Difference between revisions of "Boulder"

From OWASP
Jump to: navigation, search
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<!-- #REDIRECT [[Denver]] -->
 
 
 
{{Chapter Template|chaptername=Boulder|extra=The chapter leader is [[User:Mark_Major|Mark Major]].   
 
{{Chapter Template|chaptername=Boulder|extra=The chapter leader is [[User:Mark_Major|Mark Major]].   
 
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}
 
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boulder|emailarchives=http://lists.owasp.org/pipermail/owasp-boulder}}
Line 6: Line 4:
 
== Upcoming Events ==
 
== Upcoming Events ==
  
'''Thursday, April 19th at 6pm -- Hands-on Introduction to WebScarab & WebGoat'''
+
====Wednesday, January 16nd at 6pm – CTF Project Development====
 
+
The Boulder chapter's inaugural meeting will be held at the [https://maps.google.com/maps?q=1711+Pearl+St,+Boulder,+CO+80302&hl=en&ll=40.018955,-105.272412&spn=0.005801,0.016512&sll=40.019446,-105.273058&layer=c&cbp=13,345.63,,0,0.03&cbll=40.019323,-105.273016&hnear=1711+Pearl+St,+Boulder,+Colorado+80302&t=m&z=17&panoid=5v0RhKi7sjpi-Z5HcgKFFw Aerstone offices] on 17th and Pearl. To welcome newcomers, Tim Van Cleave of [http://www.tvg.com/ TVG Network] will introduce a couple of OWASP classics: [[:Category:OWASP_WebScarab_Project|WebScarab]], [[:Category:OWASP_WebGoat_Project|WebGoat]], and the [[:Top_10|OWASP Top 10]].
+
 
+
Tim's presentation will be an interactive demonstration of proxy-based web application security testing. If you want to play along, bring a laptop with wireless capability. To keep things moving, please have WebScarab and Firefox pre-installed.
+
* [http://sourceforge.net/projects/owasp/files/WebScarab/20070504-1631/ WebScarab]
+
* [http://www.mozilla.com/en-US/products/download.html Firefox]
+
* [http://www.oracle.com/technetwork/java/javase/downloads/index.html Java]
+
 
+
  
One word of caution: seating is limited, so '''please [http://www.meetup.com/OWASP-Boulder/ RSVP] early'''! I am very excited to kick off the Boulder chapter, and I hope to see you all there!
+
Plan, plot, hack, hang out.
  
 +
'''When''': Wednesday, January 2nd at 6:00pm
 +
<br>'''Where''': [https://aerstone.com/ Aerstone], located at [https://maps.google.com/maps?q=1711+Pearl+St,+Boulder,+CO+80302&hl=en&ll=40.018955,-105.272412&spn=0.005801,0.016512&sll=40.019446,-105.273058&layer=c&cbp=13,345.63,,0,0.03&cbll=40.019323,-105.273016&hnear=1711+Pearl+St,+Boulder,+Colorado+80302&t=m&z=17&panoid=5v0RhKi7sjpi-Z5HcgKFFw 1711 Pearl St.] (3rd floor).
 +
<br>'''Parking''': Free through the [http://files.meetup.com/3503072/Parking.png Whittier Neighborhood Zone].
 +
<br>'''RSVP''': available through [http://www.meetup.com/OWASP-Boulder/ MeetUp.com]
 +
<br>'''Virtual meeting''': available through [https://questconsultants.webex.com/ WebEx].
 +
<br>(Please call me if the door is locked or WebEx is down.)
  
<paypal>Boulder</paypal>
+
The standing agenda includes status updates on:
 +
* Participant VM
 +
* Scoreboard
 +
* Challenge management
 +
* Challenge development
 +
* Challenge-framework integration
 +
* General project administration
 +
* Roadblocks
  
 +
Any time left over will be used for collaboration and coding.
  
<!-- '''November Meeting combined with the Denver Chapter meeting:'''
 
  
Wednesday 18 November 2009, 6pm @ Raytheon Polar Services
+
====Thursday, January 17th at 6pm – OWASP Project Round-Up====
  
Anton Rager: "The Evils of XSS: Its not just for cookies anymore"
+
To kick off 2013 the Boulder Chapter is holding an OWASP Project Roundup. Chapter members will showcase OWASP projects --from well-known to obscure-- in a series of lightning talks.
  
Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.  
+
'''When''': Thursday, January 17th at 6:00pm
 +
<br>'''Where''': [https://aerstone.com/ Aerstone], located at [https://maps.google.com/maps?q=1711+Pearl+St,+Boulder,+CO+80302&hl=en&ll=40.018955,-105.272412&spn=0.005801,0.016512&sll=40.019446,-105.273058&layer=c&cbp=13,345.63,,0,0.03&cbll=40.019323,-105.273016&hnear=1711+Pearl+St,+Boulder,+Colorado+80302&t=m&z=17&panoid=5v0RhKi7sjpi-Z5HcgKFFw 1711 Pearl St.] (3rd floor).
 +
<br>'''Parking''': Free through the [http://files.meetup.com/3503072/Parking.png Whittier Neighborhood Zone].
 +
<br>'''RSVP''': available through [http://www.meetup.com/OWASP-Boulder/events/93638032/ MeetUp.com]
 +
<br>'''Virtual meeting''': available through [https://questconsultants.webex.com/questconsultants/j.php?ED=16221943&UID=495177262&RT=MiM2 WebEx].
  
