London

London

Future Events

 * Thursday, December 4th


 * Location: KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at 6.30pm (arrive between 6.00pm and 6.30pm), ending by 8.30pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. IMPORTANT: You must RSVP (by sending an email to ivanr AT webkreator DOT com) if you want to attend.

Justin Clarke: SQL Injection Worms for Fun and Profit ([[Media:SPF.pdf|PDF]])

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

Dinis Cruz: OWASP Summit 2008 Report

The OWASP Summit 2008 has been a great success. Dinis, also known as Chief OWASP Evangelist, is going to tell us what we've missed.

Justin Clarke: Protecting Vulnerable Applications with IIS7 ([[Media:SQL_Injection_for_Fun_&_Profit.pdf‎ |PDF]])

With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.

About Justin:

Justin is a Principal Consultant with Gotham Digital Science. He is the co-author of "Network Security Tools" (O'Reilly, 2005), a contributing author to "Network Security Assessment" (O'Reilly, 2007), and has spoken at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years of security testing and consulting experience in network, application, source code and wireless testing work for some of the largest commercial and government organizations in the United States, United Kingdom, and New Zealand. Justin is active in developing security tools for penetrating and defending applications, servers, and wireless networks (e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works.

Past Events

 * Thursday, September 4th


 * Location: KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

James Fisher: DirBuster & Beyond (PDF)

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

Yiannis Pavlosoglou: JBroFuzz

[Summary will be updated if I get it from Yiannis, but you can always go to the JBroFuzz project homepage for more information.


 * Thursday, July 24th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18:30 Arrive and make yourselves comfortable.
 * 19:00 Dinis Cruz: What is going on at OWASP?
 * 19:20 Colin Watson: Nominet Best Practices Award briefing (PDF)
 * 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns (PDF)
 * 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
 * 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls (PDF) (talk from the recent OWASP AppSec Europe conference in Ghent).


 * Thursday, April 3rd


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 PHP Code Analysis: Real World Examples (David Kierznowski)
 * 20h00 Abusing PHP sockets for fun and profit (Rodrigo Marcos; also available: source code, Flash demo)
 * 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
 * 21h00 Discussion: OWASP Best Practice Challenge 2008 nomination.
 * 21h30 End.


 * Thursday, December 6th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
 * 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques (PPT).
 * 20h15 OWASP London Chapter (discussion).
 * 20h45 PDP: Client-Side Security (discussion).
 * 21h30 End.


 * Wednesday, September 5th (participating in the OWASP Day event). Read meeting notes here.
 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsored the meeting by paying for the costs of the venue.


 * Programme:
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Petko D. Petkov, a.k.a pdp (architect), founder of the GNUCITIZEN group: For my next trick... hacking Web2.0.
 * 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
 * 21h00 Discussion: "Future of the OWASP London Chapter".
 * 21h30 End


 * Thursday 22nd March
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * Mark O'Neill "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
 * Dinis Cruz "OWASP Spring of Code and Owasp world update " - 30 m


 * Thursday 22nd February
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * by Dinis Cruz (Chief OWASP Evangelist) :
 * OWASP, the Open Web Application Security Project 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * Buffer Overflows on .Net and Asp.Net 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
 * by Ivan Ristic:
 * ModSecurity - 30m


 * Schedule:
 * 6pm - 7pm arrive and grab a drink
 * 7:00 - OWASP, the Open Web Application Security Project, Dinis Cruz
 * 7:45 - ModSecurity, Ivan Ristic
 * 8:15 - Buffer Overflows on .Net and Asp.Net, Dinis Cruz
 * 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
 * 9:00 - Dinner

Other Activities

 * 16th October 2008 - COI Browser Standards for Public Websites

The London and Scotland Chapters joint response to the Central Office of Information draft document on browser standards for public websites (version 0.13).