Saturday, 18 June 2011

OWASP AppSec EU, slides, pictures and experience

Update 02/07/2011: Arian Evans recently clarified he is really "Arian Evans" and not "Adrian Lane", so I fixed that in the post below. Arian Evans gave the talk on the Six Application Security Metrics. Apologies for confusing the names :).

Update 23/06/2011: Dreyer just clarified to me that int3pids were really third and not first at the Codegate 2010 (still a great achievement but not a first place) so this has been fixed in the blog post. They were truly first at the Swiss Cyber Storm with 1 digit more of points than the second team :)

So the time came and OWASP AppSec EU just happened. 7th-10th of June 2011 in Dublin, Ireland.

Some of the slides have already been published here and here.

There are also a lot of pictures here; I will use many of them in this blog post (thank you to the OWASP crew for making those available).

I missed the KartCon and Training parts of the event but apparently they had a very good time!

There is a short write up on the KartCon experience by Tom MacEnzie here.

The first day started at the hostel where I stayed. I laughed a lot when I saw this (sorry for the poor quality, at least it is still readable and that's the point):

Let's get started: Day 1!

So after a brief intro from the OWASP crew Day 1 started with a keynote by Brad Arkin from Adobe. Slides here.

This talk was about the security program Adobe has in place, how they have to defend their products in many platforms:

How some people hack for the Lulz:

And how government agencies have slowly been replacing traditional weapons by zero day sponsoring and hacking (see blurred mouse pointer to the right of the picture):

Finally he went into some detail regarding how Adobe handles its security program and how ninja levels are used to motivate developers!

Because we always see Adobe in the news with new patches for Flash, Reader, etc., I found it somewhat surprising that Brad Arkin said something along the lines of "that is for the old versions, we are putting a lot of work into hardening new versions and in fact there has only been 1 exploit for Adobe Reader X so far".

The recent news this week seems to confirm this: the sandbox architecture seems to stop most vulnerabilities from being exploited:

In the Q+A Thomas MacEnzie asked a very interesting question regarding Adobe's disclosure timelines. Brad Arkin's summarised answer was that:
- Vulnerabilities take on average 90 days to fix; they try to fix them before that time.
- A member of the PSIRT (their incident response team) is in contact within 8 hours when a vulnerability is disclosed to Adobe.

You can see Tom's notes on this talk on his blog.

After that there was a quick update on the OWASP board election and organisational aim:

ok, a picture from the audience :)

As usual, it is a conference, a lot of interesting talks going on at the same time and I have to make a choice. This blog post focuses on the talks I attended, however all other reviews I found are linked to at the bottom of this blog post and may comment on talks I missed.

I chose to go to "Practical Browser Sandboxing on Windows with Chromium" by Tom Keetch from Verizon Business. Slides here.

The CONFidence guys have a better picture from a similar talk (more attack-oriented) he gave last month at CONFidence Kraków 2011 (I missed his talk that time but not this time!):

The sandboxing talk was very interesting; it went into detail on the architectural strengths and weaknesses of different sandbox approaches. I found it surprising that Google and Adobe (Reader X) are using a similar sandbox, but this made sense since Brad Arkin had mentioned that Adobe Reader X had seen very few successful exploits against it so far (so, like Chrome, the sandbox seems a pain to break out from). In Chrome, however, the softer attack avenue is of course the plugins (like Flash!), which by definition are outside of the sandbox.

Although I had said I refused to go to any talk with "APT" in the title, Tom skipped the sandboxes talk and went to "APT in a nutshell" by David Stubley instead; there is a write up about this talk here.

Then I went to "How to become Twitter's admin: An introduction to Modern Web Services Attacks" by Andreas Falkenberg.

The talk went into detail on a Web Service specific attack called "Signature Wrapping". It takes advantage of the XML message being only partially signed: this allowed his team to change the XML structure, present a valid signature to the application, but put the data in another part of the document so that the business logic used that part instead. Basically a business logic flaw (the application should only take the value of the data that was actually signed!).
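As an added illustration of the flaw described above (my own example, not code from the talk or from the post), here is a deliberately simplified signature scheme: an HMAC over the element that the signature's Reference URI points at stands in for XML Signature's canonicalisation, digest and RSA steps. The verifier is correct in both versions; the difference is that the vulnerable business logic reads the first <Body> it finds, while the hardened one only uses the element the signature actually covered and pins where that element must sit. Element names, Ids and the key are constructed for the demo.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # shared verification key; an assumption for the demo

def _find_by_id(root, ref_id):
    """Return the single element carrying Id=ref_id; ambiguous Ids are rejected."""
    hits = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(hits) != 1:
        raise ValueError("Id %r matched %d elements" % (ref_id, len(hits)))
    return hits[0]

def _mac(elem):
    """HMAC over a deterministic serialisation (stands in for C14N + RSA signing)."""
    clone = copy.deepcopy(elem)
    clone.tail = None  # tail text lies outside the element and must not affect the MAC
    return hmac.new(KEY, ET.tostring(clone, encoding="utf-8"), hashlib.sha256).hexdigest()

def sign(xml_text, ref_id):
    """Sign only the element with Id=ref_id (partial signing, as in the talk)."""
    root = ET.fromstring(xml_text)
    sig = root.find("Header/Signature")
    sig.find("Reference").set("URI", "#" + ref_id)
    sig.find("SignatureValue").text = _mac(_find_by_id(root, ref_id))
    return ET.tostring(root, encoding="unicode")

def verify(xml_text):
    """Check the signature; return the root and the element that was actually signed."""
    root = ET.fromstring(xml_text)
    sig = root.find("Header/Signature")
    signed = _find_by_id(root, sig.find("Reference").get("URI").lstrip("#"))
    if not hmac.compare_digest(_mac(signed), sig.find("SignatureValue").text or ""):
        raise ValueError("bad signature")
    return root, signed

def amount_vulnerable(xml_text):
    """Verification is correct, but the business logic reads the first <Body> it finds."""
    root, _signed = verify(xml_text)
    return int(root.find("Body/Transfer").get("amount"))

def amount_hardened(xml_text):
    """Use only the element the signature covered, and pin where it must sit."""
    root, signed = verify(xml_text)
    if signed.tag != "Body" or signed not in list(root):
        raise ValueError("signed element is not the Envelope's own Body")
    return int(signed.find("Transfer").get("amount"))

# Constructed legitimate message: the Signature will cover the Body via its Id.
TEMPLATE = ("<Envelope><Header><Signature><Reference URI=''/><SignatureValue/>"
            "</Signature></Header><Body Id='b1'><Transfer amount='10' to='alice'/>"
            "</Body></Envelope>")
SIGNED = sign(TEMPLATE, "b1")

def wrap(signed_xml):
    """Constructed wrapped message: the signed Body moves into a wrapper inside the
    Header (so '#b1' still resolves and verifies) and an unsigned Body takes its place."""
    root = ET.fromstring(signed_xml)
    original = root.find("Body")
    root.remove(original)
    ET.SubElement(root.find("Header"), "Wrapper").append(original)
    ET.SubElement(ET.SubElement(root, "Body"), "Transfer", amount="1000000", to="mallory")
    return ET.tostring(root, encoding="unicode")

WRAPPED = wrap(SIGNED)
```

Both functions accept SIGNED and return 10; on WRAPPED the signature still verifies, so amount_vulnerable returns the unsigned 1000000 while amount_hardened rejects the message.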

He was clear to state that "Signature Wrapping" is only one of many Web Service specific attacks, the point of the talk can perhaps be summarised as follows:

1 - Web Services can be vulnerable to everything Web Applications can be vulnerable to:

2 - In addition to above, Web Services can also be vulnerable to a big list of new attacks:

Although the picture above is a bit blurred (sorry), Andreas told us of a new website dedicated to web service security, that details how to perform each identified Web Service specific attack and also how to defend against it. That site, which he mentioned is a new OWASP project also, is called:

In the Q+A many people were up in arms about the signature wrapping attack: "everything should be signed!" :).

I was thinking the same and asked the question: "This signature wrapping attack only works because of the partial signing so that you can manipulate the XML structure. This could be prevented by signing the whole XML message: What is the business reason for not doing so?".

Andreas answered something along the lines of "I did not develop the system so I do not know, but it could be due to more processing power needed to sign all the message: this might make the application slower".

After thinking a little bit (nothing serious ;)) about this today, I think that the processing power difference between signing the whole message and only a small part is probably negligible: the asymmetric signing operation (the slow one) is only performed on the hash, which has a fixed length. Therefore the only performance difference between signing the whole message and only a small part of it must be the difference in hashing the whole message versus hashing the part, and that difference is probably not noticeable (hashes are very fast).

My reasoning is that if the output hash that must be signed is of the same length then the signature of the hash must take exactly the same time.

Bottom line: There must be a better reason for using partial XML signing, if anybody knows what it is I would be interested to know! :)

Tom also attended this talk, his notes are here.

In addition to this, Andreas Falkenberg also gave this presentation recently at OWASP Belgium: Xavier Mertens has a nice write up in his blog here.

After that it was lunch time, unfortunately I had to skip it to take care of some business and also skip the lunchtime keynote, but it looks like you had a nice time!

Although I missed the lunch keynote by Giles Hogben from ENISA, Tom went to it, here are his notes.

After this Tom got engaged in the CTF, which he led during the first day of the conference, to eventually end up third on time even though he was tied with the 1st and 2nd positions on points! Unfortunately this meant he missed most talks after this.

I think the CTF should happen before the conference so that people that go to the conference can also attend the talks, there is no way you can win the CTF while attending all talks -on average! ;)-.

Although you can argue that the talks can be watched later when video is available, it is not the same :), at a minimum you lose the chance to ask questions and discuss the topics with the colleagues in the audience before and after talks.

During the break, right before the next talk we saw this vendor with the surprising words "Microsoft+Linux", we were in shock! :)

Right after that it was time for another talk, I chose "Intranet Footprinting: Discovering Resources from outside" by Javier Marcos de Prado and Juan Galiana Lara from IBM. These Spanish lads rock! ;). Slides here.

The whole talk was based on identifying resources from the browser: once the user clicks a link, how to determine the internal network address blocks, live hosts and open ports! In one picture:

They did all of this writing their own BeEF modules, which is very nice, hopefully they will release the code soon so that the community can take that research to the next level.

I asked how long it takes to scan each port from the browser and they said that "on average, 2 seconds".

A guy beside me followed up on that and asked something along the lines of "when you use BeEF in practice, it is hard to do anything useful because you lose your foothold as soon as the user closes the browser". Javier answered something along the lines of "Well, you can send them to watch a video so that you have enough time to do some basic recon, something like 10 minutes is enough". This also reminded me about how long I have certain tabs open :P.

After that talk I attended "Python Basics for Web App Pentesters" by Justin Searle from InGuardians Inc.:

This talk was a true eye-opener to me and really showed how to write your own scripts so that you can automate the small things that tools cannot do. He even provided a few of his templates for free in an open source project dedicated to this:

This talk is a guarantee that I will hit Python hard in the future :).

After that talk I went to "CTF: Bringing back more than sexy!" by Mark Hillick.

Mark is the organiser of the HackEire hacking competition which will run for the third time this year.

This talk was about encouraging attendees to participate in hacking competitions. About the slide above, Mark said something along the lines of "you do not have to be HD Moore or a l33t hacker like in this movie, just come and learn, it does not matter if you do not know anything, just come and learn". I also like sentences like "you truly learn by doing" and "how much of what you have listened to today will you apply in practice?".

This talk was not very technical but was very motivational to me.

Hacking challenges are truly a unique experience. As he was talking, this talk strongly reminded me of the passion, courage and emotion of:
- The 24 hour challenge to get the Offensive Security Certified Professional (OSCP) certification
- The "try harder" and "there is no spoon" OSCP mottoes
- The late nights and crazy hours when hunting something in my pen tests (i.e. "I am not sleeping until I get it" attitude).
- The good old times with jaxp and dreyer (interview in Spanish) at university: I would not be in security today if it wasn't for the inspiration these guys gave to me.
- The continuous inspiration from dreyer and his hacking teams like previously Sexy Pandas and now int3pids, doing so well at Defcon several times (even to qualify is amazing!), and more recently ending up third at the Codegate 2010 and winning a car at the Swiss Cyber Storm competition! (they also qualified for DefCON this year .. good luck guys!)

These guys just rock and their achievements are truly inspirational, they are the pride of the Spanish security community and for that reason and this talk I may consider participating in upcoming CTFs, like for example HackEire and probably also try to become more active in the different online hacking competitions ;).

After this talk there was the After-party, which was pretty cool:

In the after party I met a lot of people and eventually learned that my surname despite finishing in "en" does not seem German to German people, thanks to the German guy who clarified that, I had been wondering about it for a few years :).

But most importantly I met Mario Ballano again (interview in Spanish), and he taught me a couple of lessons on heap overflows :). He participated with int3pids in the Codegate CTF where int3pids ended up third, by the way.

Time for Day 2!

The day started with the keynote by Janne Uusilehto from Nokia.

He talked about how complex it is to truly secure products so that they are secure enough even for years after they have been produced. This is a picture of his slide on "secure enough":

The basic idea is that you cannot just spend all your funds on making your product perfectly secure, because then it will be so expensive that you will be out of business. You need to find a balance: "secure enough" strives to find that magic balance where the company remains competitive but vulnerabilities in its products are mitigated or not serious enough to cause brand damage, etc.

I asked him the question I could not ask Brad Arkin from Adobe (time ran out), roughly: "All these processes you have to ensure software security seem comprehensive and are great but .. how can a big company like Nokia make sure that no developer is being bribed to install a back-door in a product? What processes do you have to stop that?". Janne basically answered that "It is not possible to completely stop that but we do our best through code reviews".

After that I went to "An Introduction to the OWASP Zed Attack Proxy" by Simon Bennetts.

The talk showed how much progress has been made from the good old Paros:

Around the end of the talk he estimated that 55% of the code in ZAP is new; there are a lot more features in ZAP than there were in Paros and many bugs have been fixed. Stability, which was a problem for me with version 1.2.0, seems much better in version 1.3.0.

The development team or at least Simon seem very enthusiastic and devoted to the project and I think this will make a difference.

When I asked Simon re stability he mentioned that "stability is a top priority" and I was very happy about that. Cool tools like ZAP and w3af should be built in a way that CANNOT crash through proper exception handling or process/resources monitoring.

If ZAP keeps growing like this it may well end up surpassing Burp ... eventually :).

I truly have to thank Simon for being very open minded, extremely open to suggestions and very supportive and enthusiastic about the ZAP project, that is truly awesome and I hope that enthusiasm does not end! :)

After that talk I went to "Testing Security Testing: Evaluating Quality of Security Testing" by Ofer Maor.

One of the main issues with testing is the obvious: Coverage

He talked about how in one pen test things came out clean but then the client was hacked, because a vulnerable piece of functionality only became available after the pen test!

He also talked about how we have to be careful when testing (rough quote from notes+memory): "So when I started pen testing I did like everybody and typed in OR 1=1 on all login pages but then one client had a million records and the system was unavailable for 1 hour so I learned my lesson and now I test using OR 1=2". All the audience laughed a lot when he mentioned this but it is of course true! :)

I found interesting the statement that false positives are worse than false negatives because they teach the client you are "crying wolf when there is no wolf so your findings can be ignored".

The Arian Evans talk was moved as a keynote because Ivan Ristic from Qualys could not make it. I had to skip the lunch keynote again to take care of some business so the next talk was then "Putting the Smart into Smartphones: Security Testing Mobile Applications" by Dan Cornell.

This guy was truly energetic, not only at the party but at the talk as well; the whole conference was organised incorrectly! This guy should have talked first thing in the morning in a keynote to wake everybody up! :)

He taught a good lesson: Mobile Security has little to do with Web Application Testing and a lot to do with Forensics and Reverse Engineering. There are some Web Application components, in that applications typically also interface with the web using web services and other means, but the point remains that reverse engineering is critical for assessing mobile applications.

I liked this quote from Dan during the talk: "If someone can control the queries that run on your database it is no longer your database" :).

Basically the Mobile Security threat model is dramatically different because applications must also try to defend against other malicious applications attacking them from the filesystem. It was also interesting to learn that both iPhone and Android apps tend to use SQLite for storing data.

Instead of butchering his talk further, it is best to refer to Dan Cornell himself on his talk and slides :).

After this I went to "PCI DSS v2.0: A new challenge for web application security testing?" by Laurent Benameur Sauvaire from Espion Ltd.

This talk was a very interesting view into how PCI works, what the changes have been, and a very graphical representation of the different components and how they tie together.

Basically if an application or server transmits, stores or processes credit card data it is subject to PCI DSS.

Literal quote from the PCI DSS documentation:
Page 7: "PCI DSS Applies to all entities that store, process and/or transmits cardholder data"

Some applications think they do not have to be PCI compliant if they use a payment provider, but if the credit card details are retrieved by the application and then forwarded from the application to the payment provider, then the application is transmitting cardholder data and should be PCI compliant! The redirect method is the only current way to avoid the compliance requirement (then you do not store, transmit or process cardholder data).

I raised the point that because PCI DSS is "a lot of hassle" many companies choose to use a payment provider (for example, Realex in Ireland) so that they do not technically "transmit, store or process" credit card data. However, payments through payment providers work through HTTP redirects: if a company avoids PCI compliance by using a payment provider and is hacked, there is nothing stopping the attacker from modifying the payment mechanism so that a hidden or 1 pixel iframe remains on the server and the redirect is done in an iframe so that the credit card data can be retrieved via JavaScript.

Therefore, a standard (PCI) that is meant to protect credit card data does not work because it allows companies to avoid compliance through payment provider usage, despite the fact that the redirect system can be hacked and credit card details stolen anyway (i.e. via JavaScript and iframe tricks) -if the non-compliant server is compromised and code is modified-.

A quick overview of the PCI standards was presented in this slide:

I thought that the PA DSS (Payment Application Data Security Standard) would cover companies that avoid PCI compliance, so that at least they have to do something about security, but that normally does not apply to them either! This is ridiculous! :P

I am not even getting into whether the standard itself is good or not, the applicability is flawed!

When talking to Laurent about this he basically said that "All that is true but compliance is not security" and "yes, credit cards could be stolen in the scenario you describe" (rough quotes from memory). I would really like to see a revamp of PCI so that the standard itself or a new side standard from it applies to the companies that think they can avoid security completely through the usage of a payment provider. Thanks to that mentality credit card data is at risk (can be stolen via iframe/JavaScript tricks) and PCI is doing nothing to somehow force these companies to at least do something.

The only thing for companies like this at the moment are some "Visa guidelines", but guidelines are not mandatory so you know what happens :P.

It was also a shocker to hear that to be compliant a company needs to either "perform periodical vulnerability assessments" OR run a WAF .... all I can say is ... wtf! ... Laurent said "he recommends to do both" but the fact is you can be compliant if you do only one. Big Fail here PCI ... jeez.

Nice related write up regarding Compliance != Security and PCI here (there are some interesting metrics on WAF effectiveness there too).

I must say that the slides from this presentation were probably the coolest of the whole conference :).

The final talk was "Six Application Security Program Metrics" by Arian Evans.

This talk was about metrics, white-hat real statistics from their customers and the different threats applications face.

He talked about 3 main threats they see in the field:
- Opportunistic: Goes for the easy to find "low hanging fruit"
- Directed opportunistic: They go for the easy stuff too but they try a bit harder
- Fully targeted: These are really going after you and will do almost anything to get in (he put there "APT" as a joke ;)).

An interesting statistic he showed is that 54% of breaches happened through a web application (I suppose another high percentage would be "user clicked the link" :)).

But perhaps most importantly, he made the case for OWASP metric projects to help infosec practitioners, providing them with solid data to present to their managers so that they can get executive commitment for security programs.

At this point, Tom came back from the CTF and wrote some notes about this talk here :).

Right after the talk, the new location for OWASP AppSec EU 2012 was presented: Greece in summer! :).

Then there was a raffle and guess what? I did not take any tickets! (was distracted and missed that part) That is a guarantee for getting nothing LOL

Some winners:

Although it does not seem to be in the pictures, Tom Keetch won some Drums too ... I was joking with him saying that "What will Ryanair say about that?" :).

I did not attend "Practical Crypto Attacks Against Web Applications" by Justin Clarke because I had already attended that talk at BSides London (there are some notes on that talk in that blog post). But Justin is a gifted speaker and he told me he had more demos working this time:

When he saw me the first thing he said was "don't talk to me about counter mode, ok?" :). In a brief conversation he also mentioned that counter mode is used by the Yubikey and, because it works by increments of 1, they can trivially mark all previous tokens as "invalid". I liked that and he said "It is simple and I like simple". Good security can be simple and I like simple too Justin :)

I wanted to go to Steve Lord's talk but will have to wait for the video, I really enjoyed his two talks at BSides London and Defcon London in April:

This guy was very nice and engaged throughout the conference, thanks also to all others that made this possible:

This blog post would be incomplete if I did not post a little bit of FAIL from Dublin Airport as I was leaving Ireland ;)

Other reviews (in no particular order):
- Partial reviews (notes on the talks mostly) by Tom MacEnzie are linked to on the relevant sections of my own review above.

- Review by Psiinon (ZAP lead developer, also a speaker at the conference)

- Review by Clerkendweller