web application security lab

OWASP/WASC Appsec 2007 Wrap-up

Whelp, I’m finally back from the OWASP conference. I feel completely beat up (like I felt after DefCon this year). In a good way, of course, just too much stuff going on. Let’s focus on some highlights, shall we? There were tons of big names in the webappsec space there in full force. Not the least of which, that I had wanted to meet up with were Samy (a la Samy worm), pdp, Jeremiah Grossman, Dinis Cruz, Stefano Di Paola, Ryan Barnett, Shreeraj Shah, Tom Brennan and many more…

One noteworthy speech was from the work by Tom Stripling, where he was able to turn the gmodules.com XSS exploit into a Google.com exploit. I guess perhaps Google should read their own definition of cross site scripting that they quoted to me about this very same issue. Not to gloat too much but I really hope Google enjoys that slice of humble pie. I don’t consider myself to be Google’s enemy, but when companies don’t listen, they have no one to blame but themselves. That said, I did talk to Google while I was there, and they expressed an interest to work more closely together going forward. As always, I’m a sucker for level headed thinking, so hopefully something good will come of that (more on that in a minute). Hopefully Tom will send me some technical detail that I can publish to go into more detail about how it worked.

Ryan Barnett had a really interesting speech on how OWASP has set up a fairly large network of honeypot proxies to watch and log bad guys attacking others. It wasn’t that that part was interesting (we’ve known for a long time that you shouldn’t consider proxies to be a good way to anonymize yourself) but the data that he logged was really interesting - specifically the use of these networks for click fraud.

My speech went well - I thought it was supposed to be a 40 minute speech (all the others were scheduled for 40 minutes, but mine was scheduled for over an hour). So I had looots of time for Q&A. Whoops! My speech was about how browsers had been insecure in the past and how that evolved into what we know. I also gave some long term suggestions (which probably deserve a separate post, to be honest). There were some good questions asked, and I managed to convince everyone that I knew what I was talking about. What struck me was that not that many people in the webappsec space really knew much about browsers. It’s the other half of what we work on, so I think it’s critical that we keep a close eye on what browsers are doing and how they are evolving to help us be secure.

While I was there several people asked me to head up a browser security group, probably with six or seven members (to keep it lean, mean and potent). But the likely people involved will be a representative from two or three browser manufacturers (IE, FF and maybe Safari if we can find someone who’s interested over there) as well as a few large companies with web presence (like eBay and Google - both of whom have expressed interest). Perhaps we can push forward some of the changes I have been talking about for three or more years.

Samy’s speech was by far the best one I attended - not for the technical meat, because I think we are all pretty educated on the technical details by now, but because the story was just hilarious. Jeremiah and I got a picture with him wearing “Samy is my hero” shirts. I haven’t laughed that hard in a long time! But to quote a sanitized version of what one guy said, “Samy knew nothing about webappsec and one day he walked in, dropped his pants and took a huge dump on our industry and then left again. And we just looked around at one another and said, ‘What just happened?’” Yup, he completely changed our industry in ways that will probably never be completely understood. He may have caused a lot of trouble, but he really did come out with a lot of friends (myself included). One funny quote was that at some time some police officer pulled him over and mentioned that he had been convicted of theft and something else, and Samy said, “The theft charge is BS - I didn’t steal a million friends!” Cracked me up. Samy was not allowed to touch the computer during the speech, which required some coordination so that other people wrote the PowerPoint deck and operated it during his speech. What a life!

The panel I was on (about vulnerability disclosure) was mostly uneventful although one comment made by Oracle set me off a little. They said they don’t work with people who do irresponsible vulnerability disclosure. I think that’s so backwards and something Microsoft has really gotten right. Companies need to understand that the only way they are going to get hackers on their side is to reach out to them and figure out what they know, what makes them tick and get the hackers to start working with them instead of against them. Not to pick on Oracle on that one, but I’ve seen that attitude a lot and I think it’s a dangerous route (one that I’ve seen fail countless times now).

Anyway, it was a great time, punctuated by lots of laughs, and I’m really looking forward to the next one in New York/New Jersey led by Tom Brennan. Having been to just a normal meeting there, I have high expectations for the next one. For everyone I met while I was there, thanks for taking the time to talk to me! It’s always nice to put faces to the names and have some interesting conversations with smart people.

In other quick news, there is an interview with me in (in)secure magazine and if you haven’t already seen it on Jeremiah’s blog, the WhiteHat roundtable was posted online. Also, there is a rumor that Fortify is releasing a 22 minute movie about hackers that I am in. Okay, maybe it’s not a rumor, but I’m not sure what the timelines are on that one or how they’re going to release it. I have gotten a sneak preview and it had a pretty interesting cast of characters in it. Lastly, id and I are doing a system migration this weekend, so if you notice(d) some downtime that’s what’s going on. Anyway, that is all for now!

