OWASP AppSec 2012 Conference Review

I just attended the OWASP AppSec DC 2012 conference last week. As always, it was a good conference with informative talks and great people. It seemed a little smaller than in past years, perhaps because this was just a regional conference and not the national conference. In any event, the conference focused on Web application security, but also offered tracks on mobile and industrial control systems (ICSs). I found it interesting that they did not check IDs at registration. The keynote address was given by Dan Geer, who is very knowledgeable and had some insightful points. Although I found his presentation style somewhat dry as he just read from a prepared speech, he did have plenty of good points. Some of them were:

•    “Remember that security is about control. Governments around the world want more of it.”
•    “The Internet is not designed for security. If it were, we wouldn't be here as innovation would not have come.”
•    “Why application security matters? Applications are critical.”

He also made the point that as applications move to the cloud, their size increases because the developers no longer have constraints, which of course impacts security.

After the keynote and an update from the OWASP Board, it was on to the talks. I tried to attend as many as I could on different topics. The sessions that I attended are summarized below.

•    DOM-Jacking – Attack, Exploit and Defense: This talk focused on Document Object Model (DOM)-based Cross-site Scripting (XSS) and other attacks. Shreeraj Shah gave an overview of what DOM attacks are, as well as the different attack vectors. He stated that there are more DOM threats in HTML5, that HTML5 is on the rise, and that we will see more of these types of attacks. Also, the API is becoming an integral part of the DOM (DOM=Node+APIs). Shreeraj was very knowledgeable on this subject. However, I found the presentation a little difficult to follow at times. The other talk on DOM XSS (later in the day) was a little better, in my opinion, mainly because I enjoyed his presentation style more. I did learn some tricks that I will try on my next Web application penetration test.

•    OWASP GoatDroid: Jack Mannino filled in for a presenter who could not attend. Jack’s talk focused on a project called GoatDroid. This is similar to WebGoat; however, its focus is Android vulnerabilities and not Web applications. It has applications that have been designed insecurely on purpose. It is a training tool for mobile developers, testers, and defenders. It offers lessons that cover the OWASP top 10 mobile risks across multiple applications. While it may not have the prettiest GUI, I think it is a great tool to expand your knowledge in mobile security, and I plan to check it out once it is updated next week.

•    Anatomy of a Logic Flaw: This was an interesting talk with examples of how business logic flaws can be exploited. These logic flaws are incredibly diverse and often unique to the specific application or business organization. I see this whenever we are performing Web application assessments. Yes, SQLi and XSS get a lot of press and attention, but in most cases, these are easy to find and mitigate. What is difficult is finding the business logic flaws. The primary reason for this is that it takes a manual approach to find these problems. You can’t just run a Web application scanner to discover logic flaws. It takes time, and that is something that we don’t always have during a testing exercise. Some of the logic flaws are caused by:
     o    Failure to anticipate threats;
     o    Lack of documentation of business rules;
     o    Poor design;
     o    Poor understanding of underlying technology; and
     o    Bad production management.
     The presenter gave some good ‘real world’ examples to illustrate this problem.

•    Old Web Shells, New Tricks – How Persistent Threats Have Revived an Old Idea, and How You Can Detect Them: I had seen Ryan Kazanciyan present before and I knew this would be a good talk because he has a good presentation style. I was interested in this topic because I remember using Web shells when exploiting IIS servers with the unicode/decode vulnerability back in the early 2000s. To be honest, it is not something that I have thought about recently, but I probably should. His talk focused on the incident-response perspective and how these Web shells are deployed laterally in the post-exploitation phase to avoid defender mitigation efforts. He then used a case study to illustrate how attackers are using these shells (primarily as backup), how to detect them, and how to remove them.

•    Unraveling Some of the Mysteries Around DOM-based XSS: Dave Wichers gave the second talk of the day on DOM-based XSS. It was nice to have two talks on this subject, because I had not seen it presented before. Dave covered some of the same material as in his earlier presentation, but I found his style easier to follow here. He gave clear examples and also discussed the confusion in terminology around DOM-based XSS. OWASP is going to work on defining this better so that everybody is on the same page. Dave also went over several different tools that can help detect DOM-based XSS.

•    Smart Bombs: Mobile Vulnerability and Exploitation: This was the first talk that I attended on Day Two and it focused on mobile security. There were three presenters, but it flowed well and was informative and entertaining. There are three areas for mobile testing: file system, application layer, and transport layer. Another issue to be concerned about is privacy. The presenters went over tools and techniques for performing testing in each of these areas. I definitely learned some tricks here and I can’t wait to run tests on some mobile applications.

•    Software Security Goes Mobile: This was another talk on mobile security that was more high-level and less technical, but still informative. It started with an overview of the mobile market and where it is going. The biggest question regarding mobile security in 2012 is, “Who cares?” The speaker then went over seven types of vulnerabilities in Android and gave examples of each. He finished with the questions that we should be asking when it comes to mobile:
     1.    What do your apps do and for whom?
     2.    What platforms will you support?
     3.    Who develops apps and where?
     4.    Is there an existing SDLC?
     5.    Do you rely on a platform provider or application distributor for security assurance?
     6.    Are mobile apps prompting back-end changes?
     7.    Are your apps’ permissions set correctly?

•    SharePoint Security 101: Since I encounter SharePoint frequently in applications during testing, I decided that it made sense to attend this talk. There are three different types of SharePoint installations: internal portal, external portal, and Internet Web site. SharePoint is the fastest-growing footprint in Microsoft’s history. The presenter stated, “SharePoint is built for collaboration, not security.” Some of SharePoint’s features may provide security, but they are not inherently security tools. The presenter then gave five areas that must be taken into account when using SharePoint:
     1.    Getting permissions right.
     2.    Automating compliance reporting.
     3.    Responding to suspicious activity.
     4.    Protecting Web applications.
     5.    Taking control when migrating data.
     He then concluded with a SharePoint checklist that should be followed to make sure that security is properly implemented.

Gus Fritschie