Archived OWASP London Events

Friday, October 1st 2010
Location: Barclays Capital, 5 North Colonnade, Canary Wharf, London E14 4BB


 * How I Met Your Girlfriend - Samy Kamkar
 * The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more


 * Padding Oracle attacks (and ASP.NET 0-day) - Justin Clarke ([[Media:Fun with Padding Oracles.pdf|PDF]])
 * Change of plan from the previous announcement - I'm going to go through Padding Oracle attacks (as recently re-popularised by Thai Duong and Juliano Rizzo), as well as demoing the 0-day Padding Oracle attack on ASP.NET (time permitting)

Thursday, September 9th 2010
Location: Deloitte, 2 New Street Square, London, EC4A 3BZ


 * CAT - Michael Jordon ([[Media:Cat-OWASP Sept 2010.pdf|PDF]])
 * Context Application Tool (CAT) is a tool for performing manual web application penetration testing. The presentation will show the main features of CAT with demonstrations of where CAT can perform tests that other tools currently available cannot and how CAT empowers the user to create more complex test cases to further explore the boundaries of the application. The focus of CAT is on manual penetration testing and not on automated web VA scanning.  Also a sneak preview of the current features that are currently in development an due to be release late this year.


 * Security in the SDLC: IT Doesn't Have To Be Painful! - Matt Bartoldus ([[Media:SSDLC painful - owasp.pdf|PDF]])
 * Why do organizations fail so miserably at Application Security? Even after investing millions into Information Security programs? Organizations are addressing application security through initiatives from hiring their first 'Security Person' to investing in large time and resource intensive projects. Great! So how come security breaches through applications are still on the rise and showing no signs of abatement? Is the security industry failing? This talk will focus on what the speaker has experienced over the past few years while working with his clients to integrate information security practices into IT processes. This includes large Global Top 100 to medium domestic UK companies. The focus will be around some of the different approaches that were taken and the things that worked and the things that failed miserably. In the end, the audience will be able to take away real world experiences for consideration. The talk will start by discussing some of the more interesting angles the speaker has seen when presenting the business case for a security integration project investment. This includes stepping outside of the traditional security professional arguments and adopting the viewpoint from other parts of an organization. The speaker will then discuss the age old IT consultant's mantra of People, Process and Technology and where security practices fits in. The focus will be on process and people rather than technology. Building upon a business case and the theories around people and processes, we will discuss how to move forward with integrating information security practices into the SDLC. Lastly, we'll talk about the 'gotchas', the pitfalls, traps, and other 'bad things' from perceptions to internal politics. These are discussed in a light-hearted manner through example experiences and 'war stories.' The speaker hopes they will be considered at the beginning of a security initiative or project part of project risk and critical success Factors!

Thursday, July 15th 2010
Location: Commerzbank AG, Gaumont Suite, 6th floor, 30 Gresham Street, London, EC2V 7PG


 * Auditing WebObjects Applications - Ilja van Sprundel ([[Media:WebObjects.pdf|PDF]])
 * WebObjects is Apple's application server and web application framework. To date very little is known about how secure applications are written for the WebObjects application server. This presentation tries to shed some light on this question. It'll discuss what WebObjects applications look like, what their entrypoints are, and where the weak spots are in the API's and usage.


 * O2 1.0 Launch - Dinis Cruz
 * Short session - awaiting talk outline


 * Real Time Application Attack Detection and Response with OWASP AppSensor - Colin Watson (PDF)
 * The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. The talk will provide an overview why conventional defences do not work, and how application intrusion detection can be used to identify, and respond to, attackers before they are able to find a flaw to exploit. Implementations will be described that have been tested against security scanning tools, manual attackers and how the technique could be used to defend against an application worm.

