web application security lab

OWASP Pelting

I’m already back in the airport after a long day over at the world OWASP conference in New York. Among other things that were noteworthy was some extremely tacky marketing schwag from the ISC2 folks that says, “I fill the holes in your SLC”. I feel dirty having even typed that. I wish I were kidding. Ridiculous pictures of Dave Aitel wearing said schwag may or may not end up online in the near future. In the meantime, I wanted to do a brief overview on where we are and how things are progressing.

Jeremiah and I gave a brief talk yesterday outlining the timeline of events, and high level concepts of what was going on. We didn’t talk specifics other than some personal remediation advice - yes, Lynx is your friend. I felt really lame giving a speech saying I wasn’t giving a speech, trust me. This was not a career highlight, by any stretch. Hence the self-flagellation of telling everyone to loose a volley of squishy OWASP balls at me. I missed most of the volley in the picture I took of it, but you can still clearly see several of the OWASP balls in flight:


Jeremiah and I answered quite a few questions from the audience before, during and after the speech, and I’m sure a number of people are already working on their own versions of what they think we’re up to, given that a number of people were quick to tell us they were working on some demo code of some aspects of their interpretation of what we were talking about. I’m sorry to be vague, I really am.

Lastly, we did tell the audience that we will most likely be releasing a whitepaper on the informer’s website of Hackers for Charity prior to doing our full announcement (maybe a week or so before). It’s just a nice thing to do for kids, and we totally support Johnny Long’s efforts. Please sign up. It’s a good cause. If you must know the details and are too cheap to help kids in third world countries or you happen to be a kid in a third world country, I’m sure it will leak out in other ways and we’ll also post the whitepaper publicly later as well.

So, no time line still as of yet, but we are getting regular updates from Adobe and we’re confident they are being as expeditious as they can without risking introducing other issues in the process of issuing their fix. We’ll keep you updated.

16 Responses to “OWASP Pelting”

  1. Andre Gironda Says:

    Wow, I had no idea that one blog post could have such a dramatic effect on ISC2

    http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332041,00.html

    I’m, of course, referring to my blog post on R.I.P. CISSP, but TechTarget and the rest of the world assume it was all about JG’s survey. I wonder where they get these ideas from…

  2. Chris Shiflett Says:

    It was nice meeting you. I never did get that photo of you strangling Ivan. Maybe next time. :-)

  3. Israel Bryski Says:

    Does the code have to be in Javascript?

    Had to ask again. Nice speaking with you at the “fill the holes” convention.

  4. Ory Says:

    Airport?! WTF - weren’t you supposed to be giving a presentation right about….hmmm….now?!

  5. rvdh Says:

    Your audience scares me :) should I be concerned? ;)

  6. Jeremiah Grossman Says:

    @Israel, JS could certainly help, but it’s not strictly required for a good Clickjacking exploit.

    @rvdh, it was a really good crowd. They were very understanding of the given situation and we appreciated it immensely! I’m hoping the details will get out there soon, by us or other researchers. See here…

    http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html

  7. Jim Manico Says:

    From Slashdot:

    “Well, the point about the attack is the user doesn’t know they’re being phished. They think they’re just pressing play on a video box, or following a link, or some other innocuous action on a perfectly reasonable, anonymous website on the web.

    It’s a bit like CSRF, except the browser has no way of telling whether the click through the iframe was legitimate or not, whereas with CSRF you could at least detect whether or not the form submission came from the same website. A clickjack is functionally equivalent to the user going to that website and making the action of their own accord.

    It is most certainly fixable, but it is not, which is why it’s a zero-day.”

  8. Jim Manico Says:

    Ah, seems like Google appSec has been researching this for quite a while, too: For an in-depth analysis of clickjacking, see:

    http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html

  9. Spyware Says:

    “or you happy to be a kid in a third world country”, did you mean “happen to be” here? Anyway, time to mow some lawns for those fifty bucks…

  10. Gareth Heyes Says:

    I posted about this stuff back in 2007:-
    http://www.thespanner.co.uk/2007/09/28/openid-security-css-overlays/

    Uses two iframes offset to get the desired area and fool the user into adding a trusted site to an OpenID provider.

  11. robert Says:

    @Gareth
    I think what they have discovered is different but related to this. CSS/DIV overlays are widely known and have been for years, what they are discussing is something new.

  12. thornmaker Says:

    Sorry I missed you this year. It was a shame you didn’t have time to prepare a different talk. The 20 questions game was rather pointless but certainly not your fault.

  13. Rafal Says:

    Hey Rob… love that picture, by the way. Glad to see you made it back home OK… there was some very serious heavy drinking involved. Whose idea was it to give a bunch of starved geeks booze before dinner again? Oh, right, ISC2… whoops!

    Certainly fun was had by many… minus the weather on Friday which sucked.

    Cheers!

  14. Rafal Says:

    Dude… I just realized as I was staring at that picture… You got pelted with blue balls. D’oh!

  15. Benson Says:

    I just saw myself in orange enjoying the blue balls flying toward the answerer of the 20 questions game XD

    PS. We feel dirty reading CSSLP in Taiwan dialect.
