[Owasp-ireland] OWASP Ireland News - July 16th, 2010

fabio.e.cerullo at aib.ie fabio.e.cerullo at aib.ie
Fri Jul 16 08:46:41 EDT 2010


*****************************************************
OWASP Ireland News                      July 16th, 2010
*****************************************************

1. OWASP Ireland 2010 Conference: Register Early to win an iPod Touch!

2. OWASP Ireland August Event: Security Implications for Web Applications 
based on SOA

3. Facebook Vulnerability: Like Clickjacking

4. Struts2/XWork remote command execution

5. HTML5, Local Storage, and XSS

6. Spring Framework execution of arbitrary code

------------------------------------------------------------------------

1. OWASP Ireland 2010 Conference: Register Early to win an iPod Touch!

We are fast approaching the biggest Application Security Conference in 
Ireland.

And just to make it more exciting, we are going to raffle TWO iPod Touches 
among those who register for the conference before our next chapter 
meeting on 11th August (more details below).

So grab your ticket at the URL below and be in with a chance to win one of 
these great gadgets!

https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=679c382d-35c2-4815-a399-c2c3a95ebfd7


You can find all the details about this event, including the updated 
agenda, keynote speakers, available training, etc., at the URL below:

http://www.owasp.org/index.php/OWASP_IRELAND_2010

2. OWASP Ireland August Event: Security Implications for Web Applications 
based on SOA

This is a reminder of the forthcoming OWASP Ireland chapter meeting, to be 
held on August 11th from 6:30pm to 7:30pm (please arrive at the venue 
between 6:00pm and 6:30pm).

As usual, our venue is the Ernst & Young offices in Dublin, who have kindly 
agreed to host our event:

- Ernst & Young, Harcourt Street, Dublin 2 (opposite the Odeon pub), 
Dublin, Ireland

As last time, there should be plenty of time for the talk and a few 
drinks afterwards.

If you are planning to attend you must RSVP at

http://owasp-ireland-august.eventbrite.com

Note: please enter your real name, as the attendee list will be given to 
Ernst & Young building security.

If you don't RSVP, you may not be let into the building.

A certificate of participation will be provided to those attending the 
event.

== Talk == 

Title: Security Implications and Solutions for Web Applications based on 
SOA

Abstract:

The main point of SOA (in this context) is combining systems and 
applications to make new applications, or one big 'overall' application.

This higher interoperability does (by default) lower security. For a 
start, a request originating from a web user might end up at several 
back-end systems, which do not know who or what the request came from.

Each back-end system might have no access to the customer data, have a 
different security model, and serve several front ends. Each of the above 
systems could be under different ownership, so the owners have different 
concerns and priorities. Also, the basic solutions at a technical level 
include single sign-on, or security as a service. These can be costly, give 
limited coverage and have a performance hit, but are pretty much the only 
way to do it. The other thing to do (probably in tandem) is strict 
management and delegation of authority.

== Presenters ==

John Marmelstein has about 13 years in IT, most of it in distributed 
systems and 'middleware' integration software, including BEA (now owned by 
Oracle). He has worked mainly on Enterprise Java and more recently on 
Microsoft BizTalk, across various industries including financials, public 
services, and a fish farm.

Further details and the schedule for the night will be available on the 
chapter page:

https://www.owasp.org/index.php/Ireland


3. Facebook Vulnerability: Like Clickjacking 

The Facebook Open Graph Like button is susceptible to a type of attack 
known as clickjacking. In short, if an attacker embeds the Like button on a 
page you are viewing and makes it completely transparent, positioned under 
something you intend to click, they can trick you into Liking something 
without your knowledge or consent.

More information about this vulnerability here: 
http://erickerr.com/like-clickjacking
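Header-based framing controls are the standard defence against clickjacking for pages you own; the Like button is a widget that is meant to be framed by third-party sites, which is exactly why those controls cannot fix the issue above and the mitigation lies with Facebook. As an added example (not code from this newsletter or from the linked article), the Node.js script below evaluates a page's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether a given origin may frame it, using CSP Level 2 semantics (frame-ancestors, when present, overrides X-Frame-Options; note that in 2010 only X-Frame-Options existed). The function names, the sample header set and the origins are constructed for illustration; the verdict is the worst case across browsers, so any value a browser might ignore counts as frameable.

```javascript
'use strict';

// Added example, not code from the newsletter or the linked article.
// Decide, from a page's response headers, whether a given origin may frame it.
// CSP Level 2 semantics: a frame-ancestors directive, when present, is
// authoritative and X-Frame-Options is ignored. Worst case across browsers:
// anything a browser might ignore counts as "frameable".

// Canonical origin ("https://example.com", default port dropped) or null.
function normaliseOrigin(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

const defaultPort = scheme => (scheme === 'https:' ? '443' : scheme === 'http:' ? '80' : '');

// Does one frame-ancestors source expression match the framing origin?
// Simplified CSP source matching: 'none', 'self', '*', scheme-only sources,
// host sources with optional scheme, a "*." host wildcard, and a port or "*" port.
function sourceMatches(source, pageOrigin, framerOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return pageOrigin === framerOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const withScheme = src.includes('://') ? src : `${framer.protocol}//${src}`;
  const m = withScheme.match(/^([a-z][a-z0-9+.-]*:)\/\/(\*\.)?([^/:*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme !== framer.protocol) return false;
  const framerPort = framer.port || defaultPort(framer.protocol);
  const sourcePort = port === undefined ? defaultPort(scheme) : port;
  if (sourcePort !== '*' && sourcePort !== framerPort) return false;
  return wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
}

// headers: object keyed by lower-case header name; a repeated header is an array.
// Returns { frameable, reason }.
function framingVerdict(headers, pageOrigin, framerOrigin) {
  const page = normaliseOrigin(pageOrigin);
  const framer = normaliseOrigin(framerOrigin);
  if (!page || !framer) throw new Error('origins must be absolute URLs');
  const values = name => [].concat(headers[name] || []);

  // Several CSP headers combine: every policy that mentions frame-ancestors must allow the framer.
  const frameAncestors = values('content-security-policy')
    .flatMap(policy => policy.split(';'))
    .map(directive => directive.trim().split(/\s+/))
    .filter(([name]) => name.toLowerCase() === 'frame-ancestors');
  if (frameAncestors.length > 0) {
    const allowed = frameAncestors.every(([, ...sources]) =>
      sources.some(s => sourceMatches(s, page, framer)));
    return { frameable: allowed, reason: 'csp-frame-ancestors' };
  }

  const xfo = values('x-frame-options').flatMap(v => v.split(',')).map(v => v.trim()).filter(Boolean);
  if (xfo.length === 0) return { frameable: true, reason: 'no-framing-protection' };
  // Conflicting values (e.g. "SAMEORIGIN, DENY") make browsers ignore the header entirely.
  if (new Set(xfo.map(v => v.toUpperCase())).size !== 1) {
    return { frameable: true, reason: 'xfo-conflicting-values' };
  }
  const directive = xfo[0].split(/\s+/)[0].toUpperCase();
  if (directive === 'DENY') return { frameable: false, reason: 'xfo-deny' };
  if (directive === 'SAMEORIGIN') return { frameable: page === framer, reason: 'xfo-sameorigin' };
  // ALLOW-FROM was never honoured by Chrome or Safari and is obsolete: treat it as no protection.
  return {
    frameable: true,
    reason: directive === 'ALLOW-FROM' ? 'xfo-allow-from-unsupported' : 'xfo-invalid-value',
  };
}

// Constructed sample: a page sending a contradictory header set, checked against two framers.
function demo() {
  const headers = {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  };
  return {
    partner: framingVerdict(headers, 'https://bank.example', 'https://app.partner.example'),
    attacker: framingVerdict(headers, 'https://bank.example', 'https://attacker.example'),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In the constructed sample the CSP directive wins, so the partner subdomain may frame the page despite the DENY; a deployment that wants DENY everywhere must say so in both headers, since older browsers only read X-Frame-Options.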

4. Struts2/XWork remote command execution

The Apache Struts team has uploaded, but not yet released (due to an 
unreasonably prolonged voting process), version 2.2.0 of the Struts2 web 
framework, which fixes CVE-2010-1870, a vulnerability reported to the team 
on May 31st 2010. The flaw lets a crafted request parameter name be 
evaluated as an OGNL expression by XWork's ParametersInterceptor, giving 
remote command execution; upgrade as soon as 2.2.0 is available.

http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

5. HTML5, Local Storage, and XSS 

A nice new feature of HTML5 is local storage. Briefly, this is a client 
side storage option that can be easily accessed via JavaScript. The 
benefit of local storage over other client side storage options is that 
it allows more storage space than the alternatives (cookies, Flash 
objects, etc.). However, there are a few security considerations that 
should be evaluated before completely jumping on board with local storage: 
in particular, anything stored there is readable by any script running on 
the same origin, so a single XSS flaw exposes all of it, and there is no 
equivalent of the HttpOnly cookie flag to keep script away from it.

The complete article here:

http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
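To make the origin scoping concrete, here is an added example (not code from this newsletter or from the linked article): a small Node.js model of Web Storage in which one store exists per origin (scheme, host and port) and is shared by every page and script on that origin. It shows an XSS payload on an unrelated page of the same host reading a session token, a different origin and plain-HTTP page seeing nothing, and a stored display name turning into persistent XSS when rendered unescaped. The StorageModel class, the helper names and the sample site are constructed for illustration; in a browser, storageFor(url) is simply window.localStorage.

```javascript
'use strict';

// Added example, not code from the newsletter or the linked article.
// In-memory model of how browsers scope Web Storage: one store per ORIGIN
// (scheme + host + port), shared by every page, path and script on that origin.
// StorageModel, storageFor, exfiltrate and the sample site are constructed.

// Minimal stand-in for window.localStorage so the code below reads like browser code.
class StorageModel {
  constructor() { this.items = new Map(); }
  get length() { return this.items.size; }
  key(i) { const k = [...this.items.keys()][i]; return k === undefined ? null : k; }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(String(k), String(v)); }
  removeItem(k) { this.items.delete(k); }
  clear() { this.items.clear(); }
}

const storesByOrigin = new Map();

// The localStorage a page at pageUrl sees: keyed by origin, never by path.
function storageFor(pageUrl) {
  const origin = new URL(pageUrl).origin;
  if (!storesByOrigin.has(origin)) storesByOrigin.set(origin, new StorageModel());
  return storesByOrigin.get(origin);
}

// What a script injected anywhere on the origin can do. Unlike a cookie,
// no key can be marked HttpOnly, so every entry is readable.
function exfiltrate(pageUrl) {
  const ls = storageFor(pageUrl);
  const dump = {};
  for (let i = 0; i < ls.length; i++) {
    const k = ls.key(i);
    dump[k] = ls.getItem(k);
  }
  return dump;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Data read back from localStorage is untrusted: a value written once by an
// injected script (or any other script on the origin) is replayed on every
// later visit, so rendering it raw turns a one-off XSS into a persistent one.
function renderGreetingUnsafe(pageUrl) {
  const name = storageFor(pageUrl).getItem('displayName');
  return `<p>Welcome back, ${name === null ? 'guest' : name}</p>`;
}

function renderGreetingSafe(pageUrl) {
  const name = storageFor(pageUrl).getItem('displayName');
  return `<p>Welcome back, ${escapeHtml(name === null ? 'guest' : name)}</p>`;
}

// Constructed scenario: the account page stores a session token (a mistake) and a
// user-supplied display name; a forum page on the same host later runs an XSS payload.
function demo() {
  const account = storageFor('https://shop.example/account');
  account.setItem('session', 'sess-8f3a91c0');
  account.setItem('displayName', '<img src=x onerror="alert(document.domain)">');
  return {
    fromForum: exfiltrate('https://shop.example/forum/thread?id=42'),
    fromOtherOrigin: exfiltrate('https://evil.example/'),
    fromPlainHttp: exfiltrate('http://shop.example/'),
    unsafe: renderGreetingUnsafe('https://shop.example/'),
    safe: renderGreetingSafe('https://shop.example/'),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The practical rules that follow: keep session tokens in HttpOnly cookies rather than local storage, store only data you could afford to have read by any script on the origin, and treat everything read back as untrusted input to be escaped for the context it is rendered into.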

6. Spring Framework execution of arbitrary code

The Spring Framework provides a mechanism to use client-provided data to 
update the properties of an object. This mechanism allows an attacker to 
modify the properties of the class loader used to load the object (via 
'class.classloader'). This can lead to arbitrary code execution since, 
for example, an attacker can modify the URLs used by the class loader to 
point to locations controlled by the attacker. The issue is fixed in 
Spring 3.0.3 and 2.5.6.SEC02; regardless of version, controllers should 
restrict the fields a DataBinder may bind (allowedFields/disallowedFields) 
rather than letting request parameters drive arbitrary nested property 
paths.

http://www.springsource.com/security/cve-2010-1622

**************************************************************************************************************************************************
The professional association of OWASP Foundation Inc. is always free and 
open to anyone interested in learning more about application security. 
Prior to participating with OWASP, please review the Chapter Rules and the 
OWASP overview for some background. As a 501(c)(3) non-profit professional 
association, your support and sponsorship of a meeting venue and/or 
refreshments is tax-deductible, and all financial contributions can be made 
online using the online chapter donation button. We encourage organisations 
and individual supporters of our ethics & principles to become a voting 
MEMBER. More information on how to become a member can be found here: 
http://www.owasp.org/Membership
**************************************************************************************************************************************************

