Breakers
Monday, November 18
 

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex, will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity: masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason: they work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013, and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...


Monday November 18, 2013 8:00pm - 11:59pm EST
Sky Lounge (16th Floor) NY Marriott Marquis
 
Tuesday, November 19
 

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

Repeat of the Monday night Bug Bash; see the full description under Monday, November 18.


Speakers
Dinis Cruz

AppSec, OWASP


Tuesday November 19, 2013 8:00pm - 11:59pm EST
Sky Lounge (16th Floor) NY Marriott Marquis
 
Wednesday, November 20
 

12:00pm EST

All the network is a stage, and the APKs merely players: Scripting Android Applications
Video of session:
https://www.youtube.com/watch?v=yh4-F90XONI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=7

The existence of open, well-defined APIs for many popular websites has been a boon to spammers, but as these networks have grown in popularity their operators have begun to care more about the integrity of the network. Third-party access to these APIs is becoming increasingly restricted, while at the same time the desire for a frictionless mobile experience has led to much looser restrictions in the operators' own applications.
We'll leverage this, along with the ability to load and execute Android APKs within JRuby sessions, to create and control a social botnet.
We begin with a brief overview of tools for disassembling, understanding, modifying, and rebuilding APKs. We will then move on to scripting portions of the application in a JRuby session, along the way covering key recovery, bypassing custom cryptographic routines, and general exploration of the code in a dynamic environment.
We'll conclude by leveraging what we've discovered to create and control thousands of accounts. Building on available information sources, such as the US census, and streams provided by the targeted network itself, these accounts will have realistic characteristics and interact with the network in believable ways.

Speakers
Daniel Peck

Principal Research Scientist, Barracuda Networks
Peck is principal research scientist at Barracuda Networks, where he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non-content based systems to identify malicious accounts on Twitter/Facebook, exploiting...


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors
Video of session:
https://www.youtube.com/watch?v=Ef_YeULnw1k&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=8

The toolchain for (binary) iOS application assessment is weak BUT, like an island of misfit toys, there can be strength in numbers. Join us as we explore what actually needs to be done in a mobile assessment and how we can do it right from our SSH prompt on our iOS device. Our tool is simple yet effective, and as you learn to do mobile assessments you'll also teach yourself the fundamentals of the OWASP Mobile Top 10. Topics explored will be binary analysis, app decryption, data storage, endpoint parsing, class inspection, file monitoring, and more! Heck, we might even release some sort of ghetto BASH Obj-C source parser!

Speakers
Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website...

Dawn Isabel

HP ShadowLabs
Dawn Isabel is currently a Mobile Security Consultant at HP ShadowLabs, where she tests iOS and Android applications and develops in-house tools for static and dynamic analysis of mobile apps. Prior to that, she designed and ran a penetration testing service at the University of Michigan...


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Mantra OS: Because The World is Cruel
Video of session:
https://www.youtube.com/watch?v=aWByCj8qfFE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=28

OWASP Mantra OS was developed under the mantra of “OWASP because the world is cruel”.
The reason this mantra is used as an underlying principle for the development of Mantra OS is simply that it is better for the pen tester to find the exploit than the hacker. The tool-set of Mantra OS v13 contains the same tools many hackers use to exploit web applications, such as DDoS, SQL injection, man-in-the-middle attacks, and poisoning attacks. The purpose of this presentation is to show practical testing methodologies using Mantra OS and how to run these tests in a controlled environment. In this talk we will discuss and demo:

• Demo of the tool-set of Mantra OS
• Maltego and intelligence collection.
• DDoS using LOIC, Slow HTTP poisoning and ping of death with Scapy.
• SQL injection with Burp and sqlmap.
• Man in the Middle with SSL stripping.
• ARP poisoning, ICMP poisoning and Smurf attacks.
• How to deploy these attacks in a controlled environment.

In addition we will discuss why and how hackers use these tools, methods of mitigating these styles of attack by hackers, and how to turn pen testing into a risk mitigation plan.

