[Owasp-cincinnati] Last OWASP Meeting Presentation, My comments and Call for Participation

Marco M. Morana marco.m.morana at gmail.com
Wed Aug 27 21:40:32 EDT 2008


OWASP Cincy enthusiasts

First of all, thanks to the participants in the latest meeting. The ESAPI
presentation is available on the chapter site:

https://www.owasp.org/images/4/44/OWASP_Cincy_ESAPI.pdf

I personally enjoyed Joe Combs' presentation on ESAPI and the examples.
Thanks Joe! More on what I liked is below (*).

Moving forward, the next meeting topic has been changed from CAPTCHA to
encoding attack vectors: threats and countermeasures. 

There have been some presentations at DEFCON on CAPTCHA that really defeat
the purpose of presenting it again at the local chapter.

If you are still interested in CAPTCHA, I can provide you the references and
even bring copies of the DEFCON or Black Hat conference CDs to the next meeting.

Another topic I would like to stress is local involvement. I am actually happy
with what we have accomplished with the chapter so far in terms of level of
participation.

Moving forward, I suggest you do not miss the opportunity to spread the word
about OWASP to your work colleagues and associates.

If you need me to give a talk about OWASP at your company, provide you CDs,
etc., please just ask, or just invite them to subscribe to the list and look at
the projects and resources that OWASP has to offer.

If you are interested in a career in application security, OWASP is a great
organization to be part of, and attending the local OWASP meetings is a great
way to learn.

Please feel free to use this email to communicate how we can improve
OWASP Cincy chapter participation moving forward.

Again, thanks for your participation and interest.

Cheers,

Marco

(*)

One thing I really like about ESAPI is that it does not try to re-invent the
wheel by pretending to rewrite security APIs such as JCE, Struts, Bouncy Castle,
etc., but rather implements an abstraction on top of these libraries, making
sure developers implement them properly.

ESAPI provides security controls to address basic vulnerabilities like the
OWASP Top 10. Like Joe said, it is not a silver bullet. Some features can be
better addressed by ESAPI; some others you can probably just implement
in the framework of your choice.

Some features that I thought were pretty cool were the double-encoding
filtering for input validation and the hashing of URL parameters, besides
CSRF mitigation. Double-encoding filtering addresses threats from the next new
wave of input validation attack vectors. In the old days it was enough to filter
<script>alert("XSS")</script> to mitigate XSS. Now they already serve you
UTF-7 encoded XSS to bypass blacklisting. In the future it is going to be
encoded <iframe>s in white spaces, double- and triple-encoded attack vectors.

The other feature that I liked was indirect object references to deter
parameter tampering attacks and CSRF, using the hashing and server-side
validation of the URL parameters. URL parameters can be tampered with to
bypass authorization controls and business logic. A roleID=1 (user) changed
on the client side to roleID=2 (admin) suddenly allows for elevation of
privileges.
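To make the two ideas above concrete (canonicalize multiply-encoded input before validating it, and give the client only an indirect reference instead of the real id), here is a small Python sketch added for this note. It is my own illustration, not ESAPI's code, and the names canonicalize, is_safe_text and IndirectReferenceMap are invented for the example.

```python
import html
import re
import secrets
import urllib.parse

MAX_DECODE_ROUNDS = 3
HOSTILE_TAG = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def canonicalize(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """URL- and HTML-decode repeatedly until the value stops changing, so that
    validation sees the canonical form; still changing after max_rounds is hostile."""
    current = value
    for _ in range(max_rounds + 1):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input still decoding after %d rounds" % max_rounds)


def is_safe_text(value: str) -> bool:
    """Blacklist check on the canonical form: '%253Cscript%253E' (double
    URL-encoded '<script>') is caught even though the raw string has no '<'."""
    try:
        return HOSTILE_TAG.search(canonicalize(value)) is None
    except ValueError:
        return False


class IndirectReferenceMap:
    """Per-session map between real object ids and random opaque tokens.
    Only the token appears in URLs, so editing roleID in a request cannot
    name an object the server never handed to this session."""
    def __init__(self) -> None:
        self._to_token = {}
        self._to_direct = {}

    def indirect(self, direct):
        """Return the opaque token for a real id, minting one on first use."""
        if direct not in self._to_token:
            token = secrets.token_urlsafe(16)
            self._to_token[direct] = token
            self._to_direct[token] = direct
        return self._to_token[direct]

    def direct(self, token):
        """Resolve a token to the real id; unknown tokens are rejected."""
        if token not in self._to_direct:
            raise PermissionError("unknown object reference")
        return self._to_direct[token]
```

In a real application the map lives in the user's session and the hostile-pattern check is only the last line of defense behind output encoding and whitelist validation.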
