaluation framework based on a catalog of desirable benefits of SSL validation systems. We evaluate the current CA-based PKI and the following alternative approaches: Perspectives, Convergence, Certificate Transparency, Sovereign Keys, TACK and DANE. We identify the different strengths and weaknesses of the systems, try to shed light on the trade-offs all systems have to make and show which disadvantages they incur that currently hinder adoption.

Speakers

Sascha Fahl

Sascha Fahl is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg where he received his Diplom in 2011. His current research is focused on usability...

Henning Perl

Henning Perl received his Master's degree in computer science in December 2011 from the Leibniz University Hanover, Germany and joined the university's Distributed Computing & Security Group in January 2012 as a doctorate student. While he was still a graduate student he developed...

Matthew Smith

Prof. Smith is a Professor of Computer Science at Leibniz University Hannover, Germany where he leads the Distributed Computing & Security Group. He studied Computer Science at the University of Siegen and received a PhD from Philipps University Marburg in 2008. His current research...


Thursday August 22, 2013 11:00am - 11:45am CEST
Freiraum

11:50am CEST

OWASP - CISO Guide and CISO report 2013 for managers
This talk will present two new OWASP projects, the CISO Guide and the first results of the CISO Survey report 2013. Its main goal is to provide guidance on application and web security for senior managers and to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide.
With a constantly evolving threat landscape where hackers seek to attack web applications to compromise customers' sensitive data and company proprietary information, CISOs are challenged by their businesses to make decisions on how to mitigate the risks. Often risk decisions include the trade-off between current and new web application security measures and deciding where to invest. Investment in an application security program is critical for reducing application security risks, besides meeting the goals of governance and compliance with information security policies.

OWASP has developed guidance, the OWASP CISO Guide, specifically to address the needs of CISOs and help them prioritise the mitigation of web application vulnerabilities that might severely and negatively impact the organisation and jeopardise the business.

From the strategic point of view, risk mitigation is an ongoing activity that requires CISOs to pay close attention to new threats and plan for new application security activities in different security domains that include application security governance, risk management, compliance and security in the SDLC processes. Among the CISO goals for application security, meeting compliance with information security policies is often the one that receives the most focus. This guide also aims to help CISOs use compliance of web applications with security standards and regulations as justification for investing in application security activities.

For several organizations today the costs to the business due to the impacts of security incidents are much higher than the cost of non-compliance and failing audits. Since investment in compliance as well as operational risk management are among CISO responsibilities, the focus of investment in risk management is articulated as "what are the most cost-effective measures to manage security risks".

Finally, after application security investments are made, it is important for the CISO to measure and report on the status of governance, risk and compliance of the application security program. Some guidance on metrics suitable for measuring governance, risk and compliance of application security processes is also included in this guide.

Agenda
1. Business cases & Risk-cost decision criteria for application security investment
2. Prioritization and Criteria for Mitigating Application Security Risks
3. Application Security Processes
4. Selection of Metrics For Managing Risks & Application Security

Speakers

Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and...


Thursday August 22, 2013 11:50am - 12:35pm CEST
Großer Saal

11:50am CEST

Recipes for enabling HTTPS
Securely enabling HTTPS turns out to be tricky and time consuming. There is the considerable accidental complexity of web application and server configuration. Then there is lots of advice on what versions of SSL, TLS, which ciphers and modes to avoid, but precious little on how to do it right. No week seems to pass without something being added to the list of DON’Ts, as attacks continue to grow more sophisticated.
In this demo-packed presentation, we do give advice. Even better, we give it in the form of Puppet scripts, ideal for capturing and enforcing best practices across servers. This is the DevOps approach to enabling HTTPS. Participants learn how to set up HTTPS-enabled web servers with Puppet, how to review and adapt existing manifests according to specific needs and prevailing cryptographic advice, and how to incorporate third-party modules.
We discuss pain points in the configuration, show how Puppet helps with change management and demonstrate how to migrate an existing user base via HSTS.

Speakers

Nelis Boucké

Nelis Boucké is a software engineer, consultant and entrepreneur. Nelis obtained a Ph.D. in Computer Science from the K.U.Leuven in 2009 and is Certified TOGAF 9 Professional. He has experience in both industry and research projects on software architecture for complex distributed...

Thomas Herlea

Thomas Herlea is an IT security consultant specialized in application security. He performs vulnerability assessments and consults on secure development with the Trasys Group. Previously, he was employed by Verizon Business. Thomas is an alumnus of the COSIC research group and an...

Yo Peeters

Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org...