Speakers

Greg Disney-Leugers

Platform Security Engineer, Hytrust


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Open Mic - Birds of a Feather --> Cavalry

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until noon on each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade, which performed more than 2000 computer incident response and forensic...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Booth (5th Floor) NY Marriott Marquis

2:00pm EST

Javascript libraries (in)security: A showcase of reckless uses and unwitting misuses.
Client-side code is a growing part of the modern web, and the common patterns or libraries that are supposed to make developers' lives easier have the drawback of adding complexity to the code, exposing unexpected features with little or no warning.
We will focus on the most popular JavaScript libraries, such as jQuery and YUI, and on common design patterns, describing how wrong assumptions can lead to unexpected, unsafe behavior.
Several code examples and live demos during the talk will illustrate both exploitation techniques and positive coding strategies.
The presentation will also show some interesting case studies, collected and identified during two years of real-world application analysis.

Speakers
Stefano Di Paola

CTO and Co-Founder, Minded Security
Security since 2000, application security since 2004, when I made http://www.wisec.it and published several advisories. Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding MindedSecurity, Stefano...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

2:00pm EST

Revenge of the Geeks: Hacking Fantasy Sports Sites
Video of session:
https://www.youtube.com/watch?v=a7asG7rbsHo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=37

In this talk, I’ll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications, showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and are not surprisingly exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested.
In this particular application, mistakes with the application’s session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victim's account.
After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?
This presentation will:
--Provide an overview and details about each of the various formats (JSON, REST, SOAP, GWTk, and AMF) in popular use today
--Provide clear examples of basic mobile app insecurity
--Demonstrate how to set up an environment to start watching mobile traffic, including how to leverage Wifi Pineapple hardware to set up a local access point
--Demonstrate how to inject malicious characters into these services to find vulnerabilities
--Discuss what tools are available to automate this process and make it a little easier
--Show examples of real vulnerabilities in mobile apps in use today
Attendees will be given a whitepaper with the details of the complete setup demonstrated in the talk.

Speakers
Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

What You Didn't Know About XML External Entities Attacks
Video of session:
https://www.youtube.com/watch?v=eHSNT8vWLfc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=9

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.

Speakers
Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Advanced Mobile Application Code Review Techniques

Abstract:
Learn how mobile experts blend their techniques in order to accelerate code reviews. While reviewing Windows Phone 8, Hybrid or HTML5 applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.

Objectives:
• To give live demonstrations of the most common insecurities found in Windows Phone 8, HTML5 or Hybrid applications.
• To share tested and proven methods of discovering insecurities via code reviews.
• To learn how to efficiently conduct source code reviews for mobile applications.
• To develop a checklist for Mobile Code Reviews.

Outline:
An emerging trend is the use of smart phones for financial transactions. As usage of mobile devices grows, concerns about security for mobile transactions also grow. With the demand for M-Commerce and M-Banking applications rising, mobile application developers should be aware of what flaws they may inadvertently introduce.
This presentation is intended to provide an insight into coding-related flaws present in mobile applications. It is aimed at providing you with a targeted and efficient approach towards the discovery of these flaws in your mobile application code. As Windows Phone 8, HTML5 and Hybrid mobile technology are the latest popular mobile platforms or technologies, we will focus on these areas during this presentation. The content of the talk is outlined below:
• Introduction to Mobile Applications
• Threats to mobile applications
• Advantages of "Mobile Code Reviews"
• Windows Phone Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Attacks on data stored in the device
  • Malware present in the application that sends unauthorized SMSs or makes unauthorized calls
  • Incorrectly implemented application encoding and encryption
  • Tapjacking
  • Other hacks
• HTML5 Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Insecure data validation and injection-based attacks
  • Client-side data caching and storage
  • Client-side reflection-based attacks
  • Insecure network connections
  • Other hacks
• Hybrid Technology Mobile Insecurities
  • A gist of the insecurities with respective discovery techniques and solutions
• Advanced Mobile Code Reviews
  • The checklist compiled so far during the presentation
  • Handy tricks for Mobile Code Reviews
  • A quick demonstration of the discovery of vulnerabilities in a vulnerable application
• Conclusion

Speakers
sreenarayan a

Security Product Lead, Capital One
Sreenarayan is currently working as an Independent Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

3:00pm EST

OWASP Zed Attack Proxy
Video of session: https://www.youtube.com/watch?v=pYFtLA2yTR8&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=1

The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.

