[Owasp-germany] CFP for OWASP Conference at IT-SA Nürnberg

Cyrill Brunschwiler cbrunsch at gmail.com
Wed Jul 28 16:11:22 EDT 2010


Hi Guys

Compass Security is hosting a commercial Application Security Training
at IT-SA. Since we are already there I could offer to give a free talk
on the OWASP conference on some topic. We would provide you with free
access to hands-on labs on the topic.

I'm actually an active and recognized member of the OWASP Switzerland
chapter and have already spoken on some topics there.

I suggest giving a talk on either of the following topics:

XML Security
- Brief introduction to the use of web services in B2B environments
  and backend integration
- Brief introduction to XML, DTD and XML Schema
- Show attacks against XML generators and XML parsers.
- Present how the Xerces parsers can be hardened to prevent attacks
- I will talk about XXE (XML external entity) attacks and flavors of it
- You will get an idea of XML DoS attacks
- Free hands-on labs include exercises for...
  - XML Injection
  - XML URL enumeration
  - XML directory traversal
  - XML port scanning
  - All of 'em are XXE
- I will not talk about XML security standards and protocols (e.g. SAML)

JSON Hijacking and Cross-site Request Forgery a.k.a. XSRF
- Brief introduction to XHR/JSON/AJAX
- Brief introduction to the Same Origin Policy
- Demonstration on how to exploit the vulnerabilities
- Discussion on the mitigation
- Free hands-on labs include exercises for...
  - JSON hijacking
  - XSRF
- I will not talk about the JSON Standard
- I will not talk about the HTTP RFC

For those who are keen on the hands-on: as already mentioned, I'll
provide access to the Compass learning environment for those who are
interested in practical exploitation of the issues.

Let me know what you think, guys. 

Regards,
Cyrill
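As an added example (not code from the author, Compass Security or OWASP), this shows the kind of Xerces parser hardening the first talk outline refers to, using the JAXP DocumentBuilderFactory with the standard Xerces feature flags that disable external entity resolution; the sample document and its placeholder SYSTEM path are constructed for the demo.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: an XXE-style document declaring an external entity.
    // The SYSTEM identifier is a placeholder path, not a real target.
    static final String XXE_SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE order [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
        + "<order><note>&ext;</note></order>";

    // Factory configured with the Xerces/JAXP features that block external
    // entity resolution (these feature URIs are the real Xerces ones).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE:
        // never fetch external general/parameter entities or the external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and reports whether the parser accepted it.
    static boolean accepts(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder builder = f.newDocumentBuilder();
            builder.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            // The hardened parser raises a SAXParseException on the DOCTYPE line.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = accepts(hardenedFactory(), XXE_SAMPLE);
        System.out.println("hardened parser accepted XXE sample: " + accepted);
    }
}
```

Running the same document through a plain `DocumentBuilderFactory.newInstance()` without these features is the contrast to test in a lab, since the default parser will try to resolve the entity.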