Thursday August 22, 2013 11:50am - 12:35pm CEST
Freiraum

1:50pm CEST

A Perfect CRIME? Only time will tell
In 2012, security researchers shook the world of security with their CRIME attack against the SSL encryption protocol. The CRIME (Compression Ratio Info-leak Made Easy) attack used an inherent information leakage vulnerability resulting from the use of HTTP compression to defeat SSL's encryption.
However, the CRIME attack had two major practical drawbacks. The first is the attack threat model: a CRIME attacker is required to control the plaintext AND to be able to intercept the encrypted message. This attack model limits the attack mostly to MITM (Man In The Middle) situations.
The second issue is that the CRIME attack was solely aimed at HTTP requests. However, most of the current web does not compress HTTP requests. The few protocols that did support HTTP request compression (SSL compression and SPDY) dropped their support following the disclosure of the attack details, thus rendering the CRIME attack irrelevant.
In our work we address these two limitations by introducing the TIME (Timing Info-leak Made Easy) attack for HTTP responses.
By using differential analysis of timing information to infer the compressed payload's size, the CRIME attack model can be simplified and its requirements loosened. In TIME's attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors to break SSL encryption and/or the Same Origin Policy (SOP).
Changing the target of the attack from HTTP requests to HTTP responses significantly increases the attack surface, as most of the current web utilizes HTTP response compression to save bandwidth and reduce latency.

Speakers

Tal Be'Ery

Tal Be'ery is the web security research team leader at Imperva's Application Defense Center (ADC). In this position, he leads the efforts to capture and analyze hacking activities. The insights obtained in this process are incorporated into the design of new security mechanisms...


Thursday August 22, 2013 1:50pm - 2:35pm CEST
Freiraum

1:50pm CEST

From the Trenches: Real-World Agile SDLC
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise. In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.

In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project. We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers

Ryan O' Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...

Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode's core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Security...


Thursday August 22, 2013 1:50pm - 2:35pm CEST
Großer Saal

2:40pm CEST

MalloDroid, Hunting Down Broken SSL in Android Apps
In a study [1], we investigated the SSL/TLS security of 13,500 free Android apps from Google's Play Market and identified serious security threats for their users. Our analysis revealed that 1,074 (8.0 %) of the examined apps contained SSL/TLS code that was potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. 

From these 41 apps, we captured amongst others credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote servers, arbitrary email accounts, and IBM Sametime.

During our investigation, we conducted static code analysis to identify apps that applied inappropriate SSL certificate validation strategies. In this work, we present our tool MalloDroid and make it available to the public. MalloDroid is based on the Androguard [2] reverse engineering framework and provides a comfortable and easy-to-use command line interface for developers of apps, security auditors and all other interested parties to identify Android apps that include customized TrustManager and HostnameVerifier implementations. It also discovers if apps overwrite the onReceivedSSLError method in Android's WebViewClient used by many apps. Additionally, MalloDroid includes a signature database of known implementations that apply broken SSL certificate validation and reports a risk-level for customized SSL implementations. With the help of MalloDroid, code that breaks effective SSL certificate validation can be easily identified.

As a second contribution, we present results of interviews we conducted with 15 developers of vulnerable apps, with the intention of identifying the reasons behind the broken SSL certificate validation in Android apps. We asked developers why they implemented SSL certificate validation the way they did and if they were aware of the security implications of their decisions. Based on the interviews, we were able to identify some common problems Android app developers seem to have with using SSL in a secure way. We even found developers who stated that they apply code security audits that check whether SSL is used, but these audits did not check for correct SSL certificate validation.

We hope that both MalloDroid and the interview results will help Android developers understand the problems that can occur in SSL code and help them create truly secure SSL connections. We also believe this work can support security auditors and penetration testers in their efforts.

[1] Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgartner, L., and Freisleben, B. "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)security." In Proc. of CCS 2012 pp. 50 - 61.
[2] cf. https://code.google.com/p/androguard/

Speakers

Sascha Fahl

Sascha Fahl is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg where he received his Diplom in 2011. His current research is focused on usability...

Marian Harbach

Marian Harbach is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg and Monash University Melbourne until 2011. His current research is focused on usability...

Matthew Smith

Prof. Smith is a Professor of Computer Science at Leibniz University Hannover, Germany where he leads the Distributed Computing & Security Group. He studied Computer Science at the University of Siegen and received a PhD from Philipps University Marburg in 2008. His current research...


Thursday August 22, 2013 2:40pm - 3:25pm CEST
Freiraum

2:40pm CEST

OWASP Top 10 Proactive Controls
The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. While not complete, this talk does describe the bare minimum required of a development team if they wish to have even a small chance of producing moderately secure software.

Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

Authentication
- Password storage, HMACs for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot password workflow

Access Control
- Limits of access control
- Permission-based access control

Encoding
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow

Speakers

Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background building software as a developer and architect for over 20 years. Jim is also a global...


