Difference between revisions of "8th OWASP IL chapter meeting"

From OWASP
(New page: == At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00 == rightThe next meeting of OWASP IL, The Israeli Chapter of OWASP, would be he...)
 
 
(20 intermediate revisions by one user not shown)
Previous revision:

== At Watchfire, Herzliya, Wednesday, September 5th 2007, 17:00 ==

[[Image:OWASP_IL_Sponsor_Watchfire.jpg|right]]The next meeting of OWASP IL, the Israeli chapter of OWASP, will be held at Watchfire's offices in Herzliya on Wednesday, September 5th at 17:00. Watchfire will also sponsor the meeting.

The agenda of the meeting is:

<big>'''15:00 – 15:10 Gathering and refreshments'''</big>

Dr. Anat Bremler-Barr, Program Academic Director.[[Image:OWASP_IL_IDC.jpg|right]]

<big>'''15:10 – 15:40 Sophisticated Denial of Service attacks'''</big>

Dr. Anat Bremler-Barr, Efi Arazi School of Computer Science, IDC Herzliya

In a Denial of Service attack, the attacker consumes the resources of the victim, a server or a network, causing degraded performance or even total failure of the victim. The basic DDoS attack is simple brute-force flooding, where the attacker sends as much traffic as possible to consume the network's resources. In contrast, a sophisticated DDoS attack aims at the weakest point in the victim's applications by sending the specific type of traffic that burdens the application the most. In this talk we will cover recent work showing that several common mechanisms are vulnerable to sophisticated DDoS attacks. For example, Crosby and Wallach showed that less bandwidth than a typical dialup modem can bring a dedicated Bro server to its knees. We will discuss some basic guidelines for designing applications that are resilient to sophisticated attacks.

<big>'''15:40 – 16:00 [[Media:Enterprise_portals_security.pdf|Malicious content in enterprise portals]]'''</big>

Shalom Carmel, a security icon, the world's authority on hacking AS/400 and a BlackHat 2006 speaker

In 2005, enterprise portals ranked in the top 10 of CIO technology focus areas in many surveys. The main drivers of portal business growth are the horizontal portal suites, which provide content management capabilities, application integration tools, and specific solutions for collaboration and knowledge management. This lecture will address the security problems an enterprise may face due to the various content management capabilities of a typical portal implementation, and will focus on cross-site scripting attacks.

<big>'''16:00 – 16:30 Information Warfare against commercial companies – lessons from dealing with hostile internet entities'''</big>

Ariel Pisetsky, CISO and Infrastructure Manager, NetVision

During the recent war in the north, many information security events were detected in private and government organizations. These events, usually no more than web site defacements, provide an opportunity to examine large-scale hostile activity against web sites affiliated with Israel. Commercial companies with no direct relation to the war found themselves under direct attack, or indirectly affected by attacks on ISPs and the Internet infrastructure in Israel.

In the presentation we will discuss what happened during this summer of war, whether it can be classified as information warfare, and what lessons can be learnt going forward.

'''16:30 – 16:45 Break, coffee, tea & fruits'''

<big>'''16:45 – 17:15 [[Media:Secure_coding.pdf|Real vs. Virtual Patching]]'''</big>

Ravid Lazinski, Technical Manager, Applicure Technologies

The penetration testing team has found a bug. What's next? In order to prevent exploitation, the application has to be patched.

The presentation will discuss the advantages and disadvantages of the two available solutions: patching the application itself, or using an external patching solution in a process called "virtual patching".

<big>'''17:15 – 17:45 [[Media:The_Core_Rule_Set.pdf|"The Core Rule Set": Generic detection of application layer attacks]]'''</big>

Ofer Shezaf, CTO, Breach Security, OWASP IL chapter Leader, Director, the Web Application Security Consortium

Web applications are unique, each having its own vulnerabilities, and therefore a positive security model is usually considered the optimal way to protect them. The [http://www.modsecurity.org ModSecurity] open source project has recently released a "core rule set", essentially a set of super signatures that try to provide significant security to custom applications without the effort of defining a positive security model.

The lecture will discuss generic application security signatures and rules, how they differ from network-centric signatures, and their strengths and limitations when dealing with the OWASP Top 10 attacks.

'''17:50 – 18:00 Break'''

<big>'''18:00 – 18:30 [[Media:OWASP_10_Most_Common_Backdoors.pdf|The OWASP Top Ten Backdoors]]'''</big>

Yaniv Simsolo, Application Security Consultant, Comsec Consulting

Just as the OWASP Top Ten outlines the top ten mistakes developers make in applications, the top ten backdoors cover features developed on purpose that do just the same: leave the application vulnerable. Backdoors are more common than developers and system professionals think. Hackers and malicious users can exploit backdoors easily, without leaving any special traces in the system. An SQL interface to an application, providing a lot of flexibility but little security, is a good example of such a backdoor.

The presentation will discuss common backdoors found in web applications and how they relate to the OWASP Top 10.

<big>'''18:30 – 19:15 [[Media:Hacking_The_FrameWork.ppt|Hacking The Framework]]'''</big>

Nimrod Luria, Head of Consulting Services, 2Bsecure

Modern development environments such as .NET and J2EE promise enhanced security by relying on framework services rather than good coding. The presentation will use live hacking demos to show the weak points in such frameworks, using .NET as an example.

Latest revision as of 10:19, 15 December 2008:

[[Category:Israel]]

== At Watchfire, Herzliya, Wednesday, September 5th 2007, 16:45 ==

[[Image:OWASP_IL_global_security_week_logo.jpg|left|200px]][[Image:OWASP_IL_Sponsor_Watchfire.jpg|right]]

The 8th meeting of OWASP IL, the Israeli chapter of OWASP, was held at Watchfire's offices in Herzliya on Wednesday, September 5th at 17:00. Watchfire also sponsored the event. The meeting was part of [http://www.owasp.org/index.php/OWASP_Week_September_2007 OWASP week], a worldwide week of OWASP conferences on Privacy in the 21st Century, which was in turn OWASP's contribution to the [http://www.globalsecurityweek.com/ Global Security Week].

The agenda of the meeting was:

<big>'''[[media:OWASP_IL_8_OWASP_Introduction.pdf|OWASP Updates]]'''</big>

<big>'''[[media:OWASP_IL_8_Dangling_Pointer.pdf|Straight from Blackhat: Dangling Pointers]]'''</big>

Jonathan Afek, Senior Security Researcher, [http://www.watchfire.com Watchfire]

Jonathan will bring us his acclaimed Blackhat presentation. Dangling pointers are a common programming error, but even OWASP experts assumed, until now, that exploiting this vulnerability could lead only to crashes and therefore only to denial of service attacks (see the [http://www.owasp.org/index.php/Using_freed_memory OWASP vulnerability guide]). The research team at Watchfire proved that dangling pointers can be exploited to take control of a vulnerable system, elevating the severity of dangling pointers.

The presentation will explain the vulnerability and demonstrate a real exploit of it, using IIS as an example.

<big>'''[[media:OWASP_IL_8_Evasive_Crimeware_attacks_Business_drivers_and_Proposed.pdf|Evasive Crimeware attacks, Business drivers, and Proposed Defense]]'''</big>

Iftach Amit, Director Security Research, [http://www.finjan.com Finjan]

Any web-based attack requires a business model in order to spread. As the director of research for Finjan, Iftach monitors the highly successful web attacks focusing on client abuse and malware installation, and the community that creates them. In the presentation Iftach will share his research findings with us.

The presentation will cover the business drivers of client-side attack vectors, explore recent examples of such attacks with an eye-opening review of the attacker community and its methods of operation, and conclude with a technical discussion of the cat-and-mouse game between cutting-edge solutions and ever-advancing attack vectors.

<big>'''[[media:OWASP_IL_8_JavaScript_Agent_Injection.pdf|JavaScript Agent Injection as a solution for client side browser vulnerabilities]]'''</big>

Ofer Shezaf, OWASP IL Leader; CTO, [http://www.breach.com Breach Security]

As we have seen in Iftach's presentation, clients are not very secure. While we, as web site owners, may not be directly responsible, this situation is just as much a problem for us: the law might hold us responsible, and a compromised yet potentially trusted client may pose a risk to our web site. Good examples of problems which blur the lines between client and server are the [http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/ Universal PDF XSS] and [http://en.wikipedia.org/wiki/Cross-site_request_forgery Cross Site Request Forgery].

Content Injection is a method proposed by Ivan Ristic, the creator of [http://www.modsecurity.org ModSecurity], to enable a Web Application Firewall to protect against this family of problems. The presentation will explain this novel method and build on it to offer some practical recipes for protection against client-side problems.
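The Sophisticated Denial of Service abstract in the previous revision of the agenda cites Crosby and Wallach's result and promises design guidelines for resilience. The following is an added example, not code from the OWASP IL page or from the talk: a toy chained hash table that counts probe steps, fed with constructed keys that all collide under a predictable, unkeyed hash (the algorithmic-complexity attack), and the same keys under a hash keyed with a per-process secret (the mitigation). All names, the bucket count and the sample keys are this example's own assumptions.

```python
"""Algorithmic-complexity DoS demo (added example; not from the OWASP IL page).

A chained hash table whose bucket index comes from an unkeyed, predictable
hash lets a client submit keys that all land in one bucket, so every insert
walks the whole chain and the table degrades from O(1) to O(n) per operation,
O(n^2) for the flood. The mitigation shown is keying the hash with a secret
the attacker cannot know, so colliding inputs cannot be precomputed.
"""
import hashlib
import itertools
import os


def weak_hash(key: str) -> int:
    """Predictable, unkeyed hash: sum of character codes. Every permutation
    of the same characters collides, so collisions are trivial to construct."""
    return sum(ord(c) for c in key)


def make_keyed_hash(secret: bytes):
    """Return a hash function keyed with a secret (BLAKE2b keyed mode).
    Without the secret, bucket placement is unpredictable to an attacker."""
    def keyed_hash(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed_hash


class ChainedTable:
    """Minimal separate-chaining hash table that counts chain entries
    examined, so the cost of a collision flood is visible."""

    def __init__(self, hash_fn, nbuckets: int = 64):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0  # total chain entries examined across all inserts

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:  # linear scan of the chain for an existing key
            self.probes += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def max_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def colliding_keys(n: int, base: str = "abcdefgh") -> list:
    """Constructed attacker input: n distinct permutations of one string.
    All of them collide under weak_hash (same multiset of characters)."""
    perms = ("".join(p) for p in itertools.permutations(base))
    return list(itertools.islice(perms, n))


def flood(hash_fn, keys: list) -> tuple:
    """Insert all keys and return (longest chain, total probes)."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.max_chain(), table.probes


def compare(n: int = 256) -> dict:
    """Same flood against the unkeyed hash and against a freshly keyed one."""
    keys = colliding_keys(n)
    weak_chain, weak_probes = flood(weak_hash, keys)
    keyed_chain, keyed_probes = flood(make_keyed_hash(os.urandom(16)), keys)
    return {
        "weak_max_chain": weak_chain, "weak_probes": weak_probes,
        "keyed_max_chain": keyed_chain, "keyed_probes": keyed_probes,
    }


if __name__ == "__main__":
    r = compare()
    print(f"unkeyed hash: longest chain {r['weak_max_chain']}, probes {r['weak_probes']}")
    print(f"keyed hash  : longest chain {r['keyed_max_chain']}, probes {r['keyed_probes']}")
```

With 256 colliding keys the unkeyed table puts all of them in one chain and performs 32640 probes (0 + 1 + ... + 255), while the keyed table spreads the same keys over the 64 buckets. This is the same mitigation Python itself adopted for `str` hashing (hash randomization, on by default since 3.3): the design guideline is that any data structure whose worst case an untrusted party can steer, hash tables, regular expressions, sort routines, needs either a secret-keyed or worst-case-bounded algorithm.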

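The Real vs. Virtual Patching and Core Rule Set abstracts in the previous revision of the agenda contrast two kinds of external protection: a virtual patch written for one known bug (a positive rule for one parameter) and a generic, negative signature applied to every request. The following is an added example, not code from the OWASP IL page, from ModSecurity or from any of the talks: a tiny request filter holding one rule of each kind, run over constructed requests so the difference in coverage and in false positives is visible. The rule ids, paths, parameter names and sample requests are all this example's own assumptions.

```python
"""Virtual patch vs. generic signature (added example; not the page's or
ModSecurity's code). Both rule styles run in a minimal request filter over
constructed requests.
"""
import re
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import parse_qsl


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""

    def params(self) -> dict:
        """Merge query-string and form-body parameters (constructed inputs)."""
        p = dict(parse_qsl(self.query, keep_blank_values=True))
        p.update(parse_qsl(self.body, keep_blank_values=True))
        return p


@dataclass
class Rule:
    rule_id: str      # hypothetical ids, not real rule-set numbers
    kind: str         # "virtual_patch" or "generic"
    matches: Callable[[Request], bool]


# Virtual patch: the application's /account page expects a numeric 'id'.
# Anything else on that one parameter is blocked. Tight and precise, but it
# knows nothing about any other page or parameter.
ACCOUNT_ID = re.compile(r"^[0-9]{1,10}$")


def vpatch_account_id(req: Request) -> bool:
    if req.path != "/account":
        return False
    value = req.params().get("id")
    return value is not None and not ACCOUNT_ID.match(value)


# Generic signature: crude SQL-injection tell-tales in any parameter value.
# Broad coverage across the whole site, but this kind of pattern both misses
# variants and fires on legitimate text, which is its known limitation.
SQLI = re.compile(r"(?i)('\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select)")


def generic_sqli(req: Request) -> bool:
    return any(SQLI.search(v) for v in req.params().values())


RULES = [
    Rule("VP-1001", "virtual_patch", vpatch_account_id),
    Rule("GEN-942100", "generic", generic_sqli),
]


def inspect(req: Request, rules: List[Rule] = RULES) -> list:
    """Return the ids of the rules that fire (empty list means allowed)."""
    return [r.rule_id for r in rules if r.matches(req)]


# Constructed sample traffic.
SAMPLES = {
    "normal": Request("GET", "/account", "id=42"),
    "sqli_on_patched_param": Request("GET", "/account", "id=42' OR '1'='1"),
    "odd_on_patched_param": Request("GET", "/account", "id=42abc"),
    "sqli_elsewhere": Request("POST", "/search", "", "q=x' UNION SELECT password FROM users"),
    "benign_text": Request("POST", "/comment", "", "text=rename 'x' and y = 2 in the formula"),
}


def run_samples() -> dict:
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:24s} -> {fired or 'allowed'}")
```

The results show the trade-off the two abstracts describe: the virtual patch blocks the malformed `id=42abc` that no generic signature would flag, but does nothing for the injection on `/search`; the generic signature catches that one, yet also blocks the harmless comment containing `'x' and y = 2`. Real rule sets layer both, and tune the generic rules per application to keep the false-positive rate acceptable.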