London

Thursday, July 9th 2009
Location: Barclays, Rooms 42/43, One Churchill Place, London E14 5HP

Talks

 * O2 - Advanced Source Code Analysis Toolkit - Dinis Cruz
 * In this talk Dinis Cruz will show the open source toolkit O2 (Ounce Open), which is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code security reviews. The O2 toolkit (http://www.o2-ounceopen.com) uses the scanning engines from Ounce Labs, Microsoft's CAT.NET tool and FindBugs (with more engines to be added soon) and allows advanced filtering, manipulation and visualization of its findings. In the past, there has been a very healthy skepticism about the usability of source code analysis engines for finding commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues.


 * The Ultimate IDS Smackdown - How red vs. blue situations can influence more than one might assume - Mario Heiderich and Gareth Heyes
 * The talk is a vector and coding showdown between the lead dev of the PHPIDS and one of its most determined challengers trying and managing to break it wherever possible. Expect a bloody battle between security researchers and developers without limits, regular expression magic against code obfuscation excellence leading to an interesting result about vs-situations in software development and IT security.

Speakers

 * Mario Heiderich - I am Mario Heiderich, Cologne-based CTO for an online enterprise based in Cologne and New York. I was a visitor and speaker at several OWASP conferences, maintain the PHPIDS and other security-related projects and recently authored a German book on Web Security together with Christian Matthies, fukami and Johannes Dahse. I am currently into browser security, broken markup, client side attacks and digging the HTML5 specifications.
 * Gareth Heyes - I'm from the UK and I like hacking JavaScript and XSS filters. I am not a security expert, in fact I'm the anti-security expert. Don't expect statistics from me, I like vectors and interesting code. I authored Hackvertor and many other security-related tools.

RSVP
Please RSVP for this meeting, as space is limited. As mentioned at the last meeting, we're going to trial an event signup system, so please RSVP at http://owasp-london.eventbrite.com. Note, please enter your real name, as this will be given to Barclays building security to ensure you are let into the building.

Also, if you are no longer able to attend, please email Justin at justin.clarke@owasp.org so your space can be released for someone else.

Thursday, May 21st 2009
Location: Barclays, Presentation Suite 2, One Churchill Place, London E14 5HP


 * Hash Cookies - A simple recipe - John Fitzpatrick ([[Media:Hash-cookies 2009-05-21.pdf|PDF]])
 * Hash cookies is a concept devised in concert with a couple of other guys whilst discussing an application test we were working on. The goal of hash cookies being to make session hijacking attempts infeasible through re-hashing the session cookie on future requests to the server.
 * The aim of this talk is to put across the concept of hash cookies and then have the audience don their ninja suits and break it. That way we can work towards a robust secure mechanism for securing sessions which, hopefully, hash cookies is a good solid step towards.


 * OWASP Google Hacking Project - Christian Heinrich ([[Media:Cmlh - OWASP Google Hacking Project - OWASP EU 2009 and OWASP London Chapter May 2009 Meeting - Post Update 22 May 2009.zip|PDF (zipped)]])
 * Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:
 * "TCP Input Text" extracts TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and netcat to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot".
 * "Download Indexed Cache" retrieves content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3. During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB).
 * The impact of mitigating controls, such as Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.


Thursday, March 12th
Location: KPMG, 39th Floor, One Canada Sq, E14 5AG

OWASP Global Industry Committee - Colin Watson ([[Media:Owasp-london-industry-committee-march-2009.pdf|PDF]])

The Global Industry Committee was one of six new OWASP committees created during the EU Summit in Portugal last year. Colin Watson will talk about the committee's aims, plan, how to get involved, who it has been engaging with and what else it has been doing in the first few months.

The Software Assurance Maturity Model - Introduction and a Use Case - Matt Bartoldus ([[Media:OpenSAMM.pdf|PDF]])

The OWASP CLASP Project has been going through modification to move more towards a maturity model. As a result, the Software Assurance Maturity Model (SAMM) project has been released in a beta version. The goal is to "define a usable security framework with sequential, measurable goals that can be used by small, medium, and large organisations in any line of business that involves software development". This talk will introduce SAMM and give a brief overview of its contents. We will then discuss how SAMM is currently being used to measure the level of information security activities within an EU based financial organisation's development methodology and to provide the framework for implementing such activities into their everyday development activities (SDLC).