Thursday August 22, 2013 2:40pm - 3:25pm CEST
Großer Saal

3:55pm CEST

Content Security Policy - the panacea for XSS or placebo?
Content Security Policy (CSP) is a mechanism to mitigate one of the most popular web application issues, Cross-Site Scripting (XSS). CSP is a declarative policy that allows an application to inform the browser about the specific sources from which the application expects all resources, such as scripts and images, to be loaded.

In this presentation, we will talk about:

1. XSS. Very briefly because in 2013 pretty much everyone knows about this attack.
2. CSP. What risks this mechanism covers and what does not:

- CSP inside
- Browser support status and issues
- Policy definition mistakes and CSP common security considerations
- XSS without JS

3. Experience. How we implemented CSP on a service with an audience of more than 11 million users per week:

- Changes in the service
- Bugs in browser implementations
- Problems with 3rd party libraries
- The path from Report-Only to blocking mode

Speakers

Taras Ivashchenko

Yandex
Taras Ivashchenko is Information Security Officer at Yandex. For a long time he focused on penetration tests (especially under the PCI DSS standard), but his main focus has always been on web application security and web technologies in general. He is well known for his research (http://www.oxdef.info...


Thursday August 22, 2013 3:55pm - 4:40pm CEST
Großer Saal

3:55pm CEST

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
Over the past several years there has been a noticeable rise in the number of reported targeted attacks, which are also commonly referred to as advanced persistent threats (APTs). This is seen by security experts as a landscape shift from a world dominated by widespread malware that infects indiscriminately, to a more selectively targeted approach with higher gain. One thing that is clear about targeted attacks is that they are difficult to detect, and not much research has been conducted so far in detecting these attacks. In this paper, we propose a novel system called SPuNge that processes threat information collected on the users' side to detect potential targeted attacks for further investigation. We use a combination of clustering and correlation techniques to identify groups of machines that share a similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil & gas). We evaluated our system against real data collected by an antivirus vendor from over 20 million customer installations worldwide. Our results show that our approach works well in practice and is helpful in assisting security analysts in cybercrime investigations.

Speakers

Marco Balduzzi

Dr. Marco Balduzzi holds a Ph.D. in applied IT security from Télécom ParisTech and a M.Sc. in computer engineering from the University of Bergamo. His interests concern all aspects of computer security, with particular emphasis on real problems that affect systems and networks...


Thursday August 22, 2013 3:55pm - 4:40pm CEST
Freiraum

4:45pm CEST

Improving the Security of Session Management in Web Applications
Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as an authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. By contrast, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP.

We propose a secure and lightweight session management mechanism, effectively improving session management security with HTTP deployments. By establishing a safely contained, shared secret between browser and server, an attacker is prevented from taking over a user’s session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties. 

Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.

Speakers

Wouter Joosen

imec-DistriNet - KU Leuven

Lieven Desmet (KU Leuven)

Senior Research Manager, KU Leuven
Lieven Desmet is a Senior Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware...

Frank Piessens

Full professor, imec-DistriNet, KU Leuven
Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He...

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...


Thursday August 22, 2013 4:45pm - 5:30pm CEST
Freiraum

4:45pm CEST

Security Testing Guidelines for mobile Apps
Smartphones and tablets increasingly become part of our everyday life. Apps of all kinds assist us with work and personal activities. Besides the additional benefits of these apps, the extended use of mobile devices is currently also one of the biggest threats to sensitive business data and user privacy. Due to their mobility, smartphones and tablets are exposed to additional risks: they are connected to public and insecure networks, they are easily lost or stolen, and location services can be misused to track users. In addition, IT managers and developers usually do not care too much about security for mobile devices yet and focus on trendy solutions and usability. But this carelessness is risky because attackers are aware of the lack of security measures for many mobile apps, too.
As for most software, security and privacy should be considered during all stages of mobile app development. In particular, they should be verified and approved before release or installation. But an approach adapted to the specific requirements of testing the security of mobile apps was not available until a short time ago. This led to the decision to develop such a method and resulted in a "Mobile Security Testing Guide". This guide incorporates existing models for penetration testing and extends and adapts them to meet the requirements for security evaluation of mobile apps. It includes platform-independent standard procedures and offers flexible options to adapt it to the needs of the penetration tester or customer.
This presentation will give an overview of the "Mobile Security Testing Guide", outline differences and similarities to a conventional penetration test and show with examples how to apply it in practice.

Speakers

Florian Stahl

Lead Consultant Information Security, msg systems ag
Florian Stahl is a German security and privacy consultant and evangelist. He holds a Master's in information systems and computer science and has CISSP and CIPT certifications. Currently Florian is Lead Consultant at msg systems in Munich. He is a regular speaker at conferences, writes...

