OWASP Israel 2007 Conference at the Interdisciplinary Center Herzliya (IDC)

Cross Site Request Forgery - Overview and Solutions Ofer Shezaf, OWASP IL chapter leader, Breach Security

Cross Site Request Forgery (CSRF) made the highest entry into this year's version of the OWASP top 10, jumping straight to number 5. But as common and dangerous as it is, CSRF has remained obscure to many, and the ways to protect your application are even less well understood. This turbo talk will provide an overview of CSRF and the common ways to mitigate it, leading to Amichai Shulman's presentation, which will present innovative methods for protecting against CSRF.

Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.

Defeating Web 2.0 Attacks without Recoding Applications Amichai Shulman, CTO, Imperva

Amichai will present a novel approach for solving client side problems, such as CSRF and JavaScript Hijacking, which would naturally be considered out of reach for server side solutions. The method uses a gateway to inject a script that requires feedback from the client. If you have seen the presentation about content injection at the last OWASP IL meeting and felt it lacked actual working examples, Amichai provides some very strong evidence of the usefulness of this method.

This talk was presented in OWASP 2007 in San Jose.

Harvesting Skype Super-Nodes Omer Dekel, IDC

Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype network operates. Further, since its traffic is encrypted and bypasses firewalls, network administrators have almost no ability to monitor or filter Skype. In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and blocking the network's nodes from connecting to them. Using experimental results and an analytic model, we show that it is possible to collect a large enough number of SNs to block, with a probability higher than 95%, the service for an arbitrary connecting client.

This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) and Prof. Hanoch Levy (ETH).

The PKI Lie - Attacking Certificate-Based Authentication Ofer Maor, CTO, Hacktics

While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to disaster. These complex technologies are prone to implementation and deployment mistakes that render them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real-life PKI based authentication systems.

This talk was presented in OWASP 2007 in San Jose.

Hunting Down XSS Vulnerabilities Erez Metula, Application Security Consultant, 2Bsecure

XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities, as well as innovative methods for overcoming obstacles encountered when looking for vulnerabilities.

How Dangerous Is It Out There? Dror Paz, Director of Professional Services, Breach Security

One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore, while the potential danger of web layer attacks is known, whether and how this potential is abused remains a great mystery. In the presentation, Dror Paz will show what's really happening out there, based on work done in projects such as the open proxy honeypot project, the WASC statistics project and the Web Hacking Incidents Database, as well as information gathered (incognito) from Breach installations around the globe.

Smuggling SQL injection attacks Avi Douglen, Application Security Consultant, ComSec

SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting against SQL injection attacks, including input validation and the use of stored procedures. The presentation will discuss novel techniques that bypass these protection mechanisms by exploiting differences in interpretation between systems.

This is a new research work presented for the first time in OWASP Israel 2008.

SOA security Iris Levari, Amdocs

As application security specialists we need to keep up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promises to revolutionize the IT landscape. Applications built around SOA isolate each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adopting SOA.