So I’m back from the OWASP New Jersey meeting at Verizon. One word - wow. It was a lot different than I thought it would be. I’ve been to dozens of OWASP meetings, and they really vary. I think the smallest meeting I’ve been to was 10 people and now the biggest was the OWASP New Jersey meeting, run by Tom Brennan. The crowd was filled with suits (for once I felt like one of the least well dressed people in the room). Lots of people from local industry (telcom, healthcare, etc…) as well as various three letter agencies.
One thing that came up (that I had known about for a while, but for some reason it’s just not been made super public yet) was some of the work Arian Evans has been doing with HTTP Response splitting. When he started working with it he realized that he was inadvertantly taking out huge chunks of the site with his own content. After some debugging he realized he was hitting caching servers (a la Amit Klein’s work). But there are two nasty things about that that go above and beyond what we knew before.
The first is that it can re-write the caching headers, so that instead of a 5 minute time-out like you intended for your caching server to use, it can be upped to months or years, causing a much larger problem. The second is that is not a one to one, but a one to many relationship. That is, you can take over pages that are well beyond the reach that you normally have - including pages you don’t technically have access to, which can potentially give you access to anything under any user (ultimate persistent XSS). Super nasty! So yah, I wasn’t sure how quiet that was, but Arian finally let the cat out of the bag, so there it is.
So it was a really good conference all in all and definitely worth the hellish travel schedule to get out there. It’ll probably be smaller than the global OWASP meeting in November, of course, but for a simple regional meeting it was really impressive. I also hear rumors of a World CON in New York City next year. I for one, am looking forward to it.