Johannes Stroeher

msg systems ag


Thursday August 22, 2013 4:45pm - 5:30pm CEST
Großer Saal

5:35pm CEST

A Doorman for Your Home - Control-Flow Integrity Means in Web Frameworks
Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Then, we evaluate the most prevalent web application frameworks in order to assess possibly existing means to explicitly define and enforce intended control flows. While we find that all tested frameworks allow individual retrofit solutions, only one out of ten provides a dedicated control-flow integrity protection feature. Finally, we describe ways to equip web applications with control-flow integrity properties.

Speakers

Bastian Braun

Bastian Braun received a diploma in computer science (with honors) and a bachelor degree in economics from RWTH Aachen in 2006. Afterwards, he joined the research group "Security in Distributed Systems" at the University of Hamburg. In 2008, he moved to the University of Passau where...


Thursday August 22, 2013 5:35pm - 6:20pm CEST
Freiraum

5:35pm CEST

Eradicating DNS Rebinding with the Extended Same-Origin Policy
The Web's principal security policy is the Same-Origin Policy (SOP), which enforces origin-based isolation of mutually distrusting Web applications. Since the early days, the SOP was repeatedly undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. To counter these attacks, the browser vendors introduced countermeasures, such as DNS Pinning, to mitigate the attack. In this talk, we present a novel DNS Rebinding attack method leveraging the HTML5 Application Cache. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: The SOP's main purpose is to ensure security boundaries of Web servers. However, the Web servers themselves are only indirectly involved in the corresponding security decision. Instead, the SOP relies on information obtained from the domain name system, which is not necessarily controlled by the Web server's owners. This mismatch is exploited by DNS Rebinding. Based on this insight, we propose a light-weight extension to the SOP which takes Web server provided information into account. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation's interoperability and security properties.

Speakers

Ben Stock

Ben Stock studied for his Bachelor at the University of Mannheim and advanced to Technische Universität Darmstadt to graduate with a Master's degree in IT security. His earlier work was mainly in the area of malware and his Bachelor thesis on the Waledac botnet was awarded the CAST...


Thursday August 22, 2013 5:35pm - 6:20pm CEST
Großer Saal
 
Friday, August 23
 

10:25am CEST

Q-Box and H-Box: Raspberry PI for the Infrastructure and Hacker
This is a presentation/demonstration of utilizing Raspberry Pi to create two products hailed as the Q-Box and the H-Box
1. H-Box: Hacking Arsenal 
2. Q-Box: Small-Form Infrastructure Monitoring device. 

The Q-box represents a breakthrough in combining various network monitoring
functions in a small form factor with extremely low power consumption (8 watts) device. It represents a new generation of devices suitable for branch offices as well as small and medium-sized businesses that have heretofore been priced out of the market for this depth of network monitoring and intrusion detection. This presentation is an implementation of Nagios, Snort, and ModSecurity within the framework of Raspberry PI. Each of these aforementioned tools have significant deployment worldwide, all are efficient at their respective tasks, yet they are generally used as a foundation for products that cost very large sums. This presentation is not a demonstration to hype the benefit of using Raspberry PI. Rather, it is a proof-of-concept demonstration that visually addresses the ability of combining professional security tools into the infrastructure of an SMB or multinational client without the expensive outlay of server hardware. 

We will also compare and address the benefits of Q-box and the limitations of today’s Off the Shelf (OTS) solutions. A major limitation that has not been addressed is the processing limitation of an OTS Raspberry PI solution available in today’s market. Currently, our research utilizes a swap file capacity of 1.5 GB that gives the rPi the functional equivalent of 2 GB RAM. This is far more than what is found in the rPi components on the market today and quite possibly as much as what may be found in far more expensive network appliance implementations that corporations use for monitoring and intrusion detection. The final benefit of the Q-box is its ability to convert the GPU into a RISC CPU. Network appliances do not need the graphics card, so this alteration was available and as such increases the efficiency of executing commands while minimizing power consumption.

There will be two live demonstrations: the Q-box on a private network and the H-Box on a local running Web Application.

The second demonstration is an implementation of H-Box. H-Box is a radical advance in a small form factor, easy to deploy hacking arsenal. Although there is at least one known implementation of Metasploit on a Raspberry Pi architecture, there are far more tools that can be added to one’s portable battery of hacking tools. This device is inconspicuous and offers security professionals a rapid breach solution via the HDMI or USB port of a computer, laptop or node.

Speakers

Fred Donovan

Fred is a Professor and an application security researcher.


Friday August 23, 2013 10:25am - 11:10am CEST
Aussichtsreich Emporio

10:25am CEST

Securing a modern JavaScript based single page web application
Modern web apps are often single page web apps. The heavy HTML-generating backend is replaced by JavaScript, JavaScript frameworks like Backbone.js and templating languages like mustache.js or underscore.js. Data is transferred via RESTful JSON services. We are moving functionality normally implemented on the server to the browser. Sometimes we even implement the backend using JavaScript. 

