OWASP Israel 2009 05

The meeting was held on May 7th 2009 and was hosted by IBM at Park Azorim in Petach-Tikva.


Web-Based Man-in-the-Middle Attack
Adi Sharabani, IBM

We've all known for a long time that using a public wireless network is risky. We all think twice before logging into our bank account or accessing any kind of sensitive information. But what about simply reading the news on our favorite news site? In this presentation, we will show how using a public network can expose you to practically any web-related client-side security issue on any domain, no matter how careful you think you're being. These issues range from XSS on any domain, through CSRF, to leaking of browser data and more.

We will show how the currently known best practices, which are supposed to keep you from harm when reading a blog in the neighborhood coffee shop, may be overcome. We'll demonstrate how such best practices, like those listed in http://www.microsoft.com/protect/yourself/mobile/publicwireless.mspx, are only useful against what we call "passive" attacks, which passively gather data from the network. We will introduce a new type of attack coined "Active attacks", and see how they easily work around a careful user's attempt to browse responsibly in a public network. We will demonstrate how these attacks can steal information from past browsing activities, and how they can monitor your future browsing, inside the safety of your home and your organization's networks.

Further Information: Presentation | White Paper | Blog

Automation Attacks and Counter Measures
Ofer Shezaf, Xiom

Abuse of web applications using automated programs is becoming a major threat to web sites. Some attacks, such as brute force and denial of service, are clearly illegal, while others fall in the grey area of the law but harm the business of the web site owner. Examples of grey-area automation attacks are robots that play online gambling games or automatically participate in online tenders.

The presentation will show several interesting automation incidents and discuss the cat-and-mouse game between attackers and site owners, in which the latter create new defenses while the former make their attacks more sophisticated. Lastly, we will present novel ideas on how sites can mitigate automation attacks better.

Further Information: Presentation