Phoenix

= Meeting Tuesday February 5th -- Dan Cornell, Using ThreadFix To Manage Application Vulnerabilities = Abstract: ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

Local News
OWASP Phoenix 2013 Meetings

Meetings are on the first Tuesday of the month, every month, 6:30 PM - 7:30 PM, for 1 hour.

Afterward, we'll head to a local watering hole for socializing and fun.

The meeting are located at:

University of Advancing Technology 2625 W. BASELINE RD. TEMPE, AZ 85283-1056

2012 Meetings Calendar
This calendar will likely be updated on month to month basis. In absence of a speaker for a monthly meeting we will opt for a short discussion.


 * January - Standard Android and iOS Tools for 2013
 * Febuary - Using ThreadFix To Manage Application Vulnerabilities: Dan Cornell, Denim Group
 * March  -TBD
 * April - Top Ten Web Defenses: Jim Manico is the VP of Security Architecture for WhiteHat Security

Resources
Archived pages on Phoenix/Tools and Phoenix/ToolsProfile

This chapter is dedicated to bringing together local businesses, students, and web and security enthusiasts in order to discuss current events, trends, tools, and offensive/defensive techniques related to web application security. We currently hold meetings every month, typically with one or two speakers at each meeting.

What talks would you like to see?
Please Update

Previous Meetings
Standard Android and iOS Tools for 2013

Andre Gironda 

Andre Gironda will be presenting on "Standard Android and iOS Tools for 2013" This is a follow-up to his 2012 talk.

Content Discovery and Link Extraction for Application Security Testing

Andre Gironda 

Andre Gironda, HP, will be presenting on "Content Discovery and Link Extraction for Application Security Testing". The talk will be focused on how to discover content the right way and make decisions before actual testing begins, as well as how to adjust needs during a on-going test. Most of the discussion will be tool agnostic, but it will help attendees if they have some prior experience with tools such as OWASP DirBuster or a commercial-grade crawler such as Netsparker Community Edition.

Andre Gironda is a mobile application security risk consultant for HP Fortify who lives in Tempe, AZ

Not the end of XSS

Michael Brooks 

XSS is by no means a solved problem. There is no silver bullet, function call or technology that makes you absolutely immune. This talk is focusing on bypassing Anti-XSS filters found in browsers as well as bypassing Content Security Policy (CSP) restrictions. This talk covers how these technologies are used to protect a web application and how they can be abused by an attacker.

Michael Brooks

Michael Brooks was in the top 1% of earners in the Google bug bounty program. He has written exploits for software you have probably used, patches have been written and we are all safer for it. A perfectly secure system can never be accomplished, test everything, trust nothing.

"Cool" Vulnerabilities

Lonnie Benavides 

Web application management software is often overlooked and can contain critical vulnerabilities. This talk will focus on four different publically known vulnerabilities within Adobe Cold Fusion. Exploitation of these issues results in a complete compromise of the underlying web server. Live demonstrations will be provided.

Lonnie Benavides is a penetration tester and the lead of the Boeing Red Team. Lonnie has been pen testing since 2003 when he joined an Air Force Red Team based out of McChord Air Force Base in Washington State. He has taken over military bases, aircraft, and banks. Lonnie and his family relocated from Seattle to Phoenix in February.

Sweet Pickles

Chase Schultz 

Sweet Pickles is inspired by a talk presented at Blackhat by Marco Salverio about practical pickle exploitation. Sweet pickles aims to address some of the concerns presented by Marco in his Sour Pickles talk. Using strong cryptography methods Sweet Pickles attempts to address the problem of confidentiality and authenticity of a python pickle while in transit. Sweet pickles utilizes Advaced Encryption Standard(AES) and Elliptic Curve Cryptography(ECC) to help secure Python's Serialized Objects(Pickles). Sweet pickles was first presented at the International Cyber Defense Workshop hosted by the Department of Defense by Chase. This presentation will be an elaboration on the research Chase has done on python pickles and his work to secure them.