What kinds of security problems can occur if we do this incorrectly? How do we mitigate the security problems found in these applications?

Speakers

Erlend Oftedal

Security Engineer, Autodesk
Erlend is a developer, architect and security tester from Oslo, Norway. These days most of his work is around improving software development lifecycles with regards to security. Erlend is the head of the OWASP Norway chapter, and spends some of his free time on security research...


Friday August 23, 2013 10:25am - 11:10am CEST
Großer Saal

10:25am CEST

Web Fingerprinting: How, Who, and Why?
The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

Third-party cookies have played an integral role in user-tracking, due to the ease of use of remote script and image inclusions and their seamless integration on a main page of a website. Today, the more knowledgeable users, in an effort to hide from third-party advertisers, regularly delete their cookies and use the private mode of their browsers.

This general unavailability of cookies motivated advertisers and trackers to find new ways of linking users to their browsing histories. Mayer in 2009 and Eckersley in 2010 both showed that the features of a browser and its plugins can be fingerprinted and used to track users without the need for cookies. Today, there is a small number of commercial companies that use such methods to provide device identification through web-based fingerprinting. Following the classification of Mowery et al., fingerprinting can be used either constructively or destructively. Constructively, a correctly identified device can be used to combat fraud, e.g., by detecting that a user who is trying to log in to a site is likely an attacker who stole a user's credentials or cookies, rather than the legitimate user. Destructively, device identification through fingerprinting can be used to track users between sites, without their knowledge and without a simple way of opting out.

In this talk, we first review Eckersley's Panopticlick, the first well-known fingerprinting effort, and then examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need for client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. We also report on a large-scale crawl, aimed towards the discovery of popular websites that currently make use of fingerprinting.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

Speakers

Nick Nikiforakis

Nick Nikiforakis is a final-year PhD candidate at KU Leuven, Belgium. Nick’s main interest is the exploration of large-scale web ecosystems, from a security and privacy point of view. In previous work, he has analyzed, among others, referrer-anonymizing services...


Friday August 23, 2013 10:25am - 11:10am CEST
Freiraum

11:15am CEST

Insane in the IFRAME -- The case for client-side HTML sanitization
Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that, as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and lessons learned from a prototype implementation.

Bio:
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, Ross spent his formative years on the Internet Explorer Security Team.

Speakers

David Ross

Microsoft


Friday August 23, 2013 11:15am - 12:00pm CEST
Großer Saal

11:15am CEST

Making Security Tools accessible for Developers
In late 2012 Mozilla released the first iteration of Minion, an open source security testing platform, and has been busy improving the architecture and service.

Leading into 2013, Minion will gain several powerful new features that will help anyone in the SDLC leverage powerful security tools with little knowledge or experience.

This session will provide an overview of what Minion is, how we use it at Mozilla, and how the community can leverage this powerful new platform to improve their security program.

Speakers

Yvan Boily

Application Security Manager, Mozilla
Yvan Boily is an Application Security Manager with Mozilla Corporation, and prior to that has a background in security with Finance and Government.  Yvan Boily has previously launched an OWASP chapter in Winnipeg and currently leads the OWASP Vancouver chapter.


Friday August 23, 2013 11:15am - 12:00pm CEST
Aussichtsreich Emporio

11:15am CEST

Making the Future Secure with Java
The world is not the same place it was when Java started. It’s 2013, and attackers are intensely motivated, sophisticated, and well organized. Java security is a significant concern across many organizations as well as for individuals. Attend to learn more about Oracle’s progress on Java platform security and some of our plans for the future.

Speakers

Milton Smith

Sr. Principal Product Security Manager - Java, Oracle
Milton Smith (Twitter, @spoofzu) leads the strategic security program for Java platform products as Sr. Principal Security PM at Oracle. Milton is responsible for defining the security vision for Java and managing working relationships with security organizations, researchers, and...


Friday August 23, 2013 11:15am - 12:00pm CEST
Freiraum

12:05pm CEST

Javascript libraries (in)security: A showcase of reckless uses and unwitting misuses
Client-side code is a growing part of the modern web, and the common patterns and libraries that are supposed to make developers' lives easier have the drawback of adding complexity to the code, exposing unexpected features with little or no warning.

We will focus on the most popular JavaScript libraries, such as jQuery and YUI, and on common design patterns, describing how wrong assumptions can lead to unexpected, unsafe behavior. Several code examples and live demos during the talk will illustrate both exploitation techniques and positive coding strategies.

The presentation will also show some interesting case studies, collected and identified during two years of real-world application analysis.

