web application security lab

OWASP New Jersey

So I’m back from the OWASP New Jersey meeting at Verizon. One word - wow. It was a lot different than I thought it would be. I’ve been to dozens of OWASP meetings, and they really vary. I think the smallest meeting I’ve been to was 10 people and now the biggest was the OWASP New Jersey meeting, run by Tom Brennan. The crowd was filled with suits (for once I felt like one of the least well dressed people in the room). Lots of people from local industry (telecom, healthcare, etc…) as well as various three letter agencies.

One thing that came up (that I had known about for a while, but for some reason it’s just not been made super public yet) was some of the work Arian Evans has been doing with HTTP Response splitting. When he started working with it he realized that he was inadvertently taking out huge chunks of the site with his own content. After some debugging he realized he was hitting caching servers (a la Amit Klein’s work). But there are two nasty things about it that go above and beyond what we knew before.

The first is that it can re-write the caching headers, so that instead of the 5 minute time-out you intended your caching server to use, it can be upped to months or years, causing a much larger problem. The second is that it is not a one-to-one but a one-to-many relationship. That is, you can take over pages that are well beyond the reach you normally have - including pages you don’t technically have access to, which can potentially give you access to anything under any user (ultimate persistent XSS). Super nasty! So yah, I wasn’t sure how quiet that was, but Arian finally let the cat out of the bag, so there it is.
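To make the two points above concrete, here is an added example (not code from the original post, and not Arian’s or Amit’s work): a constructed redirect handler that copies a user-supplied value into a header, the hardened version that refuses CR/LF in header values, and a small parser that reads a raw response stream the way a naive cache would, flagging a stream that carries more than one response or a Cache-Control max-age longer than the application is meant to emit. The request value, the 300 second intended lifetime and the header layout are all constructed for the demo.

```python
"""Added example: HTTP response splitting seen from the defender's side.

Constructed demo, not code from the original post. Shows (1) how a CR/LF in a
header value turns one response into two, so an injected Cache-Control can
replace the intended 5 minute max-age, (2) the input check that closes it, and
(3) an audit that spots a split stream or an oversized max-age.
"""
import re
from typing import Dict, List, Optional

CRLF = "\r\n"
INTENDED_MAX_AGE = 300  # the "5 minute" cache lifetime the application intends


def build_redirect_unsafe(target: str) -> str:
    # Vulnerable: a user-supplied value is copied straight into a header line.
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: {target}{CRLF}"
            f"Cache-Control: max-age={INTENDED_MAX_AGE}{CRLF}{CRLF}")


def is_safe_header_value(value: str) -> bool:
    # RFC 7230 field values never contain a bare CR or LF; reject both.
    return re.search(r"[\r\n]", value) is None


def build_redirect_safe(target: str) -> str:
    # Hardened: refuse the value instead of trying to "clean" it.
    if not is_safe_header_value(target):
        raise ValueError("CR/LF not allowed in a header value")
    return build_redirect_unsafe(target)


def split_responses(raw: str) -> List[Dict]:
    """Parse a raw stream the way a naive cache would: every
    'status line + headers + blank line (+ Content-Length body)' is one response."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].split(CRLF)
        status = lines[0]
        if not status.startswith("HTTP/"):
            break  # trailing bytes that are not a response; stop here
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = head_end + len(CRLF + CRLF)
        body = raw[body_start:body_start + body_len]
        responses.append({"status": status, "headers": headers, "body": body})
        pos = body_start + body_len
    return responses


def max_age(headers: Dict[str, str]) -> Optional[int]:
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    return int(m.group(1)) if m else None


def audit(raw: str, limit: int = INTENDED_MAX_AGE) -> List[str]:
    """Detection: flag a stream carrying more than one response, and any
    response whose max-age exceeds what the application is meant to emit."""
    findings = []
    resps = split_responses(raw)
    if len(resps) > 1:
        findings.append(f"{len(resps)} responses in one stream (split)")
    for i, r in enumerate(resps):
        age = max_age(r["headers"])
        if age is not None and age > limit:
            findings.append(f"response {i}: max-age {age} exceeds {limit}")
    return findings


# Constructed input: a redirect target carrying CR/LF, a terminated first
# response and a second one that asks to be cached for a year.
INJECTED = ("/home" + CRLF + "Content-Length: 0" + CRLF + CRLF +
            "HTTP/1.1 200 OK" + CRLF + "Cache-Control: max-age=31536000" + CRLF +
            "Content-Length: 9" + CRLF + CRLF + "poisoned!")

if __name__ == "__main__":
    print(audit(build_redirect_unsafe("/home")))    # clean stream: []
    print(audit(build_redirect_unsafe(INJECTED)))   # split + oversized max-age
    print(is_safe_header_value(INJECTED))           # False: the safe builder refuses it
```

The audit is the part worth keeping around: running it over responses captured in front of the cache (or over the cache’s own stored objects) gives a cheap check for the two symptoms the post describes, an extra response riding along in a stream and a max-age far beyond what the application ever sets.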

So it was a really good conference all in all and definitely worth the hellish travel schedule to get out there. It’ll probably be smaller than the global OWASP meeting in November, of course, but for a simple regional meeting it was really impressive. I also hear rumors of a World CON in New York City next year. I, for one, am looking forward to it.

Update: I should go back and read all the old Amit papers. He came up with all of this stuff years ago. Is there anything that guy hasn’t done? His two papers are here and here.

7 Responses to “OWASP New Jersey”

  1. kuza55 Says:

    I posted some stuff about poisoning the browser cache on pages you don’t actually have an XSS on last year….only to get an email from Amit saying that he’d written about how to attack even trickier situations in the original paper he released in 2004: http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

    Which contains what you described and much more…..

  2. hackathology Says:

    Rsnake, where is that paper Arian published? Is it out on the internet yet?

    Kuza55, I read that paper last year; it was well informative.

  3. jinxpuppy Says:

    Glad you enjoyed our event! Thanks for being a speaker - see ya in WASC/OWASP San Jose event at eBay!

  4. Cathy Says:

    RSnake, is your presentation at the meeting published? can you post the link? Thanks!

  5. Mark Meyer Says:

    Quick Question - you had a slide at OWASP describing a “Contextual Density Matrix” on click points/mouse overs on a website. Who provides such a product or service? Thanks.

  6. Arian Says:

    Nothing too formal yet. I put a snippet in the WhiteHat Sentinel Newsletter. The page isn’t indexed so simply search or scroll down to:

    “WhiteHat Sentinel Update - July 2007”

    http://www.whitehatsec.com/home/resources/newletters/update.html

    There are just high-level notes about this, sans technical details. The whole important point of this is that Amit and I had debated this topic for some time, and I thought he was out to lunch about cache poisoning and it turns out I was wrong. It’s out there and the effects can be huge.

    I’m working on a major script-injection paper for 2008 release. I’ve pretty much dropped other research projects for this. It will get dropped at a BH next year, or if I don’t get into BH, I’ll drop it at RSA 2008.

  7. RSnake Says:

    @Mark - that photo was from clickdensity.com but unless they own a patent on the technology, it’s pretty easy to do that with JavaScript (you can just pull the JS from their site to see how they do it). The only vaguely tough part would be the backend. It’s a cool technology, just very simple to build.