SQL injection: Not only AND 1=1 - Bernardo Damele A. G. ([[Media:SQLinjectionNotOnly.pdf|PDF]])

The presentation will cover a quick preamble on the definition of SQL injection, sqlmap and its key features. It will then illustrate, with examples, the common and uncommon problems (and their respective solutions) that a penetration tester or a SQL injection tool developer faces when exploiting any kind of SQL injection flaw in real world web applications: for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, blind SQL injection algorithm speed enhancements, IDS bypasses specific to particular web application technologies, and more.


Thursday, December 4th
Location: KPMG, 39th Floor, One Canada Sq, E14 5AG

Justin Clarke: SQL Injection Worms for Fun and Profit ([[Media:SPF.pdf|PDF]])

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

Dinis Cruz: OWASP Summit 2008 Report

The OWASP Summit 2008 has been a great success. Dinis, also known as Chief OWASP Evangelist, is going to tell us what we've missed.

Andrew Nairn: Protecting Vulnerable Applications with IIS7 ([[Media:SQL_Injection_for_Fun_&_Profit.pdf|PDF]])

With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, ColdFusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.


Thursday, September 4th
Location: KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KPMG are sponsoring the meeting. Complimentary drinks and snacks will be provided.

James Fisher: DirBuster & Beyond (PDF)

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzers out there.

Yiannis Pavlosoglou: JBroFuzz

[Summary will be updated if I get it from Yiannis, but you can always go to the JBroFuzz project homepage for more information.]


Thursday, July 24th
Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18:30 Arrive and make yourselves comfortable.
 * 19:00 Dinis Cruz: What is going on at OWASP?
 * 19:20 Colin Watson: Nominet Best Practices Award briefing (PDF)
 * 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns (PDF)
 * 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
 * 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls (PDF) (talk from the recent OWASP AppSec Europe conference in Ghent).


Thursday, April 3rd
Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 PHP Code Analysis: Real World Examples (David Kierznowski)
 * 20h00 Abusing PHP sockets for fun and profit (Rodrigo Marcos; also available: source code, Flash demo)
 * 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
 * 21h00 Discussion: OWASP Best Practice Challenge 2008 nomination.
 * 21h30 End.


Thursday, December 6th
Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf|PDF]])
 * 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques (PPT).
 * 20h15 OWASP London Chapter (discussion).
 * 20h45 PDP: Client-Side Security (discussion).
 * 21h30 End.


Wednesday, September 5th (participating in the OWASP Day event). Read meeting notes here.
Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsored the meeting by paying for the costs of the venue.


 * Programme:
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Petko D. Petkov, a.k.a. pdp (architect), founder of the GNUCITIZEN group: For my next trick... hacking Web2.0.
 * 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
 * 21h00 Discussion: "Future of the OWASP London Chapter".
 * 21h30 End


Thursday 22nd March
Location: The Water Poet Pub, Liverpool St, London (map, description)
We are going to use the downstairs room, which you can access from the back of the pub.
 * Presentations:
 * Mark O'Neill: "Security Vulnerabilities in AJAX and Web 2.0" (60 min)
 * Dinis Cruz: "OWASP Spring of Code and OWASP world update" (30 min)


Thursday 22nd February
Location: The Water Poet Pub, Liverpool St, London (map, description)
We are going to use the downstairs room, which you can access from the back of the pub.
 * Presentations:
 * by Dinis Cruz (Chief OWASP Evangelist):
 * OWASP, the Open Web Application Security Project 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * Buffer Overflows on .Net and Asp.Net (30m) - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.
 * by Ivan Ristic:
 * ModSecurity - 30m


 * Schedule:
 * 6pm - 7pm arrive and grab a drink
 * 7:00 - OWASP, the Open Web Application Security Project, Dinis Cruz
 * 7:45 - ModSecurity, Ivan Ristic
 * 8:15 - Buffer Overflows on .Net and Asp.Net, Dinis Cruz
 * 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done, Dinis Cruz
 * 9:00 - Dinner

Other Activities

 * March 2009 - Entry for Nominet Best Practice Challenge 2009

The Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award in the Nominet Best Practice Challenge 2009. Short-listed June 2009. Announcement due 2 July 2009.


 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).