Conference Program - OWASP AppSec USA 2011


Web Application Security Payloads
Andrés Riancho

Web Application Payloads are the evolution of old school system call payloads which are used in memory corruption exploits since the 70's. The basic problem solved by any payload is pretty simple: "I have access, what now?". In memory corruption exploits it's pretty easy to perform any specific task because after successful exploitation the attacker is able to control the CPU / memory and execute arbitrary system calls in order to create a new user or run an arbitrary command; but in the Web Application field, the attacker is restricted to the "system calls" that the vulnerable Web Application exposes:

• Local File Read - read()
• OS Commanding - exec()
• SQL Injection - read(), write() and possibly exec()

Web Application Payloads are small pieces of code that are run in the attacker's box, and then translated by the Web application exploit to a combination of GET and POST requests to be sent to the remote web-server.

This talk will introduce attendees to the subject and show a working implementation of Web Application Payloads that uses the "system calls" exposed by vulnerable Web Applications to collect information from, and gain access to, the remote Web server.

Our greatest achievement regarding web application payloads is the possibility of automatically downloading the remote application's source code, statically analyzing it to identify more vulnerabilities, and exploiting those new vulnerabilities to keep escalating privileges in the remote system.

When Zombies Attack - a Tracking Love Story
Ashkan Soltani, Gerrit Padgham

Online privacy and behavioral profiling are of growing concern among both consumers and government regulators. Consumers use the web for a variety of business and personal activities, including things that they would prefer to keep private. Mobile devices introduce additional concerns as, typically, they are carried with us nearly everywhere we go. The "always on" nature of these systems closely mirrors the activity of their owners, thereby revealing a historical trail of online and offline activities to multiple unknown third parties.

In this talk, we will present the current state of online tracking and highlight current practices such as "cookie respawning" and non-cookie based tracking that popular websites and mobile applications engage in. We will discuss theories on why the platforms we use do not adequately protect users from these threats and highlight the proposed solutions, such as additional transparency tools and Do-Not-Track, that are intended to help mitigate these issues. We will also demonstrate MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we will discuss open questions surrounding the ability to adequately assess risk, drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

Why do developers make these dangerous software errors?
Michelle Moss, Nadya Bartol

According to the US Computer Emergency Readiness Team (US-CERT), most successful cyber-attacks result from targeting and exploiting software vulnerabilities, a significant number of which are introduced during software design, development, and sustainment phases of the lifecycle. Today's software modules and hardware components are created and assembled globally, and delivered physically and/or virtually. Unfortunately, many organizations do not understand the likelihood of a software vulnerability being exploited and the impact it could have on the organization's critical functions or business relationships. As a result, it is more challenging for security professionals to ensure the integrity, confidentiality, and availability of high-value data crucial to mission and business functions.

It is understandable that IT security organizations struggle to justify funding, assign responsibility, and measure progress for application security. This presentation will provide insight to engage appropriate stakeholders to address the technical, management, and operational aspects of incorporating software assurance into the IT lifecycle.

You're Not Done (Yet) – Turning Securable Apps into Secure Installations using SCAP
Charles Schmidt

Secure software engineering practices get a great deal of attention today and deservedly so – they form a foundation without which effective security becomes impossible. However, this is not the end of a developer's part in supporting application security. Even the best software development methodology will only be able to make application security a possibility. To have a truly secure application, the end user or sysadmin must install and configure it and its dependencies correctly. Doing this requires that good security configuration practices be conveyed from the application developer to the end user in a format the user can utilize. While often neglected, this aspect of application security is what turns security theater into practical security that has a real benefit