Bio: Chase Schultz is currently a student at the University of Advancing Technology. He is majoring in Network Security and hopes to finish his degree in December of 2021(End of the world and all that aside…) Chase enjoy's application security and hunting bugs in software. He's spent time working for Stach & Liu as a web application penetration tester and also leads the [Buffer]Overflow Club at UAT. He developed Sweet pickles as a project in his free time to address the problems presented at Blackhat 2011 in the Sour Pickles talk. He is fluent in Python, C/C++, Assembly and random shit. Beyond playing with Python, Chase enjoys reverse engineering, and general software exploitation. Also enjoyed are Andre's random cocktails and IPA's.

Standard Android and iOS Tools for 2012

Andre Gironda

Abstract: This will be a talk that discusses the baseline toolchains around Android and iOS applications, whether trying to gain insight into in-app activities, OS activities, IPC, as well as standard networking protocols for both static and runtime.

Bio: Andre Gironda is a mobile application security risk consultant for HP Fortify who lives in Tempe, AZ

Application Security: More Than Just Secure Coding Practices

Scott White

Abstract: From a penetration tester's perspective, this presentation will examine a holistic approach to managing application security since attack vectors are not adequately mitigated using secure coding practices and traditional code reviews.

Bio: Scott is a Senior Information Security Engineer at Diebold, Inc., holding a bachelors degree in computer science, a master's degree in network security, and is well-respected in the information security industry. He manages the global application security process ensuring that new and existing applications conform to industry and secure coding best practices. Additionally, he heads up offensive security efforts within Diebold, continually testing its systems and associates through penetration tests, product reviews, and social engineering exercises. He has held various past positions in support, system administration, web development, penetration testing, and application security for both public and private organizations servicing clients in the government and commercial spaces. His experience includes performing web application security assessments, internal, external, and physical penetration tests, source code reviews, social engineering, and developer training. With over 5 years working directly with information security and over 10 years programming experience, he has a thorough web application security understanding from both developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. He is the technical editor for the popular book, "Metasploit The Penetration Tester's Guide".

wxFramework (Web Exploitation Framework)

Ken Johnson

The project’s goal is to assist penetration testers in exploiting web application and web service weaknesses. Because exploitation of applications is rarely point and click and usually requires multiple steps, network exploitation frameworks often fall short of the goal. The framework is intended to assist attackers along their exploitation journey. During this talk we will preview the new graphical interface for the first time and demonstrate how it changes or enhances the reasons you may wish to try wXf.

Bio:

Ken Johnson is a Senior Application Security Consultant performing source code analysis and web application penetration testing. Ken is the primary developer of the Web Exploitation Framework (wXf) and contributes to various open source application security projects. He has spoken at AppSec DC, OWASP NoVA, Northern Virginia Hackers Association and is a contributor to the Attack Research team.

2011 Appsec Tools State-of-the-Art

Andre Gironda

Abstract: Every tool you should leverage during an app pen-test or secure code review will be discussed. The two best web proxies, Burp Pro (@portswigger) and Fiddler (@ericlaw) will be demonstrated along with the two best crawlers from @netsparker and WebInspect. The results from @sectooladdict will be discussed and the analysis demonstrated on @owaspbwa. Additional topics will be discussed, such as executive management reporting using dradisframework.org by way of imports from @w3af. There will also be topics for application developers, such as the new OWASP Data Exchange Format Project, as well as using CAT.NET, RIPS, LAPSE+, and Fortify to go from vulnerable sources to runtime analysis to full exploitation. Even esoteric tools from long-ago that have held their value will be discussed and potentially demonstrated

BIO: Andre works for the HP Application Security Center (ASC) doing application penetration-testing, secure code review, and reverse engineering. He has 9 years of direct experience with application security topics, has been using Burp Suite on pen-tests since early 2005, and runs his own tool benchmarks at home in Tempe, AZ.

Andrew Wilson &amp; Michael Brooks

Traps of Gold

Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

Bio: Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and secure development life cycle.

Obfuscating Search Queries with Hayst.ac

David Huerta

Hayst.ac, is a browser userscript to obfuscate search queries with machine-generated queries with the goal to be as close to indistinguishable from the human generated ones as possible. This is ultimately to discourage the use of search histories as a source of user profiling.

Bio: After arriving in Arizona from the posh, cosmopolitan enclave of southeastern Idaho, David founded the DeVry Linux User Group (DeLUG) in 2003, an originally student organization that drew members and activities from the greater West Valley Free software community, including students at GCC and ASU West. He also serves on the board of directors for HeatSync Labs, a hackerspace in Chandler.

