Vokiel.com

source: 2010.confidence.org.pl

On the 25-26.05 2010 in Krakow CONFidence ¹ conference took place, in which I had the pleasure to participate. It was the eighth time (since 2005) the conference took place. It brings together lead the world-class professionals. During this two-day meeting there were many presentations describing new and previously disclosed results. CONFidence is not just a conference, is also a professional workshop, discussion panels, competitions, and Fight Club, Hackers Charity for Roulette, CONFidence Breaking Speed and many others.

Conference topics covered many aspects of security, including security of web applications, as in the rest of the entry.

The word of introduction

source: www.krakow.come2europe.eu

At the beginning, I would like to note that the preparation for the conference was at very high level. The service, location (Kiev Cinema), facilities, and most of all, the speakers.

The historic buildings of Krakow, a multitude of pubs located in the basements (ingenious Społem Pub), competitions based on taking further and further pubs has created an interesting mix.

Generally I have a very positive impressions. Let’s go back to the topic – security.

Agenda

The conference gathered over 30 experts. Distributing this group just for two days of the conference has led to necessity of creation two parallel blocks. Unfortunately, I had to choose which presentations to go, and which bypass. Full agenda is available at CONFidence – Agenda ²

Selected presentations, I would like to mention about

1. Anonymity, Privacy, and Circumvention with Tor in the Real World – Jacob Appelbaum
2. Security Sucks – Eddie Schwartz
3. Well known vulnerabilities in human brain and behavior – common admin mistakes – Wojciech Bojdol
4. Dan Kaminsky
5. The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI – Mario Heiderich

Above I’m presenting a list of only those selected, complementary to the topics of the blog. Of course, there were more interesting presentations on the conference, like: “You can’t stop us: latest trends on exploit techniques” – Alexey Sintsov. Or “Mobile attacks and preventions – how security will change the mobile market” – Tam Hanna

Presentations

Anonymity, Privacy, and Circumvention with Tor in the Real World – Jacob Appelbaum ³

The topic for this speech is not closely related to the blog topic, but it is worth a mention. TOR is a project and an open network, which is used against censorship, gives people around the world access to the not filtered by governments content. Helps protect users from network surveillance that threatens privacy, confidential business and personal communication. Unfortunately, by many people it’s often associated to habitat for evil, to pedophilia. Perhaps due to a few speeches of politicians who are not familiar with the topic.

From the web developer perspective, visitors who use the Tor cause difficulties in collecting statistics of their visits. Most of the statistics that describe the source of traffic will be mendacious. If on top of that, users will use specially prepared browsers, traking them would be impossible or collected statistics be mendacious.

Security Sucks – Eddie Schwartz ⁴

Excellent presentation, probably not related to designing web applications at all. It was focused on the systems security, networks security. The way of presentation of the subject and the author himself (Eddie Schwartz is the principal officer safety in the NetWitness and has 25 years experience in the field of information security and privacy), have made a great impression on me.

Well known vulnerabilities in human brain and behavior – common admin mistakes – Wojciech Bojdol ⁵

The presentation gives a little different look – psychological. Topic quite interesting, things about which most do not even think. At the presentation were presented errors resulting from defects in human perception, ignoring unfavorable information, no release of information contrary to our view, memory illusions, the illusion of infallibility. In my opinion, noteworthy issues, not only from the standpoint of security systems, networks. Developers also sometimes think they are infallible, that if have 5 years experience preferably knows how to solve the problem, do not seem to see signs of problems, errors. This is later reflected in the quality of the result code, whether desktop applications, or web.

Dan Kaminsky ⁶

Dan Kaminsky is a known biggie in security field. I must admit that in addition to knowledge he has also a very interesting personality. His speech touched the topics of creating secure web applications. Much time was spend the SQL-Injection topic, but the other way, than generally accepted point of view. Dan has focused on preparation of such tools so developers can easily use them. As he noticed at the beginning, most of the bugs occurs because developers are lazy. For example, although there is the PDO bind parameters so many programmers will directly substitute variables for their query.

$query = "SELECT * FROM `TABLE` WHERE `FILED` like $field OR `FIELD2` like $field2";

The code above is more convenient to use, than this below. In addition it contains only one line, not three.

$stmt = $this->_db->prepare("SELECT * FROM `TABLE` WHERE `FIELD` like :field OR `FIELD2` like :field2");
$stmt->bindParam(':field', $field, PDO::PARAM_STR);
$stmt->bindParam(':field2', $field2, PDO::PARAM_STR);

Therefore, he propose such tools developing that will ensure that developers will create applications for them in the quickest manner, and that they will be safe.

The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI – Mario Heiderich ⁷

In mine opinion the best speech (fore a web developer) from all the conference. Mario Heiderich is a freelance security consultant and trainer living in Cologne and working for a wide array of German and international companies. In his free time Mario likes to spend a lot of quality time with the Firebug console window. Range of raised issues is very wide, introduction to articulate presentation follows:

1. What happened to web application security?
2. XSS, SQL Injections, Auth and path traversal
3. We have amazing things now! NoScript, the IE8 and Chromium XSS filter and CSP
4. Users must be safer than ever!
5. Wasn’t there HTML5 and next generation browsers?

Mario has presented a lot of different vulnerabilities, unfortunately, to protection against the majority of them is possible only by disabling at all JavaScript. Of course, in the present time, such a radical step will bring up the difficulties in using web applications, some of them completely immobilize. Therefore, remains for us to wait for updates browsers. It is up to manufacturers of such engines is to write, that should prevent such attacks possible to occur.

For example, for people with a browser and firebug installed (or other js console) I recommend testing several of the following pieces of code

top[(Number.MAX_VALUE/45268).toString(36).slice(15,19)]((Number.MAX_VALUE/99808).toString(36).slice(71,76)+'("XSS")')

ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](Ó+ω()[Ḃ+Ṫ+Ó+Á]('Á«)'))

This code is madness! Check demo on Mario’s page: http://heideri.ch/jso/what??? (works only in IE)

1;--<?f><l￦:!!:x\
/style=`b&#x5c;65h\0061vIo\r/ĸ
:url(#def&#x61ult#time2)\ö/';'`￦/onb
egin=
&#x5bμ=\u00&#054;1le&#114t&#40&#x31)&#
x5d&#x2f/&#xyŧ\>

Or presented XSSQLI attack (XSS attack through SQL Injection)

SELECT UpdateXML(concat( 0x3c,'script',0x3e,'alert(1)',0x3c,'/script',0x3e),'/x', 0);

Bigger report from Mario presentation will be shown in next post.

Źródła

1. CONFidence [↩]
2. CONFidence 2010 – Agenda [↩]
3. Jacob Appelbaum – CONFidence 2010 [↩]
4. Eddie Schwartz – CONFidence 2010 [↩]
5. Wojciech Bojdol – CONFidence 2010 [↩]
6. Dan Kaminsky – CONFidence 2010 [↩]
7. Mario Heiderich – CONFidence 2010 [↩]