Speakers

Friday August 23, 2013 12:05pm - 12:50pm CEST
Großer Saal

12:05pm CEST

OWASP Top 10 - 2013
The OWASP Top 10 was originally released in 2003 to raise awareness of the importance of application security. As the field evolves, the Top 10 needs to be periodically updated to keep up with the times. The Top 10 was updated in 2004, 2007, 2010, and now in 2013.

The OWASP Top 10 has become the de facto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example.

This presentation will explain how the OWASP Top 10 for 2013 changed from the previous version and why. It will then briefly go through each item in the OWASP Top 10 for 2013, explaining the risks each issue introduces to an enterprise, how attackers can exploit them, and what your organization can do to eliminate or avoid such risks in your application portfolio.

Speakers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. Dave has over 20...


Friday August 23, 2013 12:05pm - 12:50pm CEST
Freiraum

12:05pm CEST

OWASP ZAP Innovations
The Zed Attack Proxy is one of the most popular OWASP projects, and has an enthusiastic developer community which encourages participation.
There are many new developments in progress that will provide functionality currently unavailable in other security tools.
In this session Simon will give a quick introduction for newcomers to ZAP, and then dive into the new changes, demonstrating what's available right now and explaining what will be available in the very near future.

Speakers

Simon Bennetts

ZAP Project Lead, StackHawk
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Friday August 23, 2013 12:05pm - 12:50pm CEST
Aussichtsreich Emporio

2:05pm CEST

Clickjacking Protection Under Non-trivial Circumstances
An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks an unsuspecting victim into clicking on a specific element without the victim's explicit consent. Many web masters have deployed different countermeasures to this kind of attack to protect their websites from being exploitable. Based on our paper [1], this talk gives an overview of the currently available countermeasures. Thereby, it demonstrates that these countermeasures are either not applicable to many of the possible use cases or are vulnerable to different kinds of attacks. Among other bypasses of state-of-the-art protection mechanisms we present a technique we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+ (despite deployed countermeasures). Furthermore, we present the results of a large-scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15 % of the analyzed web sites deploy countermeasures against Clickjacking.

After exploring the shortcomings and limitations, we present a novel approach that is capable of defending a Web site against current attacks and that is applicable to many scenarios where traditional countermeasures cannot be used.

[1] Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, and Martin Johns. On the fragility and limitations of current browser-provided clickjacking protection schemes. In WOOT, pages 53–63, 2012.

Speakers

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. He...

Ben Stock

Ben Stock studied for his Bachelor at the University of Mannheim and advanced to Technische Universität Darmstadt to graduate with a Master's degree in IT security. His earlier work was mainly in the area of malware and his Bachelor thesis on the Waledac botnet was awarded the CAST...


Friday August 23, 2013 2:05pm - 2:35pm CEST
Großer Saal

2:05pm CEST

Do You Have a Scanner or a Scanning Program?
By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis. 

This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth. 

The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.

Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Friday August 23, 2013 2:05pm - 2:35pm CEST
Aussichtsreich Emporio

2:05pm CEST

WAFEC - content and history of an unbiased project challenge
The Web Application Firewall Evaluation Criteria (WAFEC) was initially released in 2006 by the Web Application Security Consortium (WASC).

This talk will explain the history of WAFEC, from 1.0 to today. We will describe the problems and solutions in bringing together communities, security enthusiasts and vendors to write an unbiased paper about an important security product. These efforts finally ended in building one joint project by the two security communities, WASC and OWASP.

We will also describe the purpose of WAFEC 2.0, its goals, its audience, and how it can be used to evaluate the suitability of different WAFs.

Speakers

Achim Hoffmann

Achim Hoffmann started with Linux/network security in the nineties and has been working in web application security for more than 12 years. While working as a web application developer for several years, he started concentrating on web application security as a major subject in...


Friday August 23, 2013 2:05pm - 2:35pm CEST
Freiraum

2:40pm CEST

An Alternative Approach for Real-Life SQLi Detection
SQL injection vulnerabilities have been known for at least 15 years and still belong to the highest risk category in the OWASP Top 10 for 2013. The problem does not seem to be solved yet. A web application firewall should protect vulnerable web applications against SQL injection attacks, but distinguishing malicious SQL injections from regular human input is a hard job. Inspired by libinjection, an optimized tokenizer and parser to detect SQL injections, we combined lexical analysis of user-supplied data with smart regular expression filters. As a result, we found a new way to reduce false positives while still efficiently detecting SQL injections.

Speakers

Friday August 23, 2013 2:40pm - 3:10pm CEST
Freiraum

2:40pm CEST

Introducing OWASP OWTF 5x5
Background: The Offensive (Web) Testing Framework (aka OWTF) is a free and open source OWASP+PTES-focused tool. Its objective is to unite great tools and make pen testing more efficient. Full details are available at http://owtf.org.