OWASP O2 Platform Dinis Cruz

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code-driven application security reviews (blackbox + whitebox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides security consultants a mechanism to: (a) "talk" with developers (via UnitTest), (b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and (c) engage in a two-way conversion on the best way to fix/remediate those vulnerabilities. For more details see https://www.owasp.org/index.php/OWASP_O2_Platform, to download binary or source goto http://code.google.com/p/o2platform/downloads/list

Bio Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers). (https://www.owasp.org/index.php/User:Dinis.cruz)

Improving your Fu - Andrew Wilson

Delivering high quality results is the goal and earmark of any serious security practitioner. Professional penetration testing requires a set of reliable skills that will enable him/her to deliver consistently. Tools simply aren't enough. This talk outlines 10 of the more important disciplines and practices you can do to build or grow that solid foundation.

Bio:

Exploitation Redux and Bug Bounties - Michael Brooks

Talk covered some of the recent vulnerabilities affecting Google and Mozilla, highlights such exploits as exploitation by email.

List of bounty winners and a lot of blog links: http://www.google.com/corporate/halloffame.html Interesting SMTP based XSS http://spareclockcycles.org/2010/12/14/gmail-google-chrome-xss-vulnerability/ XSS via event handlers: http://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google Good examples of strange XSS: http://google-gruyere.appspot.com/ My Exploits (Including the Majordomo 2 Directory Traversal Vulnerability) http://www.exploit-db.com/author/?a=628

Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

SharePoint Hacking - Advanced SharePoint Security Tools and Tips     -Francis Brown

http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

Microsoft SharePoint products and technologies continue to grow in popularity and have become the core foundation upon which many organizations have built their web presence. Unfortunately, guidance concerning common SharePoint security issues tends to be overly complex and often misunderstood. Ultimately this results in insecurely configured and deployed SharePoint instances in production environments.

This demonstration rich presentation will cover our newly released SharePoint hacking tools and techniques that security professionals can easily use to identify and exploit common insecure configurations in SharePoint applications. Some of the areas we’ll attempt to tackle are: • Identifying vulnerable SharePoint applications using public search engines such as Google and Bing • Gaining unauthorized access to SharePoint administrative web interfaces • Exploiting holes in SharePoint site user permissions and inheritance • Illustrating the dangers of granting excessive access to normal user accounts • Pillaging Active Directory via insecure SharePoint services • Attacking 3rd party plugins/code within SharePoint • And much more…

Bio:

Appsec Design Reviews Reloaded - Andre Gironda The best place to start in the software lifecycle is during the design phase. Workflow tools exist for SDL processes, build servers, penetration-testing activities, and many other application security checkpoints. However, very few tools and techniques exist or are readily available when performing application security design reviews. The full process of application security should be agreed upon during the design phase by the security department and all relevant application development teams. The direction of the projects and the patterns used in the application architectures can also be augmented from an application security perspective. This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies, such as managed code frameworks. Bio: Andre has contributed to many OWASP documents and has been working in the appsec space for almost 5 years. He is a local to the Phoenix area and has presented on application security topics recently at BSides, OWASP, and Toorcon events.

Professional Burping

Burp suite is by and large considered one of the de-facto tools for testing web applications for security flaws. This talk will cover many of the professional version only features and various advanced usages that can be done to really take advantage of all this tool has to offer. Topics will include a quick review of burp, effectively leveraging professional only tools, deep dive into intruder, and using 3rd party extensions. Andrew Wilson's Bio:

Debugger Basics: Software Cracking and Buffer Overflows Finding and exploiting a basic buffer overflow, start to finish including fuzzing to command shell. A small primer before "warez and keygens": bypassing a serial number based registration for software, the most basic form of software cracking.

