London

Future Events

 * Thursday, September 4th


 * Location: KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm). KMPG are sponsoring the meeting. Complementary drinks will be provided.


 * Programme

1 James Fisher: DirBuster & Beyond

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

DirBuster is a popular OWASP project:

http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

2 Yiannis Pavlosoglou: Web Authentication Combining Single Packet Authorization (WACSPA)

This presentation aims to demonstrate a pioneering way of authenticating on a web-site, by means of accessing the login interface via port knocking.

As Single Packet Authorization is beginning to mature as a subject discipline, attaching a time window of opportunity towards the ability of logging in to a web-site adds an extra layer of security, well beyond the remit of the application layer.

In this presentation, the basic concept will be presented, a system description given, as well as a detailed outline of the tools used to develop this type of web authentication.

Past Events

 * Thursday, July 24th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18:30 Arrive and make yourselves comfortable.
 * 19:00 Dinis Cruz: What is going on at OWASP?
 * 19:20 Colin Watson: Nominet Best Practices Award briefing (PDF)
 * 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns (PDF)
 * 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
 * 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls (PDF) (talk from the recent OWASP AppSec Europe conference in Ghent).


 * Thursday, April 3rd


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 PHP Code Analysis: Real World Examples (David Kierznowski)
 * 20h00 Abusing PHP sockets for fun and profit (Rodrigo Marcos; also available: source code, Flash demo)
 * 20h45 Web Application Security Badges (Colin Watson)
 * 21h00 Discussion: OWASP Best Practice Challenge 2008 nomination.
 * 21h30 End.


 * Thursday, December 6th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
 * 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques (PPT).
 * 20h15 OWASP London Chapter (discussion).
 * 20h45 PDP: Client-Side Security (discussion).
 * 21h30 End.


 * Wednesday, September 5th (participating in the OWASP Day event). Read meeting notes here.
 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsored the meeting by paying for the costs of the venue.


 * Programme:
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Petko D. Petkov, a.k.a pdp (architect), founder of the GNUCITIZEN group: For my next trick... hacking Web2.0.
 * 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
 * 21h00 Discussion: "Future of the OWASP London Chapter".
 * 21h30 End


 * Thursday 22nd March
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * Mark O'Neill "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
 * Dinis Cruz "OWASP Spring of Code and Owasp world update " - 30 m


 * Thursday 22nd February
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * by Dinis Cruz (Chief OWASP Evangelist) :
 * OWASP, the Open Web Application Security Project 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * Buffer Overflows on .Net and Asp.Net 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
 * by Ivan Ristic:
 * ModSecurity - 30m


 * Schedule:
 * 6pm - 7pm arrive and grab a drink
 * 7:00 - OWASP, the Open Web Application Security Project, Dinis Cruz
 * 7:45 - ModSecurity, Ivan Ristic
 * 8:15 - Buffer Overflows on .Net and Asp.Net, Dinis Cruz
 * 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
 * 9:00 - Dinner