Thursday, February 08, 2007

Reflection on Amit Klein


Those who work in the web application security field need no introduction to his name. He is an expert and by far one of the best in the web application security space. He is one of the early starters of the field and has played a major role in the awareness of webappsec. His contributions range from identifying vulnerabilities and publishing them to contributing towards standards such as the OWASP guide, the WASC threat classification and the web application firewall criteria. Those who are not aware should know that he also contributed towards the solution for UXSS (PDF XSS vulnerability). He is also a WASC (Web Application Security Consortium) officer and board member, and co-leads the WASC articles project.

Based out of Israel, he started back in 1997 with Perfecto Technologies (which later became Sanctum), mostly heading security research activities. Sanctum was later acquired by Watchfire in 2004, which is when he left Sanctum / Watchfire. He is currently CTO of a security company.

Below you will find a list of his articles, contributions, presentations and other details.

Articles:-

A Refreshing Look at Redirection
http://www.securityfocus.com/archive/1/450418

Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)
http://www.securityfocus.com/archive/1/443391

Under some conditions, it's possible to steal HTTP credentials using Flash
http://www.securityfocus.com/archive/1/443191

Forging HTTP request headers with Flash
http://www.securityfocus.com/archive/1/441014

IE + some popular forward proxy servers = XSS, defacement (browser cache
poisoning)
http://www.securityfocus.com/archive/1/434931

Path Insecurity
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

HTTP Response Smuggling
http://www.securityfocus.com/archive/1/425593

Domain Contamination
http://www.webappsec.org/projects/articles/020606.txt

XST Strikes Back
http://www.securityfocus.com/archive/1/423028

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a
lot more...
http://www.securityfocus.com/archive/1/411585

Detecting and Preventing HTTP Response Splitting and HTTP Request
Smuggling Attacks at the TCP Level
http://www.securityfocus.com/archive/1/408135

NTLM HTTP Authentication is Insecure by Design
http://www.securityfocus.com/archive/1/405541

Can HTTP Request Smuggling be blocked by Web Application Firewalls
http://www.webappsec.org/lists/websecurity/archive/2005-06/msg00123.html

DOM Based Cross Site Scripting
http://www.webappsec.org/projects/articles/071105.html

Meanwhile, on the other side of the web server
http://www.itsecurity.com/security.htm?s=3957

HTTP Request Smuggling (with Chaim Linhart, Ronen Heled and Steve Orrin)
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

The Insecure Indexing Vulnerability - Attacks Against Local Search Engines
http://www.webappsec.org/projects/articles/022805-clean.html

Detecting and Testing HTTP Response Splitting Using a Browser
http://www.securityfocus.com/archive/107/378523

Blind XPath Injection
http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning
Attacks, and Other Topics
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Secure Coding Practices for Microsoft ASP.NET
http://www.cgisecurity.com/lib/WhitePaper_Secure_Coding_Practices_VSdotNET.pdf

XS(T) attack variants which can, in some cases, eliminate the need for TRACE
http://www.securityfocus.com/archive/107/308433

Cross Site Scripting Explained
http://crypto.stanford.edu/cs155/CSS.pdf

Hacking Web Applications Using Cookie Poisoning
http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf

Contributions:-

OWASP Guide to Building Secure Web Applications
http://internap.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf

WAFEC
http://www.webappsec.org/projects/wafec/

WASC's Threat Categorization (TC)
http://www.webappsec.org/projects/threat/

Co-lead the WASC articles project
http://www.webappsec.org/projects/articles/guidelines.shtml

Presentations:-

OWASP AppSec Europe Conference 2006 – “HTTP Message Splitting, Smuggling and Other Animals”

CERT 2002 Conference, August 2002 - "WWW Forensics"

FM'99 Congress, September 1999 - "A Perfect Verification: Combining Model Checking with Deductive Analysis to Verify Real-Life Software"

Memberships:-

Amit is a WASC officer and board member.

Companies worked for:-

Sanctum, Cyota (RSA security)

Education:-

B. Sc. Mathematics and Physics

Email:-

aksecurity__at__gmail_dot_com

And it doesn't end here; you will see a lot more coming from him. He is a must-follow figure in the webappsec field.

Next Friday – Reflection on RSnake

2 comments:

Andrew van der Stock said...

Hi there,

The 1.1.1 edition of OWASP Guide is old and should not be referenced.

Amit's work was updated and referenced in OWASP Guide 2.0:

http://www.owasp.org/index.php/Interpreter_Injection#DOM-based_XSS_Injection

and the Testing Guide:

http://www.owasp.org/index.php/Testing_for_XPath_Injection

Amit is a really nice guy and one of the smartest cookies in webappsec today. I'm glad we invited him to speak at last year's OWASP EU.

thanks,
Andrew van der Stock
Executive Director, OWASP

Anurag Agarwal said...

Andrew -

Thanks for pointing that out. I have updated the link to point to OWASP Guide 2.0

--Anurag