In this talk there will be a brief introduction to OWASP OWTF. This will be followed up with demos of the latest features up until the time of the conference (with special focus on the Brucon sponsored 5x5 development features before the conference) to help pen testers get the most out of this tool and/or provide them with new ideas to improve their pen testing process.

OWASP OWTF is a tool that tries to achieve a new level of efficiency and comprehensiveness by combining great standards (OWASP aligned, PTES in the to-do list), great tools, websites and knowledge in the public domain together with continuous reporting using an interactive report that allows the pen tester to analyse the information in a similar fashion to the thought process of a chess player.

OWASP OWTF intends to find an optimal balance between automation and human analysis so that the best of both worlds can be attained.

Speakers

Anirudh Anand

Lead Security Engineer, CRED
Anirudh Anand is a security engineer with a primary focus on Web and Mobile Application Security. He is currently working as a Lead Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 8 years. In...


Friday August 23, 2013 2:40pm - 3:10pm CEST
Aussichtsreich Emporio

2:40pm CEST

Origin Policy Enforcement in Modern Browsers
The Same Origin Policy is the foremost security policy in all browsers. Like most browser code, it underwent a significant amount of changes to keep up with the recent development of HTML5. This talk covers the Same Origin Policy implemented in modern browsers. It goes into detail where browsers behave similarly and where differences occur. The presentation of noteworthy exceptions, regardless of whether they are intended or have evolved out of legacy features, is then followed by an analysis of previous flaws. We identify parsing mismatches as the key source of policy bypasses and suggest methods to analyze and test browser code with regard to this discovery. The talk also gives an outlook into things that may come and evaluates the origin as a measure to bind authority for HTML5 APIs. Using our methods we have also identified security issues in the Java Runtime Environment and Mozilla Firefox, which will be presented at the end.

Speakers

Friday August 23, 2013 2:40pm - 3:10pm CEST
Großer Saal

3:15pm CEST

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome extensions
Browser extensions can let you easily make notes, entertain you with a game, or take an annotated screenshot of the website you're visiting. They can also XSS any website you're visiting, harvest your browsing history, replace your cookies, silently change your proxy or execute code on your machine. Even benign, legitimate extensions can do this, just because they were poorly coded. These flaws are fairly common, and the attacks are easy. In this talk meterpreter sessions will be opened, Google will be XSSed, all your mailbox will belong to us and your PGP private keys will be extracted. But as constructing attack payloads is so boring, we'll present tools that help you find vulnerable extensions, confirm the vulnerabilities and exploit them. After the talk you'll be set to go to either attack Chrome extensions or code them properly, as multiple code examples will be given.

The presentation will consist of a technical overview of the Google Chrome extension architecture and its built-in security mechanisms, including Content Security Policy. Focus will be given to bypassing the protections by leveraging poor extension coding, UI redressing attacks or side-channel attacks. Several flaws in popular Chrome extensions will be demonstrated, with varying consequences from universal XSS flaws to Remote Code Execution on the client's machine.

Having analyzed top 10 000 most popular extensions from Chrome Web Store, we will describe several identified vulnerability classes including, but not limited to:

* XSS in content scripts
* XSS in view pages
* Direct URL access
* UI interface spoofing
* DOM content extraction
* NPAPI binary vulnerabilities

These vulnerabilities will be demonstrated on real-world examples from vulnerable code snippets to complete exploits for them. The usual attack scenario will be attacking an extension via malicious web page that abuses extension mechanisms to inject code or extract information.

Currently Google is phasing out extensions with manifest v1, while slowly forcing developers to create extensions with manifest v2. However, the security mechanisms introduced in v2 manifests, including an obligatory Content Security Policy, still leave many possibilities for successful exploitation. During the talk special focus will be given to exploiting v2 extensions and exploring the constraints of their new security model in attack scenarios.


Friday August 23, 2013 3:15pm - 3:45pm CEST
Großer Saal

3:15pm CEST

OWASP AppSensor – In Theory, In Practice and In Print
The AppSensor Project defines the concept of application-specific real time attack detection and response. Begun by Michael Coates as an OWASP Summer of Code 2008 project, it has since been enhanced, extended, documented and coded by an active team of contributors under his lead. The project is now listed on the US Department of Homeland Security's Software Assurance page about resilient software.

During 2013 a new AppSensor Guide book has been written to document the accumulated knowledge of the contributors, provide illustrative case studies, and most importantly showcase several working demonstration implementations. In 2012 and 2013 the development team has built on a previous core Java version to create a standalone web services AppSensor engine. This effort was supported by the Google Summer of Code 2012.

In this presentation Dennis Groves and Colin Watson will briefly summarise the concept, explain alternative architectural models, discuss the newly published implementation guide of which the two speakers are the primary authors, and explain the code and web services implementations that attendees will be able to use immediately in their own projects. Additionally, new research activities using a modified web application honeypot to test the efficacy of the AppSensor concept will be described.