London/Training/OWASP projects and resources you can use TODAY

 * Overview & Goal
 * Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.
 * This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
 * The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.
 * If you are interested in participating in the hands on portion of the course, please bring a laptop.
 * Dates
 * April, 16th, 2010
 * May, 28th, 2010
 * Course Main Content and Registration
 * Click here

Thursday, March 4th 2010
Location: Nomura, Nomura House, 1 St Martins-le-Grand, London EC1A 4NP


 * OWASP Top Ten 2010 - Fabio Cerrulo ([[Media:OWASP Top 10 - 2010 rc1.pdf|PDF]])
 * The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organisations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas and provides guidance on where to go from there. The Top 10 project is referenced by many standards, books, tools, and organisations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003 and minor updates were made in 2004, 2007, and this 2010 release. We encourage you to use the Top 10 to get your organisation started with application security so developers can learn from the mistakes of other organisations. Executives can start thinking about how to manage the risk that software applications create in their enterprise.
 * This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions, and provides additional information on how to assess these risks for your applications. For each Top 10 item, this release discusses the general likelihood and consequence factors that are used to categorise the typical severity of the risk, and then presents guidance on how to verify whether you have problems in this area, how to avoid them, some example flaws in that area, and pointers to links with more information.

Thursday, January 14th 2010
Location: Nomura, Nomura House, 1 St Martins-le-Grand, London EC1A 4NP


 * Top Ten Deployment Mistakes That Render SSL Useless - Ivan Ristic (PDF)
 * SSL is the technology that secures the Internet, but it only works when properly configured. Unfortunately, because SSL is assumed to be easy to use (and it genuinely is), there is a lack of information how to use it properly. As a result, too many web sites use insecure deployment practices that render SSL completely useless. In this talk I will present a list of top ten (or thereabout) deployment mistakes, based on my work on the SSL Labs assessment platform.


 * Using Selenium to hold state for web application penetration testing - Yiannis Pavlosoglou ([[Media:OWASP_London_14-Jan-2009_Penetration_Testing_with_Selenium-Yiannis_Pavlosoglou_v2.pdf|PDF]])
 * Selenium is a web application testing framework often used for unit testing and functional testing during the later parts of web application development. This presentation examines how this tool, in particular the Selenium IDE, can be used for creating security unit tests. By emulating a systematic logon, logoff or browse to a particular location, web application penetration tests can be performed using Selenium. Furthermore, fuzzing payloads can be scripted as inputs for security tests. As a result, issues of holding state, or having valid authentication credentials to test a particular input for, say, Cross Site Scripting (XSS) or SQL Injection can be performed in a much shorter time duration. This presentation will take the audience through the process of setting up, scripting and running Selenium against a vulnerable web application. It's aim is to relay back one successful approach that has been used in the field in order to discover vulnerabilities through stateful fuzzing.

Thursday, November 5th 2009
Location: Lloyds TSB, 5th Floor Seminar Room, Red Lion Court, 46-48 Park Street, London SE1 9EQ.


 * SQL Injection - How far does the rabbit hole go? - Justin Clarke ([[Media:OWASP-SQLInjection5nov09.pdf|PDF]])
 * SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea. This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.


 * The London OWASP Chapter: Where to next? - Justin Clarke
 * We have a enormous amount of web application security experience and knowhow in the London area, but the question is how can we tap that at OWASP? And what can we, or what should we do with that? This session will be an open discussion (to be continued later over a beer no doubt) to discuss where we want to go with OWASP London, with you (the participants) being able to share what you would like to get out of, and what you'd be willing to put into the OWASP London chapter. Justin will be facilitating the discussion, but planned topics include growth and outreach, management of the chapter (i.e. a chapter board?), and what we want to do with our meetings.

Thursday, September 3rd 2009
Location: Lloyds TSB, 5th Floor Seminar Room, Red Lion Court, 46-48 Park Street, London SE1 9EQ.


 * OWASP O2 Platform - Open Platform for automating application security knowledge and workflows - Dinis Cruz ([[Media:OWASP O2 Platform - London Chapter - 3rd Sep 2009.pdf|PDF]])
 * In this talk Dinis Cruz will show the open source toolkit O2 (Ounce Open) which is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code security reviews. The O2 toolkit (http://www.o2-ounceopen.com) uses the scanning engines from Ounce Labs, Microsoft's CAT.NET tool and FindBugs (with more engines to be added soon) and allows advanced filtering, manipulation and visualization of its findings. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues.


