[Owasp-kansascity] OWASP Newsletter #2 - January 8th 2006 to January 15th 2006

Tom Stripling tstripling at securityps.com
Tue Jan 16 11:29:27 EST 2007


I imagine everyone on this list received the OWASP newsletter.  If not,
you'll find it below.  One of the links points to a write-up of a
possible solution to the Adobe Reader XSS issue we've been hearing about
recently.  OWASP has published a way to prevent the attack by forcing
any requests to PDF files to go through a Java filter.  The details are
here:
 
https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
 
Obviously, this only works if you're on a server running a Java
application.  I managed to find some code for .NET as well:
 
http://www.techplay.net/
 
 
But what if you're trying to prevent the attack on a server with only
static content or applications written in something other than Java or
.NET?  There are other ways to reduce your risk.  You can instruct the
browser to download the file instead of opening it in the vulnerable
Adobe plug-in by adding HTTP headers to the response (for PDF documents
only):
 
Content-Type: application/octet-stream
Content-Disposition: attachment
 
These headers both tell the browser that the file is a download and
should not be opened in the plug-in.  There is still a risk that the
browser will ignore these headers and open the file in the Adobe plug-in
anyway, but this should prevent the attack in all modern and/or
mainstream browsers.  I haven't tested some of the older ones, so let me
know if you do.  This approach isn't foolproof, but it's a quick way to
drastically reduce the risk of the attack.
 
Hope this helps,
Tom

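An added example, not code from the original post: a small WSGI wrapper that applies the two response headers Tom describes to PDF responses only (the static-content case), plus a checker a defender can run over any response's headers to confirm the file will be offered as a download rather than handed to the browser plug-in. All function names are this example's own, and the static app is a constructed stand-in for a file server.

```python
# Added example, not from the original post: a WSGI wrapper that applies the two
# response headers Tom describes to PDF responses only, plus a checker a
# defender can run over any response's headers. All names here are this
# example's own; the static app is a constructed stand-in for a file server.
from wsgiref.simple_server import make_server
import mimetypes

def forces_download(headers):
    """True when the headers tell the browser to save the file rather than
    hand it to a plug-in: disposition 'attachment' and a non-PDF type."""
    h = {k.lower(): v for k, v in headers}
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return disp == "attachment" and ctype != "application/pdf"

def pdf_download_middleware(app):
    """Rewrite the headers of every response whose path ends in .pdf."""
    def wrapped(environ, start_response):
        is_pdf = environ.get("PATH_INFO", "").lower().endswith(".pdf")
        def sr(status, headers, exc_info=None):
            if is_pdf:  # drop any existing values, then set the pair
                headers = [(k, v) for k, v in headers if k.lower()
                           not in ("content-type", "content-disposition")]
                headers += [("Content-Type", "application/octet-stream"),
                            ("Content-Disposition", "attachment")]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped

def static_app(environ, start_response):
    """Constructed stand-in for a static file server (fake bodies)."""
    path = environ.get("PATH_INFO", "/")
    ctype = mimetypes.guess_type(path)[0] or "text/plain"
    start_response("200 OK", [("Content-Type", ctype)])
    return [b"%PDF-1.4 constructed" if path.endswith(".pdf") else b"<html></html>"]

def response_headers(app, path):
    """Run one GET through a WSGI app and return (status, headers)."""
    captured = {}
    def sr(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, sr))
    return captured["status"], captured["headers"]

app = pdf_download_middleware(static_app)

if __name__ == "__main__":  # serve locally to try it in a browser
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Point `forces_download` at the header list of a real response (for example from `http.client`) to verify a production server sends both headers for its PDFs.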
________________________________

From: owasp-all-bounces at lists.owasp.org
[mailto:owasp-all-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Tuesday, January 16, 2007 6:37 AM
To: owasp-all at lists.owasp.org
Subject: OWASP Newsletter #2 - January 8th 2006 to January 15th 2006



Hello, here is another newsletter with tons of links and information
about what is happening at OWASP (you can also read it online:
https://www.owasp.org/index.php/OWASP_Newsletter_2 ). 

If you want something to appear in the next version, feel free to add it
to OWASP Newsletter 3
<https://www.owasp.org/index.php/OWASP_Newsletter_3>

Dinis Cruz
Chief OWASP Evangelist
London, UK


OWASP Newsletter #2 - January 8th 2006 to January 15th 2006



Contents


*	1 OWASP News
<https://www.owasp.org/index.php/OWASP_Newsletter_2#OWASP_News>
*	2 Featured Projects
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Featured_Projects>
*	3 Featured Story: Two free Java EE filters for CSRF, Reflected
XSS, and Adobe XSS
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Featured_Story:_Two_free_Java_EE_filters_for_CSRF.2C_Reflected_XSS.2C_and_Adobe_XSS>
*	4 Featured Story: "Automated Scanner vs. The OWASP Top Ten"
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Featured_Story:_.22Automated_Scanner_vs._The_OWASP_Top_Ten.22>
*	5 Latest Blog Entries from blogs.owasp.org
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Latest_Blog_Entries_from_blogs.owasp.org>
*	6 Latest additions to the WIKI
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Latest_additions_to_the_WIKI>
*	7 OWASP Community
<https://www.owasp.org/index.php/OWASP_Newsletter_2#OWASP_Community>
*	8 Application Security News (from Owasp.org)
<https://www.owasp.org/index.php/OWASP_Newsletter_2#Application_Security_News_.28from_Owasp.org.29>
*	9 OWASP references in the Media
<https://www.owasp.org/index.php/OWASP_Newsletter_2#OWASP_references_in_the_Media>


OWASP News 


*	ORG (OWASP Report Generator)
<https://www.owasp.org/index.php/ORG_%28OWASP_Report_Generator%29> -
New release of ORG Installer
<http://sourceforge.net/project/downloading.php?group_id=64424&use_mirror=osdn&filename=ORG_v0.88.msi%7C> (1/15/2007)
*	OWASP Live CD
<http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD> Beta Release - Download it from http://www.packetfocus.com/hackos
<http://www.packetfocus.com/hackos%7C>





Featured Projects 


*	OWASP WebScarab NG Project
<https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project>  - Rogan
has been very busy on the new version of WebScarab, which is not
complete, but is already in a very usable state (I already prefer it to
the current version). Rogan needs your help in testing this version and
sending in your comments. Quote from OWASP WebScarab NG Project
<https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project> :
WebScarab-NG is a complete rewrite of the old WebScarab application,
with a special focus on making the application more user-friendly. To
this end, WebScarab-NG makes use of the Spring Rich Client Platform to
provide the user interface features. By using the Spring Rich Client
Platform, WebScarab-NG automatically gains things like default buttons,
keyboard shortcuts, support for internationalisation, etc. 

*	Category:OWASP Testing Project
<https://www.owasp.org/index.php/Category:OWASP_Testing_Project> - As
per my last email to you, we have started a review process for the new
version of the OWASP Testing Guide v2 (which you can read online at
Testing Guide v2 wiki - 'Release Candidate 1'
<http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents>
or view it in Adobe PDF format
<http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_pdf.zip>
or MS Doc format
<http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_doc.zip>). If you want to participate in this review see the
OWASP_Testing_Project_v2.0_-_Review_Guidelines
<https://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines> page.

*	Category:OWASP CAL9000 Project
<https://www.owasp.org/index.php/Category:OWASP_CAL9000_Project>  - This
project is a great resource to (amongst other things) understand and
exploit XSS. Quote: CAL9000 is a collection of web application security
testing tools that complement the feature set of current web proxies and
automated scanners. CAL9000 gives you the flexibility and functionality
you need for more effective manual testing efforts. Works best when used
with Firefox or Internet Explorer. 






Featured Story: Two free Java EE filters for CSRF, Reflected XSS, and
Adobe XSS


OWASP contributors from Aspect Security <http://www.aspectsecurity.com/>
have developed two new Java EE filters to protect against common web
attacks. Just add a few lines to your web.xml file and enjoy the
protection. 

	CSRF and Reflected XSS Filter for Java EE
<https://www.owasp.org/index.php/CSRF_Guard>  
	This filter adds a random token to forms and URLs that prevent
an attacker from executing both CSRF
<https://www.owasp.org/index.php/CSRF>  and reflected XSS
<https://www.owasp.org/index.php/XSS>  attacks. 

	Adobe XSS Filter for Java EE
<https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE>  
	This filter protects against the recent XSS attacks on PDF
files. By using a redirect and an encrypted token, this filter ensures
that dangerous attacks are not passed into the Adobe reader plugin. 






Featured Story: "Automated Scanner vs. The OWASP Top Ten"


Apart from some shameless marketing, plus its real intention with this
paper
<http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2007/0004502553&EDATE=>, WhiteHat Security has published a good
paper on the limitations of Web Application Security Scanners'
capabilities to detect the OWASP Top 10
<https://www.owasp.org/index.php/OWASP_Top_Ten_Project> vulnerabilities
(which, btw, all vendors claim they do). I actually think that the
examples are quite basic, but they are good enough for the argument
presented.

You can download this paper from [1]
<http://www.whitehatsec.com/home/assets/OWASPTop10ScannersF.pdf>

Quote: "The OWASP Top Ten is a list of the most critical web application
security flaws - a list also often used as a minimum standard for web
application vulnerability assessment (VA) and compliance. There is an
ongoing industry dialog about the possibility of identifying the OWASP
Top Ten in a purely automated fashion (scanning). People frequently ask
what can and can't be found using either white box or black box
scanners. This is important because a single missed vulnerability, or
more accurately exploited vulnerability, can cause an organization
significant financial harm. Proper expectations must be set when it
comes to the various vulnerability assessment solutions." 

Note: I haven't seen any Web App Scanner vendor responses, so if you
spot one let me know.






Latest Blog Entries from blogs.owasp.org 


*	from Eoin Keary <http://blogs.owasp.org/eoinkeary/> blog

	*	OWASP Testing Guide v2.0
<http://blogs.owasp.org/eoinkeary/2007/01/11/owasp-testing-guide-v20/>,
January 11th, 2007
	*	OWASP Code review Guide
<http://blogs.owasp.org/eoinkeary/2007/01/03/owasp-code-review-guide/>,
January 3rd
	*	innerHTML and eval - Javascript/Ajax attacks - 101
<http://blogs.owasp.org/eoinkeary/2007/01/03/innerhtml-and-eval-javascriptajax-attacks-101/>, January 3rd, 2007
	*	What Next for App Sec (Contd) - Gmail exploit
<http://blogs.owasp.org/eoinkeary/2007/01/02/what-next-for-app-sec-contd-gmail-exploit/>, January 2nd, 2007
	*	OWASP Live CD
<http://blogs.owasp.org/eoinkeary/2007/01/02/owasp-live-cd/>, January
2nd, 2007
	*	What next for app Sec
<http://blogs.owasp.org/eoinkeary/2007/01/02/what-next-for-app-sec/>,
January 2nd, 2007

*	from Life of an OWASP Chapter Leader
<http://blogs.owasp.org/seba/> blog

	*	The OWASP Chapter Leader Handbook
<http://blogs.owasp.org/seba/2007/01/06/the-owasp-chapter-leader-handbook/>, January 6th, 2007
	*	PHP (in)security
<http://blogs.owasp.org/seba/2006/12/15/php-insecurity/>, December 15th
	*	Poll results of last year
<http://blogs.owasp.org/seba/2006/12/15/poll-results-of-last-year/>,
December 15th
	*	So you want to become a chapter leader?
<http://blogs.owasp.org/seba/2006/12/14/so-you-want-to-become-a-chapter-leader/>, December 14th

*	from On Security <http://blogs.owasp.org/mike/> blog

	*	Good Development Leads to Good Security
<http://blogs.owasp.org/mike/2007/01/09/good-development-leads-to-good-security/>, January 9th, 2007

*	from HTTP SOAP Pen Testing <http://blogs.owasp.org/webservices/>
blog

	*	Pen Testing Web Services
<http://blogs.owasp.org/webservices/2006/12/13/hello-world/>, December
13th






Latest additions to the WIKI 


New pages 

*	OWASP Testing Project v2.0 - Review Guidelines
<https://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines> - Support page for the OWASP Testing Project V2.0 Review
effort where you will find more details on how to participate in this
collaborative review process.
*	Chapter Leader Handbook
<https://www.owasp.org/index.php/Chapter_Leader_Handbook> - Handbook
for new and experienced chapter leaders on leading an active chapter
community.
*	OWASP WebScarab NG Project
<https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project> - Rogan
details his work on the new version of WebScarab
*	Phoenix/Tools <https://www.owasp.org/index.php/Phoenix/Tools> -
Good list of Web App Sec tools
*	Eoin has been quite busy this week working on the new version of
the Category:OWASP Code Review Project
<https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project>

	*	Logging issues
<https://www.owasp.org/index.php/Logging_issues>
	*	Reviewing Code for Buffer Overruns and Overflows
<https://www.owasp.org/index.php/Reviewing_Code_for_Buffer_Overruns_and_Overflows>
	*	Reviewing Code for OS Injection
<https://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection>
	*	Reviewing Code for Data Validation
<https://www.owasp.org/index.php/Reviewing_Code_for_Data_Validation>
	*	Reviewing Code for Logging Issues
<https://www.owasp.org/index.php/Reviewing_Code_for_Logging_Issues>
	*	Reviewing The Secure Code Environment
<https://www.owasp.org/index.php/Reviewing_The_Secure_Code_Environment>
	*	Chapters Assigned
<https://www.owasp.org/index.php/Chapters_Assigned>
	*	just starting SQL Injection Cookbook template
<https://www.owasp.org/index.php/SQL_Injection_Cookbook_template>, SQL
Injection Cookbook - Oracle
<https://www.owasp.org/index.php/SQL_Injection_Cookbook_-_Oracle>,
Preface <https://www.owasp.org/index.php/Preface>, Reasons for using
automated tools
<https://www.owasp.org/index.php/Reasons_for_using_automated_tools>,
Education and cultural change
<https://www.owasp.org/index.php/Education_and_cultural_change>, Tool
Deployment Model <https://www.owasp.org/index.php/Tool_Deployment_Model>


Edited Pages 

*	OWASP_AppSec_Conference_Sponsors
<https://www.owasp.org/index.php/OWASP_AppSec_Conference_Sponsors>  -
for you if you want to sponsor one of the next OWASP conferences
<https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference> .
Quote from page: "OWASP is accepting sponsorships for the 2007 OWASP
Conferences. Financial sponsorship for a conference will help defray the
non-profit OWASP Foundation's expenses to prepare for and hold this
conference." 
*	Chapter updates: New_Zealand
<https://www.owasp.org/index.php/New_Zealand>  , Denver
<https://www.owasp.org/index.php/Denver> , Washington DC
<https://www.owasp.org/index.php/Washington_DC>  
*	Membership <https://www.owasp.org/index.php/Membership>  
*	Securing tomcat
<https://www.owasp.org/index.php/Securing_tomcat>  
*	Cross-Site Request Forgery
<https://www.owasp.org/index.php/Cross-Site_Request_Forgery>  
*	Chapter Rules <https://www.owasp.org/index.php/Chapter_Rules>  
*	OWASP Autumn of Code 2006 - Projects: Web Goat
<https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat>






OWASP Community 


*	Feb 13 (18:00h) - Ireland chapter meeting
<https://www.owasp.org/index.php/Ireland>  

*	Feb 6 (18:00h) - Melbourne chapter meeting
<https://www.owasp.org/index.php/Melbourne>  

*	Jan 31 (15:00h) - Mumbai chapter meeting
<https://www.owasp.org/index.php/Mumbai>  

*	Jan 30 (11:30h) - Austin chapter meeting
<https://www.owasp.org/index.php/Austin>  

*	Jan 25 (14:30h) - Italy at ISACA Rome
<https://www.owasp.org/index.php/Italy#October_25th.2C_2007_-_Isaca_Rome>

*	Jan 23 (18:00h) - Belgium chapter meeting
<https://www.owasp.org/index.php/Belgium>  

*	Jan 22 (18:00h) - Rochester chapter meeting
<https://www.owasp.org/index.php/Rochester>  

*	Jan 17 (18:30h) - Denver chapter meeting
<https://www.owasp.org/index.php/Denver>  

*	Jan 16 (17:45h) - Edmonton chapter meeting
<https://www.owasp.org/index.php/Edmonton>  





Application Security News (from Owasp.org) 


	Jan 10 - Vulnerability Disclosure: The Good, the Bad and the
Ugly <http://www2.csoonline.com/exclusives/column.html?CID=28072>
	More than a decade into the practice of vulnerability
disclosure, where do we stand? Are we more secure? Or less? Three good
articles: Microsoft: Responsible Vulnerability Disclosure Protects Users
<http://www2.csoonline.com/exclusives/column.html?CID=28071>,
Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good
Idea' <http://www2.csoonline.com/exclusives/column.html?CID=28073>, The
Vulnerability Disclosure Game: Are We More Secure?
<http://www2.csoonline.com/exclusives/column.html?CID=28072> and The
Chilling Effect <http://www.csoonline.com/read/010107/fea_vuln.html>





OWASP references in the Media 


*	Automated Scanning vs. The OWASP Top Ten
<http://www.net-security.org/article.php?id=970>, Help Net Security,
Croatia - Jan 11, 2007
*	AJAX, Design, and Mobile Devices
<http://br.sys-con.com/read/264922.htm>, SYS-CON Media, NJ - Jan 10,
2007
*	Hot or Not: Web application vulnerabilities
<http://scmagazine.com/us/news/article/623765/hot-not-web-application-vulnerabilities>, SC Magazine, UK - Dec 28, 2006
*	Sprajax Author - AJAX Security Tool - To Speak at AJAXWorld 2007
<http://au.sys-con.com/read/322897.htm>, SYS-CON Media, NJ - Jan 13,
2007
*	Web application security vulnerabilities by the numbers
<http://www.computerweekly.com/Articles/2007/01/11/221120/web-application-security-vulnerabilities-by-the-numbers.htm>, ComputerWeekly.com, UK
- Jan 11, 2007
*	This one is actually a mistake from PSC Group LLC, since there
is currently no relationship between them and OWASP (note: I emailed them
and they corrected this on their website): Fujitsu's GlobalSTORE Software
Completes Visa's Payment ...
<http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070109005299&newsLang=en>, Business Wire (press
release), CA - Jan 9, 2007 (there is a major typo in this article (OWASP
related), see if you can spot it :) )
*	WhiteHat Security Announces Risk-Free Competitive Trade-Up
Program
<http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2007/0004502553&EDATE=>, PR Newswire (press release), NY - Jan 9,
2007