After giving a quick introduction for people new to ZAP, Simon will focus on the latest features, including those developed as part of the Google Summer of Code as well as Plug-n-Hack and the Zest scripting language.

Simon will also demonstrate soon to be released features that have not been seen before and are believed to be not currently possible using equivalent tools.

Speakers

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Open Mic: FERPAcolypse NOW! - Lessons Learned from an inBloom Assessment

See the description of the Open Mic format under the Wednesday 1:00pm Open Mic session.


Speakers
Mark Major

Cybersecurity Engineer, Aerstone
By day Mark works as a cybersecurity engineer at Aerstone. By nights and weekends he organizes the Boulder OWASP chapter. Mark directs the annual Front Range OWASP Conference (SnowFROC) in Denver, CO. In 2014 he took a break from SnowFROC in order to chair AppSec USA. In these roles, Mark was integral in all areas of planning, including budgeting, venue negotiation, sponsorship, vendor management, catering, speaker and volunteer coordination, scheduling, marketing, and registration. In his free time, Mark brews beer, strums guitar, picks up toys, and reads bed...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Booth (5th Floor) NY Marriott Marquis

6:00pm EST

Silk, Webservers, Exploits and RATz by M4v3r1ck

Disclaimer: If you have trigger issues -- please do not attend this talk.

Now that the statute of limitations has run out on… walk with me as I discuss the industry, the people and the events.

From warelords, to the conference that was meant to be a one-time party to say good-bye to BBSs OG. Today's web applications still provide the perfect place for logic bombs. We will talk about current news events including carderprofit.cc and the newest threat to turning a profit.

Face it.. the computer security industry is a JOKE. You will enjoy this talk.

pssssss buddy you want to buy a shell... what'ca want what'ca need?

Speakers

Yuri

sysop
Hacker for Profit


Wednesday November 20, 2013 6:00pm - 6:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

Repeat of the nightly Bug Bash; see the full description under Monday, November 18.



Moderators
Serg Belokamen

Founder and CTO, Bugcrowd, Inc., Bugcrowd
Serg is a co-founder and a CTO of Bugcrowd. Bugcrowd delivers ad-hoc, ongoing and objective-based bug bounties. Our clients can elect to engage the full crowd, or run a private bounty with just the top ranked testers. Our service lets you test web, mobile and client-side applications...

Tom Brennan

Founder, Security Architect, ProactiveRISK
Tom Brennan is a mage at Proactive Risk with two decades of hands on the keyboard building, breaking and defending data for clients worldwide. He is an alumnus of McAfee, Intel Security, SafeCode, Trustwave, WhiteHat, ADP, Datek Online and the United States Marines. As a volunteer...

Dinis Cruz

AppSec, OWASP

Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...

Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate in E-Commerce from Harvard University (Boston) and an Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE, DeepSec and Microsoft...

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the...

Wednesday November 20, 2013 8:00pm - 11:59pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis
 
Thursday, November 21
 

9:00am EST

') UNION SELECT `This_Talk` AS ('New Exploitation and Obfuscation Techniques’)%00
This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL injection. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also present the ALPHA version of an open-source framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine whether they are an adequate defense measure to stop a real cyber-attack.

Speakers
Roberto Salgado

Co-Founder and CTO, Websec
Roberto is the co-founder and CTO of Websec, an Information Security company. He was born in Harlingen, Texas in 1986, but was raised on the island of Cozumel, Mexico. At the age of 17 Roberto moved to Vancouver Island and has lived there ever since. In 2010 Roberto founded Websec...