Speakers

Dennis Groves

Co-Founder, OWASP
Dennis Groves is the co-founder of OWASP and a well known thought leader in application security whose work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London.

Colin Watson

Technical Director, Watson Hall Ltd
Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He...


Friday August 23, 2013 3:15pm - 3:45pm CEST
Freiraum

3:15pm CEST

OWASP Hackademic: a practical environment for teaching application security
Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system.

The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology.

The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and more importantly security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates.

Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.

This presentation will include several significant improvements compared to the one delivered at OWASP AppSec USA 2012 (video: http://videos.2012.appsecusa.org/video/54157393).

Speakers

Spyros Gasteratos

Spyros Gasteratos is a software engineer at Telesto Technologies Ltd. He has undertaken numerous projects in several fields of IT, such as Linux administration, web server hardening and web development. He is the project leader and the main developer of the OWASP Hackademic Challenges...

Konstantinos Papapanagiotou, Spyros Gasteratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals.


Friday August 23, 2013 3:15pm - 3:45pm CEST
Aussichtsreich Emporio

3:50pm CEST

New OWASP ASVS 2013
We are excited to announce and share the next version of the OWASP Application Security Verification Standard (ASVS) project. Since the last release in 2009, we have made significant improvements to the standard, including but not limited to: 

1. Content updates to add new relevant content and clarify existing content 
2. Document segregation 
3. Case studies 
4. Mapping to other relevant standards 

In this presentation, we will walk through the major changes that we believe will increase adoption of the standard in industry. 

Speakers

Friday August 23, 2013 3:50pm - 4:20pm CEST
Freiraum

3:50pm CEST

Sandboxing Javascript
The inclusion of third-party scripts in web pages is a common practice. In this talk, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. The study illustrates that more than half of the Alexa top 10,000 sites include scripts from more than 5 different origins. However, such script inclusions carry risks, as the included scripts operate with the privileges of the including website.
Furthermore, we give an overview of current techniques to sandbox third-party JavaScript, and mitigate the risks of including untrusted scripts. The overview ranges from state-of-practice techniques towards novel approaches from academia. As part of the overview, we discuss JavaScript subsets and server-side transformation techniques such as AdSafe and Google CAJA, modified browser environments such as WebJail and ConScript, and client-side security architectures. 
In particular, we focus on JavaScript security architectures on top of the Same-Origin Policy, CSP and sandboxed iframes, and client-side sandboxing techniques such as TreeHouse and JSand. 
JSand is a server-driven but client-side JavaScript sandboxing framework. JSand requires no browser modifications: the sandboxing framework is implemented in JavaScript and is delivered to the browser by the websites that use it. Enforcement is done entirely at the client side: JSand enforces a server-specified policy on included scripts without requiring server-side filtering or rewriting of scripts. Most importantly, JSand is complete: access to all resources is mediated by the sandbox. 
We describe the design and implementation of JSand, and we show that it is secure, backwards compatible, and that it performs sufficiently well. 

Speakers
Lieven Desmet (KU Leuven)

Senior Research Manager, KU Leuven
Lieven Desmet is a Senior Research Manager on Software Security at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware...
Nick Nikiforakis

Nick Nikiforakis is a final-year PhD candidate at KU Leuven, Belgium. Nick's main interest is the exploration of large-scale web ecosystems from a security and privacy point of view. In previous work, he has analyzed, among others, referrer-anonymizing services...


Friday August 23, 2013 3:50pm - 4:20pm CEST
Großer Saal

3:50pm CEST

The SPaCIoS Tool: property-driven and vulnerability-driven security testing for Web-based application scenarios
In this talk, we present how the SPaCIoS Tool supports security analysts and developers in the security assessment of a system under test. In particular, we describe the main workflows and components that have been implemented as part of the SPaCIoS Tool and that rely on a combination of model checking, model-based security testing, mutation testing, and penetration testing techniques to detect vulnerabilities and to evaluate the security implications of specific design and deployment decisions. We also report on a number of experiments we have been carrying out. In particular, we have been applying the tool as a proof of concept to a set of security testing problem cases drawn from industrial and open-source web-based application scenarios. We have also been running collaboration projects with industrial business units as a stepping stone towards industry adoption of the SPaCIoS Tool.

Speakers
Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP, where he contributes to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the University of Genova and the University of Edinburgh. His areas of interest...
Luca Viganò

Prof. Dr. Luca Viganò received his Ph.D. in Computer Science from the University of Saarbruecken, Germany, in 1997, and his Habilitation in Computer Science from the University of Freiburg, Germany, in 2003. He held a senior research scientist position at ETH Zurich, Switzerland...


Friday August 23, 2013 3:50pm - 4:20pm CEST
Aussichtsreich Emporio