Loading…
AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Builder and Breaker Track [clear filter]
Thursday, June 26
 

11:15

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? 

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. 

In this talk we explore the vulnerabilities behind Javascript, including: 
• A new class of vulnerabilities unique only to JavaScript 
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code 
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities 

Speakers
avatar for Maty Siman

Maty Siman

Founder and CTO, Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project... Read More →


Thursday June 26, 2014 11:15 - 12:05
LAB002
  • Company 74

12:05

25 Million Flows Later – Large-scale Detection of DOM-based XSS
In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

Speakers
avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the... Read More →
SL

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.  Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc.  He... Read More →


Thursday June 26, 2014 12:05 - 12:50
LAB002
  • Company 58

12:05

ActiveScan++: Augmenting manual testing with attack proxy plugins
This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's basic active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.

ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.

The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.

This presentation will host the first public release of this open source tool.


Speakers
JK

James Kettle

Context Information Security
James Kettle has  extensive experience vulnerability bounty hunting across Mozilla's and Google's heavily secured infrastructure, resulting in being ranked 6th in Google's 0x0A list for 2012/13. As part of this he has  performed security research culminating in novel attack techniques... Read More →


Thursday June 26, 2014 12:05 - 12:50
LAB003
  • Company 29

13:50

Metro down the Tube. Security Testing Windows Store Apps
This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site. 

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile). 

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox. 

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT. 

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature. 

Speakers
avatar for Marion Mccune

Marion Mccune

Director, ScotSTS Ltd
I'm a director of a small security consultancy specializing in testing Web Applications. | My specific fields of interest are ASP.NET, Store Apps and WP8. | | I live in rural Argyll with my partner Rory, two cats, three Surfaces and a visiting pine marten.


Thursday June 26, 2014 13:50 - 14:40
LAB002
  • Company 28

14:40

Can Application Security Training Make Developers Build Less Vulnerable Code?
This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers
avatar for John Dickson

John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a... Read More →


Thursday June 26, 2014 14:40 - 15:30
LAB002
  • Company 85

16:00

Automatic Detection of Inadequate Authorization Checks in Web Applications
Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications. 

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative. 

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems. 

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production. 

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today. 

Speakers
avatar for Alvaro Muñoz

Alvaro Muñoz

Software Security Researcher, HP


Thursday June 26, 2014 16:00 - 16:50
LAB002
  • Company 60