[Owasp-denver] SNOWFROC conference on 2/18 and Meeting this Wed on 2/3

Steve Kosten steve.kosten at owasp.org
Tue Feb 2 01:22:24 UTC 2016


First, Feb 18th, come to our *own security conference, SNOWFROC* (see
<http://snowfroc.com/> for info and registration).  Featuring Jeremiah
Grossman as our keynote speaker and other great speakers lined up.  We have
two presentation tracks, a hands-on track, lunch and coffee, all for a mere
$30.  Sign your whole team up before we fill up as we are limited to 200.

On Feb 3rd, we will be having our normal OWASP meeting at Chinook Tavern.
Please RSVP at http://www.meetup.com/Denver-OWASP/events/228365435/.

We will hear a great presentation on *XPath Injection* by Luis Torres.

XPath is a language that has been designed and developed to operate on data
that is described with XML. XPath injection allows an attacker to inject
XPath elements into a query that operates on XML. Threat agents' goals are
often to circumvent authentication and/or access information in an
unauthorized manner.

Developers today use XPath to perform actions over XML-based documents, but
insecure coding practices can allow injection issues to surface in web
applications. Blind XPath injection retrieves information by posing
true/false questions to the web application; however, such techniques mostly
focus on retrieving information from the current query, skipping sensitive
information in XML nodes outside the scope of the current query. This
presentation will extend beyond these blind injection attacks and discuss
how to retrieve the entire XML document using blind XPath injection.
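To make the abstract concrete, here is an added example (not part of the talk or the original post) in Ruby using REXML, which ships with Ruby. It contrasts a login check that concatenates user input into an XPath expression with one that binds the input as XPath variables, against a constructed sample user store; the `login_vulnerable`, `login_safe` and `xpath_literal_safe?` names are this example's own.

```ruby
require "rexml/document"

# Constructed sample user store. Plaintext passwords appear only to keep the
# example short; a real store would hold salted password hashes.
USERS_XML = <<~XML
  <users>
    <user name="admin" password="s3cret!" role="admin"/>
    <user name="alice" password="wonderland" role="user"/>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: untrusted input is interpolated into the XPath string, so a
# quote in the input closes the string literal and everything after it is
# interpreted as XPath syntax (the injection the talk describes).
def login_vulnerable(name, password)
  expr = "//user[@name='#{name}' and @password='#{password}']"
  node = REXML::XPath.first(DOC, expr)
  node && node.attributes["name"]
end

# Hardened: the same query with the input bound as XPath variables ($n, $p).
# Bound values are only ever compared as strings and are never parsed, so
# quotes or operators in the input cannot change the query's structure.
def login_safe(name, password)
  expr = "//user[@name=$n and @password=$p]"
  node = REXML::XPath.first(DOC, expr, {}, { "n" => name, "p" => password })
  node && node.attributes["name"]
end

# Fallback check for code paths that cannot use variable binding: reject any
# value containing a character that could terminate an XPath string literal.
def xpath_literal_safe?(value)
  !value.match?(/['"]/)
end
```

Run `login_vulnerable("admin", "' or '1'='1")` and `login_safe("admin", "' or '1'='1")` side by side: the first returns a user without a valid password, the second returns nil.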

*Luis Torres Bio:*

Luis Torres is a security consultant with VerSprite. An avid pen tester,
researcher, CTF participant, and bug bounty winner, Luis is a key
consultant for VerSprite's AppSec Consulting practice where he focuses his
time on client-server, cloud, web services, and fat client security
testing. His recent research has been around more damaging exploits around
XPath injection which he seeks to share with you today.

As Senior Security Engineer at Bugcrowd, Leif Dreizler works to customize
and support security testing solutions for Bugcrowd clients. Prior to
Bugcrowd, Leif spent over two years as the Senior Application Security
Engineer at Redspin, performing application security assessments. He also
served as the Application Security Team Lead, liaising with clients at the
engineering and sales level.

Steve Kosten
OWASP Denver Chapter Leader