[Owasp-sanfran] OWASP San Francisco Meeting September 21st

Brian Christian bchristian at spidynamics.com
Fri Sep 1 03:27:36 EDT 2006

On September 21st, 2006 we will hold our first formal meeting. Time and
coordinates for the meeting are below.
WHAT: The re-inaugural San Francisco OWASP Chapter Meeting. 

WHEN: September 21st, 2006
	5:30-6:00    Social - Food and Drinks
	6:00-6:15    Chapter Announcements
	6:15-7:15    Presentation I - Alex Stamos
	7:15-7:30    Q and A / Stretch Break
	7:30-8:30    Presentation II - Jeremiah Grossman
	8:30-8:45    Q and A / Wrap Up

WHERE: iSEC Partners offices, located at 115 Sansome Street, Suite 1005
(10th Floor), San Francisco, CA (http://www.isecpartners.com)

WHY: To network, socialize and learn more about Web Application Security

WHO: Brian Christian, the Chapter president, will give chapter details.
Alex Stamos, founding partner of iSEC Partners, and Jeremiah Grossman,
founder and Chief Technology Officer of WhiteHat Security, will both
speak about AJAX Security and JavaScript Malware. These are the same
presentations that they gave in Las Vegas at BlackHat, so if you missed
them there, here's your second chance! Refreshments and hors d'oeuvres will
be provided. Parking, of course, will NOT be validated. See below for the
speakers' details.


Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
Alex Stamos, Principal Partner, iSEC Partners

The Internet industry is currently riding a new wave of investor and
consumer excitement, much of which is built upon the promise of "Web
2.0" technologies giving us faster, more exciting, and more useful web
applications. One of the fundamentals of "Web 2.0" is known as
Asynchronous JavaScript and XML (AJAX), which is an amalgam of
techniques developers can use to give their applications the level of
interactivity of client-side software with the platform-independence of

Unfortunately, there is a dark side to this new technology that has not
been properly explored. The tighter integration of client and server
code, as well as the invention of much richer downstream protocols that
are parsed by the web browser, have created new attacks and have made
classic web application attacks more difficult to prevent.

We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter
tampering and object serialization attacks in AJAX applications, and
will publicly release an AJAX-based XSRF attack framework. We will also
be releasing a security analysis of several popular AJAX frameworks,
including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include
live demos against vulnerable web applications, and will be appropriate
for attendees with a basic understanding of HTML and JavaScript.


Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic
digital security organization. Alex is an experienced security engineer
and consultant specializing in application security and securing large
infrastructures, and has taught multiple classes in network and
application security. He is a leading researcher in the field of web
application and web services security and has been a featured speaker at
top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan,
Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University
of California, Berkeley.


Hacking Intranet Websites from the Outside "JavaScript malware just got
a lot more dangerous"
Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.

Imagine you're visiting a popular website and invisible JavaScript
exploit code steals your cookies, captures your keystrokes, and monitors
every web page that you visit. Then, without your knowledge or consent,
your web browser is silently hijacked to transfer out bank funds, hack
other websites, or post derogatory comments in a public forum. No
traces, no tracks, no warning sirens. In 2005's "Phishing with
Superbait" presentation we demonstrated that all these things were in
fact possible using nothing more than some clever JavaScript. And as bad
as things are already, further web application security research is
revealing that outsiders can also use these hijacked browsers to exploit
intranet websites.

Most of us assume while surfing the Web that we are protected by
firewalls and isolated through private NAT'ed IP addresses. We assume
the soft security of intranet websites and that the Web-based interfaces
of routers, firewalls, printers, IP phones, payroll systems, etc. even
if left unpatched, remain safe inside the protected zone. We believe
nothing is capable of directly connecting in from the outside world.
Right? Well, not quite.

Web browsers can be completely controlled by any web page, enabling them
to become launching points to attack internal network resources. The web
browser of every user on an enterprise network becomes a stepping stone
for intruders. Now, imagine visiting a web page that contains JavaScript
malware that automatically reconfigures your company's routers or
firewalls, from the inside, opening the internal network up to the whole
world. Even worse, common Cross-Site Scripting vulnerabilities make it
possible for these attacks to be launched from just about any website we
visit, and especially those we trust. The age of web application security
malware has begun, and it's critical that we understand what it is and how
to defend against it.

During this presentation we'll demonstrate a wide variety of
cutting-edge web application security attack techniques and describe
best practices for securing websites and users against these threats.

You'll see:

Port scanning and attacking intranet devices using JavaScript
Blind web server fingerprinting using unique URLs
Discovering NAT'ed IP addresses with Java Applets
Stealing web browser history with Cascading Style Sheets

Best-practice defense measures for securing websites
Essential habits for safe web surfing

Jeremiah Grossman is the founder and Chief Technology Officer of
WhiteHat Security (http://www.whitehatsec.com), where he is responsible
for web application security R&D and industry evangelism. As a
well-known and internationally recognized security expert, Mr. Grossman
is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and
many other industry events. Mr. Grossman's research, writing, and
interviews have been published in dozens of publications including USA
Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and
BetaNews. Mr. Grossman is also a founder of the Web Application Security
Consortium (WASC), as well as a contributing member of the Center for
Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr.
Grossman was an information security officer at Yahoo!, responsible for
performing security reviews on the company's hundreds of websites.
