2016/11/25

OWASP Benelux 2016, Conference day

slides: https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2016-2#tab=Conferenceday

Securing Android Applications

Dario Incalza
apk: http://image.slidesharecdn.com/english-final-140610053432-phpapp02/95/android-applications-in-the-cruel-world-how-to-save-them-from-threats-6-638.jpg?cb=1402390537
tools:
recommendations

The State of Security of WordPress (plugins)

Yorick Koster
wordpress: blogging software with CMS features

Securing AngularJS Applications

Sebastian Lekies
AngularJS
  • "declarative templating"
  • contextual auto-escaping: output is escaped according to the context it lands in (html, url, resource_url)
    • managed by the $sceProvider (Strict Contextual Escaping)
    • URL sanitization for href/src: $compileProvider (aHrefSanitizationWhitelist / imgSrcSanitizationWhitelist)
    • auto-encoding
    • resource URL validation: $sceDelegateProvider resourceUrlWhitelist / resourceUrlBlacklist
  • html sanitizer ($sanitize from the ngSanitize module): removes script and other unsafe markup
security pitfalls
  • do not generate templates based on user input (user input inside a template is code, not data)
  • do not write user input into the DOM before AngularJS has compiled it -- careful when mixing in other libraries or server-side templating
  • inserting HTML in the DOM
    • ng-bind-html with $sce.trustAsHtml() -- sanitization is disabled! -- use ng-bind-html with ngSanitize instead
    • DIY escapeForHtml() call -- managing escaping on your own is dangerous: AngularJS already escapes / sanitizes the input for you
    • do not insert HTML via jqLite / jQuery (.html(), .append()): this bypasses the contextual escaping
  • white/blacklisting resource URLs
    • wildcards in schemes (e.g. *://): other schemes match too
    • wildcards in domains: ** also matches "/", so the domain name can be replaced and the expected host name moved into the path
    • wildcards in top-level domains: replace the TLD with your own domain (my.evil.com)
    • regexps: easy to get wrong (unescaped ".", no "/" after the host)
    • conclusion: ONLY whitelist specific URLs, do NOT use regexps / wildcards
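Added example, not from the talk and not AngularJS's own code: a stand-alone re-implementation of the matcher semantics documented for resourceUrlWhitelist (a string is literal except that * matches any run of characters other than : / . ? & ; and ** matches anything at all; a RegExp is matched against the whole URL), run in Node against constructed attacker URLs for each pitfall above. The pattern names, example.com and the evil.com host are placeholders.

```javascript
// Re-implementation of the documented whitelist semantics (NOT AngularJS code),
// used to show why the wildcard and RegExp entries from the talk are bypassable.
function escapeForRegexp(s) {
  return s.replace(/[-()\[\]{}+?*.$^|,:#<!\\]/g, '\\$&');
}

function compileMatcher(matcher) {
  if (matcher instanceof RegExp) {
    // RegExp entries are anchored at both ends and matched against the whole URL.
    return new RegExp('^' + matcher.source + '$');
  }
  if (matcher.indexOf('***') !== -1) {
    throw new Error("'***' is not a valid wildcard: " + matcher);
  }
  const source = escapeForRegexp(matcher)
    .replace(/\\\*\\\*/g, '.*')         // '**' -> anything, including '/'
    .replace(/\\\*/g, '[^:/.?&;]*');    // '*'  -> one host label or path segment
  return new RegExp('^' + source + '$');
}

function isResourceUrlAllowed(whitelist, url) {
  return whitelist.some((m) => compileMatcher(m).test(url));
}

// Whitelist entries written the way the talk warns against, plus one exact URL.
const PATTERNS = {
  schemeWildcard: '*://example.com/**',           // wildcard in the scheme
  domainWildcard: 'https://**.example.com/**',    // '**' in the domain
  tldWildcard:    'https://example.**',           // wildcard in the top-level domain
  looseRegexp:    /https:\/\/example\.com.*/,     // RegExp without '/' after the host
  exactUrl:       'https://example.com/app.js',   // what the talk recommends
};

// Constructed attacker URLs (hypothetical; evil.com stands in for an attacker host).
const ATTACKER_URLS = {
  scheme: 'javascript://example.com/%0aalert(document.cookie)',
  domain: 'https://evil.com/?ignore=.example.com/app.js',   // '**' swallows the '/'
  tld:    'https://example.evil.com/app.js',
  regexp: 'https://example.com.evil.com/app.js',
};

// For every pattern, the names of the attacker URLs that get through.
function bypassMatrix() {
  const matrix = {};
  for (const [name, pattern] of Object.entries(PATTERNS)) {
    matrix[name] = Object.entries(ATTACKER_URLS)
      .filter(([, url]) => isResourceUrlAllowed([pattern], url))
      .map(([attack]) => attack);
  }
  return matrix;
}

console.log(bypassMatrix());
```

Only the exact URL rejects all four attacker URLs; the single-`*` form (`https://*.example.com/**`) does stop the `**` domain trick because `*` cannot cross a `/`, but the talk's conclusion stands: whitelist exact URLs.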

Compression Bombs Strike Back

Giancarlo Pellegrino
Compression
  • main lossless algorithm: deflate (zlib, gzip, ...)
  • protocols with compression: IMAP, XMPP, SSH, HTTP:
    • request: Accept-Encoding: deflate, gzip
    • response: Content-Encoding: gzip etc.
issues
  • DoS: decompression is "computationally intensive"
  • data amplification
  • asymmetry client/server (the sender compresses once and caches the compressed file, the receiver has to decompress every time)
old issues
  • zip bombs: 42 kB -> 4.5 PB unzipped (1996)
  • XML bombs ("billion laughs"): recursive entity expansion (2003)
present
attention points
  • authenticate first, decompress afterwards (do not inflate data from unauthenticated peers)
  • input validation on size: check the decompression ratio and limit the size of the decompressed message
  • correctly chain the decoding steps and interpret the payload
  • loggers: resource exhaustion (e.g. when the message is decompressed before it is logged)
  • the size field in the zip header can differ from the actual zipped content: do not trust it
https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/pellegrino

Zap it !

Zakaria Rachid
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
use cases
  • simple scanning
  • automatic security integration tests
    docker pull owasp/zap2docker-weekly
    docker run owasp/zap2docker-weekly zap-baseline.py -t http://target
    
  • security plugin
  • zap api

Stealing Secrets through Browser-based Side-channel Attacks

Tom Van Goethem
  • compression: guess the secret char by char and check whether the guess changes the response size (a correct guess compresses better)
    • needs gzip + attacker-controlled input reflected in the same response (BREACH-style), or a MITM
  • finding out the size of a cross-origin response:
    • Cache API: stores authenticated cross-origin responses
      • quota restrictions: from the remaining quota the response size of the other site can be calculated
      • getEstimate(): exact quota
      • but: the size is measured after decompression
    • TCP window: a response larger than the window needs an extra round trip
      • measure the number of round trips (timing) to learn the size
protection
  • no compression at all, but that costs bandwidth
  • do not compress secrets (keep them out of compressed responses)
  • SameSite cookies
  • no third-party cookies

Handling of Security Requirements in Software Development Lifecycle

Daniel Kefer
demo

Closing Keynote: The Future of Security

Bart Preneel

trends
  • big data / analysis
    • visibility
    • mass surveillance
  • privacy as a security property
  • privacy by design:
    • "General Data Protection Regulation" GDPR
  • cryptowars continue
  • offense wins over defence (0-days)
recommendations
  • avoid single point of failure / trust
  • future
    • future of internet: simple but secure
    • small local data instead of centralised
    • distributed solutions (e.g. Bitcoin)
    • big data --> encrypted data
    • open source solutions