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Open Mic: OpenStack Swift - Cloud Security

See the description of the Open Mic format under the Wednesday 1:00pm Open Mic session.



Thursday November 21, 2013 10:00am - 10:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

11:00am EST

OWASP Hackademic: a practical environment for teaching application security
Video of session:
https://www.youtube.com/watch?v=OxDDzpJLClA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=10

Teachers of application security in higher education institutions and universities face some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the established stereotypes present potential intruders as ingenious and able to penetrate almost every system.
The OWASP Hackademic Challenges Project introduces the "attacker's perspective" into higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker's perspective.
Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and the "OWASP University Challenge". In addition, we have received contributions to the project from several researchers, including the New Jersey Institute of Technology.
The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by giving them realistic, hands-on experience with some real-world vulnerabilities.
In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and, more importantly, security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features, mainly for teachers and administrators. Moreover, as the project is still under development, we expect a number of new features to be ready by the conference dates. For example, we are expanding the use cases of Hackademic so that it can be used in a corporate environment to train, assess or raise awareness among employees.
Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system that takes into account various parameters in order to capture how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try, so it is much more difficult for students to cheat.
A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.

Speakers

Konstantinos Papapanagiotou, Spyros Gasteratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.


Thursday November 21, 2013 11:00am - 11:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

Open Mic: What Makes OWASP Japan Special

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec-related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may host 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until noon each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers

Riotaro OKADA

Founder, Executive Director, Asterisk Research, Inc.
Future and risk researcher. OWASP Japan chapter leader @okdt http://www.facebook.com/riotaro.okada.pv http://www.linkedin.com/in/riotaro
Researcher. Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He...


Thursday November 21, 2013 12:00pm - 12:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

1:00pm EST

Hack.me: a new way to learn web application security
Video of session:
https://www.youtube.com/watch?v=hbd_QBJJLhw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=38

The Hack.me (https://hack.me) project is a worldwide, free-for-all platform on which to build, host and share simple and complex vulnerable web applications. It's completely online and doesn't require any software to be installed, just a web browser.
Users will be able to run and practice offensive techniques against ever-new vulnerable web applications provided by the community. Users will be able to practice the OWASP Top 10, test CMS vulnerabilities and verify the latest exploits. The vulnerable web applications, referred to as hackmes, run in a sandboxed and user-isolated environment provided by the Coliseum Framework.
We will show a typical use of the platform and some of the challenges, both technical and legal, faced by the project.

Speakers

Armando Romeo

eLearnSecurity
I'm the founder of eLearnSecurity and Hack.me. Passionate about anything web application security related. Connect with me on LinkedIn. If you are interested in trying one of our web app security training courses click here...


Thursday November 21, 2013 1:00pm - 1:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Hacking Web Server Apps for iOS
Video of session:
https://www.youtube.com/watch?v=1oCRagEk31A&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=21

Since the iPhone was released, people have been trying to figure out different ways to turn it into a common data storage device. Many applications have been released in the iTunes Store in order to add this capability, some using USB transport (via iTunes), others Bluetooth.
However, another way found by most of these software vendors is to share the disk space on the phone using not only Wi-Fi but also the cellular data connection (GSM/CDMA), all by implementing a simple web server with a file upload feature.
Web file servers are now very common applications in the iTunes Store, with both free and paid versions that satisfy users' need to "share" the phone as a file storage unit using (... yes) the HTTP protocol.
Most (if not all) of these applications are not well designed and usually have poor features. Yet these apps are still very popular among users who have no intention of jailbreaking their reliable mobile devices but really want file sharing capabilities.
As previously mentioned, these apps are mainly developed using just HTML (which also brings some limitations to our testing), with no encryption (SSL) and mostly no authentication (and those that support it have it turned off by default??).
This research covers the applications described above, both free and paid versions: how they work and what problems they bring to non-jailbroken devices. On top of describing the flaws, there will be a live demo of how risky these apps are.
Despite not being the highlight of the talk, it will also be demonstrated how much worse things can be on jailbroken devices, once the sandbox security feature is lost.
This talk will present currently unpatched vulnerabilities that were found while researching these applications, ranging from medium to critical risk, and it will be shown how these vulnerabilities can be exploited to compromise the phone's file system with practical attacks.