Bio: Scott White is a Senior Penetration Tester for SecureState LLC, a pure play information securityassessment company based in Cleveland, Ohio. He is the web application security expert on the Profiling team. His day to day duties include web application security assessments, internal, external, and physical penetration tests, source code reviews, and developer training. Scott holds a bachelors of science in computer science and a master of science in network security. With over 5 years working with security and over 10 years programming experience, he has a thorough web application security understanding from both the developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention held in Las Vegas each year, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. Scott White Senior Penetration Tester www.securestate.com http://securestate.blogspot.com

Database Security and Encryption, Adrian Lane

Bio: Adrian is a Security Strategist and brings over 22 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, contributed articles to many major publications, and is easily recognizable by his "network hair" and propensity to wear loud colors. Once you get past his windy rants on data security and incessant coffee consumption, he is quite entertaining. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.

masSEXploitation, Mike Brooks  This talk covers the use of chaining vulnerabilities in order to bypass layered security systems. This talk will also cover ways of obtaining wormable remote code execution on a modern LAMP platform. These attacks where developed by me, and they are very new. These attacks are as real as it gets, and the results are making the headlines.

Bio: I will be giving this talk at this years Defcon and it will 3rd year in a row that I spoken. According to the Department of Homeland Security I have found a vulnerability with a severity metric of 13.5 which makes it into the top 1,000 most dangerous of all time. I am the top answerer of security questions on StackOverflow.com (The Rook). I actively hunt for vulnerabilities on a verity of platforms. I write exploit code and make it public.

http://www.exploit-db.com/exploits/16103/ (Directory Traversal exploitable via email) http://www.exploit-db.com/exploits/15838/ (Exploit chain:captcha bypass-&gt;sqli(insert)-&gt;persistant xss on front page)

Involuntary Case Studies in Data Breaches, Rich Mogull, Securosis

It's absolutely bass ackwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. Our entire industry is built on anecdote and the few tidbits we can glean from press reports. Thus we, as an industry, don't link means and methods to actual security outcomes. Without this information we're like a bunch of blindfolded wannabe ninjas trying to catch rounds from a machine gun with our bare hands. In this session we'll name names as we build in-depth case studies based on publicly available information, some of which isn't overly public. We will combine these with the latest information from breach reports released by incident response companies and the Dataloss Database. The session will build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

Application Security Tools  - Web Application Proxy Editors and Scanners - Andre Gironda  - Adam Muntner Risk Assessment Considerations for Web Applications (brief talk+discussion) - Erich Newell

 â and other web+network trust issues â Andre Gironda

In computing, the same origin policy is an important security measure for client-side scripting (mostly Javascript). It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin". It was designed to protect browsers from executing code from external websites, which could be malicious.

XSS and CSRF vulnerabilities exploit trust shared between a user and a website by circumventing the same-domain policy. DNS Pinning didn't pan out exactly right, either. Can client-side scripting allow malicious code to get into your browser history and cache? Can it enumerate what plugins you have installed in your browser, or even programs you have installed to your computer? Can it access and modify files on your local hard drive or other connected filesystems? Can client-side scripts be used to access and control everything you access online? Can it be used to scan and attack your Intranet / local network? Does an attacker have to target you in order to pull off one of these attacks successfully? If I turn off Javascript or use NoScript, am I safe? What other trust relationships does the web application n-Tier model break?

Data@Risk â Protecting Web Applications Throughout the Development Lifecycle from Hackers - Brian Christian

Brian Christian, Co-founder and Application Security Engineer, S.P.I. Dynamics, Inc. discussed what Web application security is and why it is needed throughout the entire development lifecycle. We will discuss common vulnerabilities in the Web application layer and why they are so easily exploited. This session demonstrates how to defend against common attacks at the Web application layer with examples covering Web application hacking methods such as SQL Injection, Blind SQL Injection, Cross-Site Scripting (XSS), Parameter Manipulation, etc. We will also review how compliance and regulatory legislation such as PCI, GLBA, HIPAA, CASB 1386, and Sarbanes-Oxley, etc. specifically relates to and affects Web application security. Additionally, we will examine how security throughout the development lifecycle is essential to the security of Web application code and the protection of proprietary data.

Web Application 0-Day â Jon Rose

Learn about how to identify, exploit, and remediate some of the most common security vulnerabilities in web applications. Weâll be using real-world examples in a dynamic, fun, and open discussion using publicly available source code.

Discovering Web Application Vulnerabilities with Google CodeSearch

Building Application Security into the SDLC - Adam Muntner

Adam will share his experiences about how organizations can integrate application security into all phases of the Software Development Life Cycle, from the creation of functional specifications all the way through deployment, maintenance, and updates. He will explain how to "bake security in" rather than "ice it on."