15 Responses to “OWASP/WASC Appsec 2007 Wrap-up”

  1. Arshan Dabirsiaghi Says:

    Ack - no mention of AntiSamy! Did everyone bounce after Samy’s talk? It was great, but come on - I think I solved a problem the web has needed solved for some time! At least the people clamoring to integrate it after my talk seemed to think so.

    I had a blast at OWASP and I encourage people to come out to the next con, wherever it might be.

  2. thornmaker Says:

    Yeah, it was nice being able to put some faces with the names. For those who didn’t attend, all the talks were videotaped and should be available online in the next couple of weeks, or so I heard…

  3. hackathology Says:

    am reading the insecure magazine.

  4. roberta Says:

    The proxy project is wasc not owasp. Check out webappsec.org for more details.

  5. ntp Says:

    if samy had no prior knowledge of web application hacking, how did he write screamingCobra - http://samy.pl/scobra/ - which was released before both mielietools and nikto (which were both based on similar concepts)?

    timeline:
    nov-1999 whisker
    jul-2001 libwhisker
    jan-2002 screamingCobra
    aug-2002 mielietools
    aug-2002 nikto
    http://packetstormsecurity.nl/UNIX/cgi-scanners/indexdate.html

    samy had written these for the caezar’s 5b challenge at defcon 9 (2001) as you can see in his code:
    http://lucidx.com/crawl5b.pl
    http://lucidx.com/5balgo1.html
    http://lucidx.com/5balgo2.html

  6. RSnake Says:

    @arshan - sorry, I missed your speech. I was bouncing around from person to person almost the entire time I was there. I only hit four or five talks the entire time I was there.

    @roberta - sorry, I didn’t realize it was WASC and not OWASP. My bad.

    @ntp - It wasn’t my quote, it was someone else’s, but obviously he had some knowledge, he just wasn’t “into” it in the same way we all are. He had some knowledge, obviously, because he’s a very smart guy, but I think his interest in webappsec was in passing at the time. He’s far more interested in VOIP. But who knows? He could get back into webappsec in the future.

  7. tester Says:

    What is a good resource to start learning about browsers and their evolution (besides your talk)?

  8. Tom Stripling Says:

    @arshan - I saw your talk and it was great! I’m interested to try out your framework. I’m curious if it could be used to solve the Google gadget problem I have been looking into.

  9. Arshan Dabirsiaghi Says:

    Ah, no biggie. I realize now the comment came off kind of bitchy. It was funny - after I gave the talk a lot of people started coming up to talk to me.

    So I went to shake the first person’s hand, and he just walked right past me to talk to Samy and get him to sign his shirt.

    Bastard.

  10. Jeremiah Grossman Says:

    Arshan, let us know when you get the code posted to a website for public testing. I’m sure a lot of people wouldn’t mind bombarding it with stuff to try and bypass the filters. Would be good to have several different policy types as well to compare.

  11. Arshan Dabirsiaghi Says:

    Jeremiah & Tom and anyone else interested,

    The code is currently hosted on OWASP but I am moving the test application to an old domain of mine so I can do just what Jeremiah suggested. The code should be on the google code project by late tonight or tomorrow.

    I’m caught up in doing a lot of last minute QA work just to make sure it’s ready for public consumption. I’ve got a host of early adopters in the queue and I don’t want to let them down.

    Also - I’m not just looking for ways to bypass the filters (which is priority #1) - I’m also looking for reasons why the filter is too restrictive. I can prevent XSS 100% by simply whitelisting all tags and attribute values to absurdly tight settings - but I want it to be useful, too. If someone is getting caught that shouldn’t, and you can show me why, that’s almost as important as a security bypass.

    Anyway, I think I’ve hijacked the thread enough. RSnake gave a great talk, and the conference was a blast, thanks again to OWASP and WASC.

  12. Jeremiah Grossman Says:

    Arshan, I think you got the business usage expectations set exactly right, so that’s really encouraging. And just so ya know, when/if the filter is bypassed in some way, you are not going to be letting anyone down. Everyone knows building what you are is extremely difficult, which is of course why no one has done it before and released it. Over time it’ll get better and better I’m sure, especially with more people using it for production websites.

  13. Arshan Dabirsiaghi Says:

    Thanks Jeremiah. I feel inclined to apologize for helping keep you up late all those nights at Yahoo.

  14. Jeremiah Grossman Says:

    AHAHA. It wasn’t just you… unless you lived in multiple timezones and global geographic locations in a 24 hour window. :)

  15. dre Says:

    When will you post your slideset from OWASP AppSec 2007?