 * Using Surrogates to Protect from Application Data Breach - Dave Marsh ([[Media:Dave Marsh Tokenisation.pdf|PDF]])
 * Companies are being challenged to store Personal Identifiable Information (PII) data in increasingly more secure environments, and also to comply with increasing standards of data security, for instance Payment Card Industry’s Data Security Standard (PCI DSS). Because all systems that accept or use PII/CC data are considered “in scope” for compliance, there are very few ways to “cut corners” when seeking compliance, and at the same time maintain your current business model.
 * This session will present a concept and use of a new data security model, tokenization, which substitutes “data surrogates” for PII/CC numbers in systems throughout the enterprise, thus reducing scope for compliance and annual audits, as well as lowering the risk of a data breach. This session will cover:
 * The value of a centralized data vault for PII/CC data
 * How tokens act as data surrogates
 * Using surrogates for masked data
 * The importance of a one-to-one token/data relationship
 * How tokens are generated, and
 * The security benefits of centralized key management

Thursday, July 9th 2009
Location: Barclays, Rooms 42/43, One Churchill Place, London E14 5HP


 * Auditing C# Code - Ilja van Sprundel ([[Media:IOActive-OWASP-London-200907.pdf|PDF]])
 * In this presentation, Ilja van Sprundel, Principal Consultant at IOActive, will discuss reviewing C# code, specifically C# code used for ASP.NET. He will cover entrypoints, exit points, .NET input validators, corner cases of API's, integer rules, managed vs unmanaged code, the garbage collector, exception handling issues, XSS cases, SQL Injection bugs, XML handling issues and usage of Anti-XSS.


 * The Ultimate IDS Smackdown - How red vs. blue situations can influence more than one might assume - Mario Heiderich and Gareth Heyes ([[Media:The Ultimate IDS Smackdown.pdf|PDF]])
 * The talk is a vector and coding showdown between the lead dev of the PHPIDS and one of its most determined challengers trying and managing to break it wherever possible. Expect a bloody battle between security researchers and developers without limits, regular expression magic against code obfuscation excellence leading to an interesting result about vs-situations in software development and IT security.

Thursday, May 21st 2009
Location: Barclays, Presentation Suite 2, One Churchill Place, London E14 5HP


 * Hash Cookies - A simple recipe - John Fitzpatrick ([[Media:Hash-cookies 2009-05-21.pdf|PDF]])
 * Hash cookies is a concept devised in concert with a couple of other guys whilst discussing an application test we were working on. The goal of hash cookies being to make session hijacking attempts infeasible through re-hashing the session cookie on future requests to the server.
 * The aim of this talk is to put across the concept of hash cookies and then have the audience don their ninja suits and break it. That way we can work towards a robust secure mechanism for securing sessions which, hopefully, hash cookies is a good solid step towards.


 * OWASP Google Hacking Project - Christian Heinrich ([[Media:Cmlh - OWASP Google Hacking Project - OWASP EU 2009 and OWASP London Chapter May 2009 Meeting - Post Update 22 May 2009.zip|PDF (zipped)]])
 * Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:
 * "TCP Input Text" extracts TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and netcat to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot".
 * "Download Indexed Cache" retrieves content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3. During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB).
 * The impact of mitigating controls, such as  Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.

Thursday, March 12th 2009
Location: KPMG, 39th Floor, One Canada Sq, E14 5AG


 * OWASP Global Industry Committee - Colin Watson ([[Media:Owasp-london-industry-committee-march-2009.pdf|PDF]])
 * The Global Industry Committee was one of six new OWASP committees created during the EU Summit in Portugal last year. Colin Watson will talk about the committee's aims, plan, how to get involved, who it has been engaging with and what else it has been doing in the first few months.


 * The Software Assurance Maturity Model - Introduction and a Use Case - Matt Bartoldus ([[Media:OpenSAMM.pdf|PDF]])
 * The OWASP CLASP Project has been going through modification to move more towards a maturity model. As a result, the Software Assurance Maturity Model (SAMM) project has been released in a beta version. The goal is to "define a usable security framework with sequential, measurable goals that can be used by small, medium, and large organisations in any line of business that involves software development".  This talk will introduce SAMM and give a brief overview of its contents. We will then discuss how SAMM is currently being used to measure the level of information security activities within an EU based financial organisation's development methodology and providing the framework for implementing such activities into their everyday development activities (SDLC).


