OWASP AppSec 2013

Last week I attended the OWASP AppSecUSA conference in New York City.  OWASP AppSecUSA, as the name implies, focused on application security.  I only had the opportunity to attend the last two days of the conference, but there was training and other events earlier in the week.  Overall I came away from the conference with a positive experience.  I had the opportunity to see some good talks, participate in the CTF contest, touch base with current colleagues, and meet some new friends.  Below I will give a summary of the talks I attended.  I believe the majority were recorded so you should be able to find them online if they sound interesting.

Why is SCADA Security an Uphill Battle by Amol Sarwate – Now while I don’t do a lot of SCADA security work, we do have a few clients that utilize SCADA systems and I am always looking to learn something new.  I felt this presentation was one of the weakest I attended.  The presenter clearly knew the subject well, but the presentation style was dry and primarily just reading off of the slides.  He tried to tie the vulnerabilities into web application security but for the most part it did not connect for me.  The majority of the presentation was going over the various SCADA components and then listing vulnerabilities that had been discovered and disclosed in the past.  Nothing terribly exciting or interesting in my opinion.

BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors by Jason Haddix and Dawn Isabel – I enjoyed this presentation as mobile application assessments are something we are doing more and more of.  Their talk focused on binary analysis with the premise that reverse engineering has a steep learning curve and their goal was to simplify the process.  They gave an overview of the various command-line tools that can be used such as otool, clutch, rasticrac, classdump-z, and others when analyzing an iOS application.  Throughout the process they hinted at how nice it would be if this process could be automated.  It seemed like they were leading to the release of a tool for the community, and they did in a way.  They developed a tool called riskier that takes a binary application and runs a number of different tasks on the app, which previously would need to be done manually.  Unfortunately, at this time they are not releasing the tool to the public.  However, you can submit apps from the app store and they will run the tool against them and provide a report.  This functionality can be accessed at hprisker.com.

Revenge of the Geeks: Hacking Fantasy Sports Sites by Dan Kuykendall – This was another good talk and I am not just saying that because I am in Dan’s fantasy football league.  It was a good overview on what not to do in mobile application security.  He went over the vulnerability he discovered in Yahoo’s fantasy football app, but the talk was more of security best practices and how to secure applications, both mobile and traditional.  Other mobile talks focused more on the security of the application on the device, but Dan’s focused on attacking the web services that the mobile application interfaces with.

OWASP Zed Attack Proxy by Simon Bennetts – Simon is the project lead for ZAP, an attack proxy similar to Burp.  I actually used ZAP and its predecessor Paros prior to using Burp.  Burp is my go-to tool of choice when examining web applications, but I also like to use ZAP as a secondary tool.  Simon did a great job presenting; he did not spend much time going over ZAP as much of the audience was already familiar.  Rather he described the new features and did several live demos, all of which worked.  I learned about several features I was not as familiar with, especially the ZEST scripting language.  I am looking forward to getting an opportunity to play around with ZAP some more on future projects.

') UNION SELECT `This_Talk` AS ('New Exploitation and Obfuscation Techniques')%00 by Roberto Salgado – This was a fairly technical talk that focused on SQL injection techniques for bypassing IDS and web application firewalls.  He showed different approaches, including his own which makes the process much quicker.  Overall a good presentation that kept my attention at 9:00 in the morning.

The State Of Website Security And The Truth About Accountability and “Best-Practices” by Jeremiah Grossman – This talk was standing room only to see Jeremiah Grossman speak about the current state of web application security.  Although throughout the talk he mentioned White Hat Security, it was definitely not a vendor pitch.  Rather he went over a number of statistics that he had managed to collect over the past year and some of the trends were surprising.  As always he is an entertaining speaker and I recommend watching it on video when it is released.

Hacking Web Server Apps for iOS by Bruno Gonçalves de Oliveira – Not really sure what to make of this talk.  The speaker was from Brazil and English was not his first language; that said, he was pretty entertaining and was easy to follow.  The talk focused on vulnerabilities he discovered on file sharing web applications for mobile devices.  These ranged from no encryption, file upload, and almost no authentication.  He showed several videos demoing the findings, but at the end of the day it seemed below the quality you would expect from a major security conference.  At the end of his presentation he proposed to his girlfriend (she said yes) so that was pretty exciting!