This afternoon, the OWASP Belgian Chapter organized its annual Benelux Day in Leuven. The event started round 12:30 with a great initiative: a workshop based on WebGoat.
This is an OWASP project which maintains an insecure web application (based on Tomcat) used to teach web security. The proposed lessons cover all the classic vulnerabilities found in websites. Some of them are quite easy but others are much more complex. That was challenging! If you are interested, download a free copy of the OWASP LiveCD.
After a short coffee break, the presentations started. The first of them were very business oriented. Migchiel de Jong, from Fortify Software, presented and explained the differences between the available approaches to perform a security assessment. The three basic approaches are: Ethical hacking (hiring an expert), automate hacking (black box) or analyzing the software (static & dynamic analysis). Migchiel explained the benefits of “hybrid” approach (black & white combined) and concluded with a demo of the Fortify 360 product.
Eoin Shall spoke about “Secure Development”. Some vulnerabilities like XSS were discovered years ago (XSS in 1996!) but are still widely used today why? Websites are still vulnerable! And applications are not properly tested: Negative Testing is still not commonplace within the SDLC but ironically easy to do! It’s important to define the application perimeter (which is the border router, a web application firewall or a login page?) and how to fix the application using secure software development, application security testing (manual as automated) and code review (manual as automated). Eoin talked about the philosophy of secure development and, of course, the famous SDLC (“Software Development Life Cycle”).
After a break, Bart Preneel presented some slides about SHA-3 or “The quest for long-term security in cryptographic hashing”. Everybody is aware of the collision issues which targeted the MD5 & SHA-1 algorithms. That’s why the SHA-3 competition was launched by NIST. According to other people in the audience (who were much more aware than me), it was a great talk. Honestly, too much formulas for my brain at the end of the day.
Noa Bar-Yosef, from Imperva, spoke about “Business Logic Attacks” (BLAs). This was a great talk! As opposed to “classic” technical attacks, BLAs use normal requests and legitimate input values. They abuse functionalities, they directly target the business of the target often using multiple requests. But as technical attack they are illegal! “Business Logic Bots” (BLBs) are developed and used for the following type of attacks: brute force, DoS, web spam or click fraud. Hardcore robotics are used for queue jumping (in ticketing systems as example), for auctions sniping (to place a bid as close as possible of the auction end) or for poll skewing (to produce erroneous statistics). There exist also gaming bots and information harvesting bots.
What are the solutions? Detection is based on basic tools like black lists, user agents, patterns or request structure (missing headers). Proactive detection is performed via techniques which add extra content in the response or via positive/negative detection (CAPTCHAs are a good example). The detection may also occur via frequency management or flow (example: the bot will bypass some steps in the scenario).
How to mitigate? Trying to defuse the effects (slow down a brute force, reduce rate of DDoS, enforce a flow). Via blacklists, by dropping some requests or throttling (1″ delay is enormous for an automated attack but for not users). Used tools are very complex and require a lot of maintenance and fine-tuning!
The next speaker was Colin Watson. He explained how the compliance requirements can affect the security of a web application. Compliance requirements must be addressed asap in the SDLC. He presented the WCAG (“Web Content Accessibility Guidelines) 2.0 and demonstrated how the accessibility of a website can introduce security issues: re-authentication, sessions management, timeouts, etc could lead to vulnerabilities. A good balance is required between security and accessibility.
After a last cup of coffee, Seba (from the OWASP Belgian Chapter) presented the new version of the well-known OWASP Top-10 project. What changed? The new version speaks about “risks” instead of “vulnerabilities” (2 were added, 2 were dropped):
- Added: security misconfiguration, unvalidated redirects and forwards.
- Removed: malicious file execution, information leakage and improper error handling.
Seba reviewed all the security issues and gave some tips to mitigate them. The document is a must for all the web developers who should know it by heart like the multiplication tables for our children!
And, last but not least, Sandro gave a status of his research about Web Application Firewalls: how to detect, bypass and exploit most of the WAF’s used on the Internet. Like an operating system, a WAF can be detected by analyzing the response sent to the browser (headers rewriting, cookies or response codes). Once you know your enemy, it’s easier to try to bypass it via multiple evasion techniques. I recommend you to have a look at the waffit project maintained by Sandro.
It was a nice event with, as usual, lot of social networking. The security landscape is quite small in Belgium. There was also lot of people coming from the Netherlands, Luxembourg and Germany.
The presentations are now online on http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2009
regards
Seba