 * SQL injection: Not only AND 1=1 - Bernardo Damele A. G. ([[Media:SQLinjectionNotOnly.pdf|PDF]])
 * The presentation will cover a quick preamble on SQL injection definition, sqlmap and its key features. It will then illustrate the details of common and uncommon problems and respective solutions with examples that a penetration tester or a SQL injection tool developer faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, blind SQL injection algorithm speed enhancements, specific web application technologies IDS bypasses and more.


 * Thursday, December 4th


 * Location: KPMG, 39th Floor, One Canada Sq, E14 5AG

Justin Clarke: SQL Injection Worms for Fun and Profit ([[Media:SPF.pdf|PDF]])

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

Dinis Cruz: OWASP Summit 2008 Report

The OWASP Summit 2008 has been a great success. Dinis, also known as Chief OWASP Evangelist, is going to tell us what we've missed.

Andrew Nairn: Protecting Vulnerable Applications with IIS7 ([[Media:SQL_Injection_for_Fun_&_Profit.pdf‎ |PDF]])

With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.


 * Thursday, September 4th


 * Location: KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

James Fisher: DirBuster & Beyond (PDF)

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

Yiannis Pavlosoglou: JBroFuzz

[Summary will be updated if I get it from Yiannis, but you can always go to the JBroFuzz project homepage for more information.


 * Thursday, July 24th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18:30 Arrive and make yourselves comfortable.
 * 19:00 Dinis Cruz: What is going on at OWASP?
 * 19:20 Colin Watson: Nominet Best Practices Award briefing (PDF)
 * 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns (PDF)
 * 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
 * 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls (PDF) (talk from the recent OWASP AppSec Europe conference in Ghent).


 * Thursday, April 3rd


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security is sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 PHP Code Analysis: Real World Examples (David Kierznowski)
 * 20h00 Abusing PHP sockets for fun and profit (Rodrigo Marcos; also available: source code, Flash demo)
 * 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
 * 21h00 Discussion: OWASP Best Practice Challenge 2008 nomination.
 * 21h30 End.


 * Thursday, December 6th


 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsoring the meeting by paying for the costs of the venue.


 * Programme
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
 * 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques (PPT).
 * 20h15 OWASP London Chapter (discussion).
 * 20h45 PDP: Client-Side Security (discussion).
 * 21h30 End.


 * Wednesday, September 5th (participating in the OWASP Day event). Read meeting notes here.
 * Location: Auriol Kensington Rowing Club (map), starting at 7pm (arrive between 6.30pm and 7pm). Breach Security sponsored the meeting by paying for the costs of the venue.


 * Programme:
 * 18h30 Arrive and make yourselves comfortable.
 * 19h00 Petko D. Petkov, a.k.a pdp (architect), founder of the GNUCITIZEN group: For my next trick... hacking Web2.0.
 * 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
 * 21h00 Discussion: "Future of the OWASP London Chapter".
 * 21h30 End


 * Thursday 22nd March
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * Mark O'Neill "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
 * Dinis Cruz "OWASP Spring of Code and Owasp world update " - 30 m


 * Thursday 22nd February
 * Location: The Water Poet Pub, Liverpool St, London map, description
 * We are going to use the downstairs room which you can access from the back of the pub
 * Presentations:
 * by Dinis Cruz (Chief OWASP Evangelist) :
 * OWASP, the Open Web Application Security Project 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
 * Buffer Overflows on .Net and Asp.Net 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
 * 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
 * by Ivan Ristic:
 * ModSecurity - 30m


 * Schedule:
 * 6pm - 7pm arrive and grab a drink
 * 7:00 - OWASP, the Open Web Application Security Project, Dinis Cruz
 * 7:45 - ModSecurity, Ivan Ristic
 * 8:15 - Buffer Overflows on .Net and Asp.Net, Dinis Cruz
 * 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
 * 9:00 - Dinner