From a basic reflected XSS to an optimistic scenario, RCE, when the device is jailbroken and also has another app to support it (a web server with a dynamic language, for example), some of these exploitations will be presented to the public.

And all of the issues previously discussed can be magnified, since the service (web server) is automatically advertised to (and/or responds to) mDNS queries, making the device running that app an easy target for anyone on the same wireless network who is watching these packets or simply running an mDNS browser.

Speakers

Bruno

Senior Security Consultant, Trustwave SpiderLabs
Bruno Gonçalves de Oliveira is an MSc candidate, computer engineer and senior security consultant at Trustwave's SpiderLabs, where his duties are mostly focused on offensive security, doing hundreds of penetration tests from common systems and environments to embedded and uncommon...


Thursday November 21, 2013 1:00pm - 1:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Buried by time, dust and BeEF
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL injection and time delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer a 0 or 1 bit depending on whether the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not, through a hooked browser, if you can inject a time delay and monitor the response timing. This works flawlessly in cross-domain situations; you don't need a 0day or a particular SOP bypass to do this, and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both Internet-facing targets and applications available on the intranet of the hooked browser.
The talk will finish by discussing the implications of such an approach in terms of incident response and forensics, showing evidence of a very small footprint.

Speakers

Michele Orru

Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is one of the authors of the Browser Hacker's Handbook, which will be out by late...


Thursday November 21, 2013 2:00pm - 2:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

HTTP Time Bandit
Video of session:
https://www.youtube.com/watch?v=jFNnI1DDSaE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=35


While web applications have become richer to provide a higher-level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners and potential attackers the chance to be more efficient in performance tuning or attack.
We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and normalization performed on the gathered data, and then further testing based on those results, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools.
The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for interested researchers to play with.

Speakers

Vaagn Toukharian

Senior Software Engineer, Qualys
Has been involved in the security industry since 1999. Experience includes work on certification authority systems, encryption devices, large CAD systems and web scanners. Interests outside of work include photography and Ironman triathlons.


Thursday November 21, 2013 3:00pm - 3:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Wassup MOM? Owning the Message Oriented Middleware
Audio of session:
https://www.youtube.com/watch?v=09uc435FEWY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=29

Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications.
This research analyzes enterprise messaging security from three different perspectives:
1. The first perspective derives from the fact that most enterprise messaging products support the vendor-agnostic Java Message Service (JMS) API, and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
2. The second perspective revolves around a JMS-compliant message broker (or MOM), as message brokers form the core of enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support the JMS API. I will discuss a few ActiveMQ 0-day vulnerabilities, potential flaws in its various authentication schemes and the configuration defaults that can make it vulnerable to attacks.
3. The third perspective focuses on a new tool, JMSDigger, that can be leveraged to engage and assess enterprise messaging applications. Several live demonstrations will show attacks such as authentication bypass and JMS destination dumps, the 0-day vulnerabilities, and JMSDigger itself.

Speakers

Gursev Singh Kalra

Senior Principal, Foundstone Professional Services, McAfee
Gursev Singh Kalra serves as a Senior Principal with Foundstone Professional Services, a division of McAfee. Gursev has authored several security-related whitepapers and his research has been voted among the top ten web hacks for 2011 and 2012. He loves to code and he has authored...


Thursday November 21, 2013 3:00pm - 3:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

3:30pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending AppSec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers

Tom Brennan

Founder, Security Architect, ProactiveRISK
Tom Brennan is a mage at Proactive Risk with two decades of hands on the keyboard building, breaking and defending data for clients worldwide. He is an alumnus of McAfee, Intel Security, SafeCode, Trustwave, WhiteHat, ADP, Datek Online and the United States Marines. As a volunteer...

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...

Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...

Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement...


Thursday November 21, 2013 3:30pm - 4:00pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis