[Owasp-london] Next meeting: December 4th, KPMG, Canary Wharf

Ivan Ristic ivanr at webkreator.com
Wed Nov 12 09:35:26 EST 2008


We have only three weeks to go until our next meeting, which is going to 
be held on December 4th (Thursday).

This meeting is not to be missed: not only we have two excellent talks, 
which were originally presented at Black Hat US earlier this year (see 
below for details), but we are going to have Dinis tell us everything 
about the first OWASP Summit, which was held last week in Portugal. I am 
sure he is going to make all of us who didn't attend very, very sorry 
for not being there.

On top of this, this next meeting is going to be the last one I will be 
organising, so please come to make me feel worm and fuzzy!

The location is the same as for the previous meeting:

     KPMG, 39th Floor, One Canada Sq, E14 5AG

We are going to start the meeting slightly earlier this time, at 6.30pm.

As previously mentioned, on this next meeting we are also going to have 
more time to talk and network.

If you are planning to attend please send an email to Hayley Green from 
KPMG (hayley.green at kpmg.co.uk) and CC me (ivanr at webkreator.com).

Thanks!


Schedule
--------

Justin Clarke: SQL Injection Worms for Fun and Profit

Earlier this year the first (publicly known) SQL Injection worm
appeared. This worm used SQL Injection to insert malicious scripting
tags into the pages of over 90,000 sites that were vulnerable to SQL
injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy
to block. In other words, very much version 0.1 of what a SQL Injection
worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL
injection based worms, including full compromise of the server OS, and
why we should be worried by what is going to be coming next out of
Russia/China/wherever, including a live demo of a proof of concept SQL
injection worm, "weaponized".

Dinis Cruz: OWASP Summit 2008 Report

The OWASP Summit 2008 has been a great success. Dinis, also known as 
Chief OWASP Evangelist, is going to tell us what we've missed.

Justin Clarke: Protecting Vulnerable Applications with IIS7

With the advent of IIS7 and its modular design, Microsoft has provided
the ability to easily integrate custom ASP.NET HttpModules into the IIS7
request-handling pipeline. This session will present an IIS7 module
designed to leverage this architecture to actively and dynamically
protect web applications from attack. With minimal configuration, the
module can be used to protect virtually any application running on the
web server, including non-ASP.NET applications (such as those written in
PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of
the module, including a detailed explanation of available features and
attack defense techniques. The session will focus on live demonstrations
of how the module can easily be installed to protect already-deployed
applications and how it can block both traditional web application
attacks, such as SQL injection and Cross-Site Scripting, and
application-specific vulnerabilities like parameter manipulation and
authorization attacks.


About Justin:

Justin is a Principal Consultant with Gotham Digital Science. He is the
co-author of "Network Security Tools" (O'Reilly, 2005), a contributing
author to "Network Security Assessment" (O'Reilly, 2007), and has spoken
at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years
of security testing and consulting experience in network, application,
source code and wireless testing work for some of the largest commercial
and government organizations in the United States, United Kingdom, and
New Zealand. Justin is active in developing security tools for
penetrating and defending applications, servers, and wireless networks
(e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything
alone without at least trying to see how it works.

-- 
Ivan Ristic




More information about the Owasp-london mailing list