This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.  
+
To make this work I need volunteers. Your job is to pick a project, learn a bit about it, then present it to the rest of the group. Informal discussions are good, prepared presentations are better, and live demos are best. The goal is lively, informative, low-stress discussions rather than formal, extensively-research presentations. Spend an hour or two familiarizing yourself with your project (you do not need to be an expert on it), jot your notes into a couple of slides, then share with the group for 5 - 10 minutes.
  
A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.  
+
Need help selecting a project? Take a look at the [[:Category:OWASP_Project|OWASP Projects page]]. Try tools you use already (the [[:Category:OWASP Top Ten Project|OWASP Top 10]]), tools you've heard of and want to learn more about ([[:Category:OWASP_WebGoat_Project|WebGoat]]), or discover something entirely new ([[:Category:OWASP Enterprise Security API|ESAPI]]). All projects are encouraged, from the popular to the esoteric. Still undecided? Send me a note with your interest in presenting and I will happily suggest some projects to choose from.
  
Presenter: Anton Rager
+
To avoid duplicates, project topics will be first-come first-served. Email your topic idea to either mark.major or rob.jepson at owasp.org and we will add you to the meeting agenda. Please check this Wiki (or the [http://www.meetup.com/OWASP-Boulder/ chapter's MeetUp.com page]) to see what other people have taken prior to choosing your topic.
  
Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
+
Current project presentations (in no particular order):
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.
+
*Mike: DirBuster
 +
*Greg: Mantra
 +
*Chris: Zap
 +
*Mark: TBD (whatever is left over)
  
Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.  
+
Please remember that seating is limited and is prioritized for those who RSVP through MeetUp. If you have a change of plans, please update your RSVP status to allow space for those on the waiting list. Food and drinks are provided and the facilities will remain open after the meeting for socializing and networking. All meetings are free to attend.
  
More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
 
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.
 
  
Agenda
+
====Special Thanks====
 +
The Boulder chapter is grateful for the continued sponsorship of Aerstone. Thank you for providing the venue, refreshments, and other resources necessary to keep the chapter running strong.
  
• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant
+
[[File:BoulderSponsorAerstone.png]]
  
• 6:30pm: Introduction and Chapter business
 
  
• 6:45pm -- 8pm: Presentation
+
[[Category:OWASP Chapter]]
-->
+
[[Category:Colorado]]

Revision as of 18:21, 3 January 2013

Contents

OWASP Boulder

Welcome to the Boulder chapter homepage. The chapter leader is Mark Major.
Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Upcoming Events

Wednesday, January 16nd at 6pm – CTF Project Development

Plan, plot, hack, hang out.

When: Wednesday, January 2nd at 6:00pm
Where: Aerstone, located at 1711 Pearl St. (3rd floor).
Parking: Free through the Whittier Neighborhood Zone.
RSVP: available through MeetUp.com
Virtual meeting: available through WebEx.
(Please call me if the door is locked or WebEx is down.)

The standing agenda includes status updates on:

  • Participant VM
  • Scoreboard
  • Challenge management
  • Challenge development
  • Challenge-framework integration
  • General project administration
  • Roadblocks

Any time left over will be used for collaboration and coding.


Thursday, January 17th at 6pm – OWASP Project Round-Up

To kick off 2013 the Boulder Chapter is holding an OWASP Project Roundup. Chapter members will showcase OWASP projects --from well-known to obscure-- in a series of lightning talks.

When: Thursday, January 17th at 6:00pm
Where: Aerstone, located at 1711 Pearl St. (3rd floor).
Parking: Free through the Whittier Neighborhood Zone.
RSVP: available through MeetUp.com
Virtual meeting: available through WebEx.

To make this work I need volunteers. Your job is to pick a project, learn a bit about it, then present it to the rest of the group. Informal discussions are good, prepared presentations are better, and live demos are best. The goal is lively, informative, low-stress discussions rather than formal, extensively-research presentations. Spend an hour or two familiarizing yourself with your project (you do not need to be an expert on it), jot your notes into a couple of slides, then share with the group for 5 - 10 minutes.

Need help selecting a project? Take a look at the OWASP Projects page. Try tools you use already (the OWASP Top 10), tools you've heard of and want to learn more about (WebGoat), or discover something entirely new (ESAPI). All projects are encouraged, from the popular to the esoteric. Still undecided? Send me a note with your interest in presenting and I will happily suggest some projects to choose from.

To avoid duplicates, project topics will be first-come first-served. Email your topic idea to either mark.major or rob.jepson at owasp.org and we will add you to the meeting agenda. Please check this Wiki (or the chapter's MeetUp.com page) to see what other people have taken prior to choosing your topic.

Current project presentations (in no particular order):

  • Mike: DirBuster
  • Greg: Mantra
  • Chris: Zap
  • Mark: TBD (whatever is left over)

Please remember that seating is limited and is prioritized for those who RSVP through MeetUp. If you have a change of plans, please update your RSVP status to allow space for those on the waiting list. Food and drinks are provided and the facilities will remain open after the meeting for socializing and networking. All meetings are free to attend.


Special Thanks

The Boulder chapter is grateful for the continued sponsorship of Aerstone. Thank you for providing the venue, refreshments, and other resources necessary to keep the chapter running strong.

BoulderSponsorAerstone.png