Difference between revisions of "Netherlands May 14, 2013"

From OWASP
Jump to: navigation, search
Line 15: Line 15:
 
===Discovering flaws using JS-Enabled crawlers===
 
===Discovering flaws using JS-Enabled crawlers===
 
Automated testing of security faults on a web page is common practice these days. However, most modern web application aren't a set of pages anymore. They load their content dynamically using AJAX and tailor the results to the user's needs using JavaScript. Running the automated tools on these applications is much harder, if not impossible. Using Crawljax, a JavaScript enabled Crawler, testing all pages and states of such web applications becomes possible again. In this presentation, I will give an overview of the possibilities Crawljax offers.
 
Automated testing of security faults on a web page is common practice these days. However, most modern web application aren't a set of pages anymore. They load their content dynamically using AJAX and tailor the results to the user's needs using JavaScript. Running the automated tools on these applications is much harder, if not impossible. Using Crawljax, a JavaScript enabled Crawler, testing all pages and states of such web applications becomes possible again. In this presentation, I will give an overview of the possibilities Crawljax offers.
 +
 +
===Securing Password Storage - Increasing Resistance to Brute Force Attacks===
 +
In this talk Tiago Teles takes apart password protection scheme analyzing the attack
 +
resistance of hashes, hmacs, adaptive hashes (such as script), and encryption
 +
schemes. First, we present a threat model for password storage. Then audience
 +
members will learn the construction, performance, and protective properties of these
 +
primitives. Discussion of the primitives will be from a critical perspective modeled as
 +
an iterative secure design session.
 +
Ultimately, this session presents the solution and code donated as part of the on-
 +
going OWASP PSM (password storage module) project. Discussion of this solution
 +
will include key techniques for hardening PSM learned through years of delivering
 +
production JavaEE code to customers...
  
 
==Speakers==
 
==Speakers==
Line 21: Line 33:
 
===Alex Nederlof===
 
===Alex Nederlof===
 
Alex Nederlof is a Msc student in Compute Science, Software Engineering. Active in web application development for 4 years at E.Novation BTC. Now working on Crawljax, a JavaScript-enabled Crawler.
 
Alex Nederlof is a Msc student in Compute Science, Software Engineering. Active in web application development for 4 years at E.Novation BTC. Now working on Crawljax, a JavaScript-enabled Crawler.
 +
===Tiago Teles===
 +
Tiago Teles is a Technical Consultant with 7 years of experience in clients across
 +
different sectors and countries, including banking, insurance, telecommunications
 +
and commercial organizations in a variety of roles, Development, Business
 +
Intelligence, Quality Assurance and Delivering Training.
  
 
==Venue==
 
==Venue==

Revision as of 10:52, 15 April 2013

Contents

May 14, 2013

"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."

Programme

18:30 - 19:15 Registration & Pizza
19:15 - 20:00
20:00 - 20:15 Break
20:15 - 21:00
21:00 - 21:30 Networking

Presentations

Neutralizing Peer-to-Peer Botnets

This presentation is a case study on our takedown efforts against state-of-the-art peer-to-peer botnets. Unlike conventional botnets, peer-to-peer botnets are decentralized, and thus cannot be disabled by neutralizing centralized control facilities. Takedowns against peer-to-peer botnets require a highly decentralized approach targeting the infected drones themselves. We describe the technical and ethical challenges we faced in our own takedown attempts.

Discovering flaws using JS-Enabled crawlers

Automated testing of security faults on a web page is common practice these days. However, most modern web application aren't a set of pages anymore. They load their content dynamically using AJAX and tailor the results to the user's needs using JavaScript. Running the automated tools on these applications is much harder, if not impossible. Using Crawljax, a JavaScript enabled Crawler, testing all pages and states of such web applications becomes possible again. In this presentation, I will give an overview of the possibilities Crawljax offers.

Securing Password Storage - Increasing Resistance to Brute Force Attacks

In this talk Tiago Teles takes apart password protection scheme analyzing the attack resistance of hashes, hmacs, adaptive hashes (such as script), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. Discussion of the primitives will be from a critical perspective modeled as an iterative secure design session. Ultimately, this session presents the solution and code donated as part of the on- going OWASP PSM (password storage module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production JavaEE code to customers...

Speakers

Dennis Andriesse

Dennis Andriesse is a Ph.D. candidate in the System and Network Security Group at VU University Amsterdam. His research focuses on binary code (de)obfuscation and reverse engineering techniques. Next to that, he is also interested in advanced malware, particularly in the resilience of peer-to-peer botnets.

Alex Nederlof

Alex Nederlof is a Msc student in Compute Science, Software Engineering. Active in web application development for 4 years at E.Novation BTC. Now working on Crawljax, a JavaScript-enabled Crawler.

Tiago Teles

Tiago Teles is a Technical Consultant with 7 years of experience in clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations in a variety of roles, Development, Business Intelligence, Quality Assurance and Delivering Training.

Venue

Avans Hogeschool Room: OB007 Onderwijsboulevard 215 5223 DE 's-Hertogenbosch