The holidays are gone, kids are back to school. For the security landscape, it means that security meetings are also back! The first OWASP Belgium Chapter was organised tonight. Here is my quick wrap-up.
This time the meeting started in the afternoon with a technical workshop organised by SPION. Due to agenda conflicts, I did not attend this one. I joined the meeting for the second part organised in a classic format: after a brief introduction with news about the Chapter and the OWASP foundation in general, two speakers came to present their research.
- Should websites trust remote providers?
- Can we safely execute their code?
- What’s the quality of their maintenance?
Then, again based on the findings, some weirdness:
- Cross-user scripting (ex: http://localhost/script.js)
- Cross-network scripting (ex: http://192.168.2.1/script.js)
- Stale IP-based remote inclusions
- Stale domain-based remote inclusions
- Typo-squatting XSS
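As an added illustration (not code from the talk or this post), a small Python check that sorts the script sources of a page into the categories listed above, so you can audit your own pages for cross-user, cross-network or IP-based includes; the HTML sample and its hostnames are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample page with one include of each kind discussed above.
SAMPLE_HTML = """
<script src="https://cdn.example-provider.invalid/lib.js"></script>
<script src="http://localhost/script.js"></script>
<script src="http://192.168.2.1/script.js"></script>
<script src="http://1.2.3.4/tracker.js"></script>
<script src="/static/app.js"></script>
"""

# Crude extractor for src attributes of <script> tags (enough for an audit pass).
SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def classify_script_src(src):
    """Label one script src according to where it would resolve for the visitor."""
    host = urlparse(src).hostname
    if not host:
        return "local"            # relative path: same origin as the page
    if host == "localhost":
        return "cross-user"       # resolves to the visitor's own machine
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "remote-domain"    # name-based include: check ownership and typos
    if addr.is_loopback:
        return "cross-user"
    if addr.is_private or addr.is_link_local:
        return "cross-network"    # resolves inside the visitor's LAN
    return "remote-ip"            # literal public IP: goes stale when reassigned


def audit_html(html):
    """Map every script src found in html to its classification."""
    return {src: classify_script_src(src) for src in SRC_RE.findall(html)}


if __name__ == "__main__":
    for src, label in audit_html(SAMPLE_HTML).items():
        print(f"{label:14} {src}")
```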
- Executing the remote scripts in a sandbox (not always easy).
- Download the script locally.
- robtex.com (with a good domain visualisation feature)
- Google advanced searches (intitle:, inurl:, filetype:, etc)
- Google Hacking DB
- Search engine optimisation tools (can crawl target websites for you)
Most of them are classic ones. But that was a good reminder or a good way to populate your bookmarks! That was a good meeting to start the new season!