AppSec Europe 2016 has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Breaker [clear filter]
Thursday, June 30


Compression Bombs Strike Back
Network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems.

While this may now seem an old, unsophisticated, and easily avoidable threat,we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked. 

In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our recent results. We will present the current use of data compression in several popular protocol and network services, and 12 common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

avatar for Giancarlo Pellegrino

Giancarlo Pellegrino

Researcher, Saarland University
Giancarlo Pellegrino, is a post doctoral researcher of the System Security group at CISPA, Saarland University, in Germany. His main research interests include all aspects of web application security in particular security testing (black and white-box) and vulnerability analysis... Read More →

Thursday June 30, 2016 12:25 - 13:10
Room C (Tiziano Ballroom Sec. 2)


Scanning with swagger: Using the Open API specification to find first and second order vulnerabilities in RESTful APIs
APIs support the complex web of interconnected things that exist today, yet they have also created significant challenges for security teams. Nearly every interconnected application has an API-based approach. These APIs are inherently vulnerable to most of the same potential vulnerabilities that applications face. As security teams scramble to figure out ways to get their arms around the risks that exists in their organizations’ APIs, these APIs are going completely untested, leaving vulnerabilities undiscovered.  Fortunately, several recent innovations, like the Open API Specification (formerly known as Swagger), are enabling effective API security testing at the largest attack surface. 

But how? Every user interface comes with known and unknown sets of local vulnerabilities because it communicates with local and remote service APIs. Similarly, every API is also potentially vulnerable to local and remote first order vulnerabilities. These can be observed via request and response; for example a crafted series of GET requests performing blind SQL Injection analysis can be considered a first order vulnerability. Additionally, services that support the function of the API, whether during the time of the request, or queued for latter computation, are considered a second order attack; an example of this could be  a data collection endpoint that consumes JSON, passes this payload to a Kafka broker, which in turn is consumed by a cluster service in Hadoop or Spark.  These payloads queue up into architecture that analyse and augment the data.  Injection and serialization vulnerabilities introduced in this manner are considered second order blind vulnerabilities. 

The Open API Specification is a relative newcomer in the history of  web service interface documentation.  It stands apart from its predecessors by not tying itself to a specific vendor technology, and aims to embrace all forms of RESTful HTTP.  Leveraging this powerful specification for automated scanning of APIs will save time by providing a straightforward mechanism to evaluate APIs without having to proxy traffic or manually build attack vectors. 
Join this presentation as Scott demonstrates novel approaches to using the Open API specification (formerly Swagger) to exhaustively scan API’s for first and second order vulnerabilities, and demonstrate the severity of findings left unfixed. 
Participants will learn: 
• Why APIs are serious challenges for security experts 
• How first and second order vulnerabilities can be left hidden in your APIs and micro services 
• How you can begin to understand, define and test your APIs in a structured manner 
• The latest techniques in API security testing 

avatar for Scott Davis

Scott Davis

Application Security Researcher , Rapid7
Scott has been developing software professionally for over 15 years in a variety of contexts and technologies including wireless sensor networks, robotics, migration modeling & visualization, ERP, interactive projection art, product development and security services. Scott has spent... Read More →

Thursday June 30, 2016 14:10 - 14:55
Room C (Tiziano Ballroom Sec. 2)


Making CSP great again!
Content Security Policy (CSP) is a defense-in-depth mechanism to restrict resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers, and it already is at its third iteration - yet, adoption in the web is struggling.

In this presentation we will highlight the major roadblocks that make CSP deployment difficult, common mistakes, talk about what works and what doesn't in different browsers, show how easy it is to defeat the whitelist-based model with some juicy bypasses, for example thanks to JSONP endpoints, by abusing a CDN and loading outdated versions of AngularJS.

Finally, we present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.

We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what are the common mistakes to avoid, and as an attacker you will get resources and pointers on how well is CSP keeping up with modern web technologies, and how to break it. 
Fun is guaranteed!

avatar for Michele Spagnuolo

Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.
avatar for Lukas Weichselbaum

Lukas Weichselbaum

Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences.He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide... Read More →

Thursday June 30, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)


The Timing Attacks They Are a-Changin'
An interesting class of attacks is one where an adversary tries to obtain secret information not by directly abusing a programming flaw, but rather by inferring the secret from certain side-effects of applications. These so-called side-channel attacks originate from the world of cryptography, where side-effects such as power consumption or electromagnetic radiation are shown to sometimes leak information about a secret key. Interestingly, these attacks are not just limited to cryptosystems, but can be applied in the context of the web as well. However, the side-effects that can be observed in the context of the web, are often substantially different from what can be observed in cryptosystems. For instance, it can be generally assumed that an adversary does not have physical access to targeted machine, making attacks such as power-analysis, acoustic cryptanalysis and electromagnetic attacks impossible. 

Nevertheless, a side-effect that can be observed, and may leak private data, is timing information. By measuring the time required to perform certain actions, attackers can leverage this information to extract information that should be kept private. Although timing attacks in the web have been discovered well over a decade ago, they have received relatively little attention. The most probable reason for that is that these classic timing attacks may be quite unreliable as the timing measurements fully depend on the condition of the victim's network connection. This means that any network irregularity, or variation in latency at the side of the victim may prevent an attacker from learning any personal information using timing attacks. 

In our research, we explored methods that can be used by adversaries to perform timing attacks that are not limited to the restrictions of these classic timing attacks. More concretely, we found that various browser features expose sensitive timing information related to the size of resources when these are parsed. Furthermore, since the size of certain resources often reflect the state of the user, this new class of timing attacks allows adversaries to rapidly obtain information on a victim's state at numerous websites. Because the timing measurement starts _after_ a resource has been downloaded, the measurement is no longer influenced by network irregularities, resulting in a significantly improved performance. 

To evaluate the gravity of this new class of timing attacks, we evaluated several popular web services for the presence of timing attacks, as well as their ramifications. We found that an adversary can easily discover the personal interests, search history, and demographics (age, geographical location, gender, ...) of any unwitting victim within a few seconds. In our evaluation, we describe various attack scenarios where adversaries can leverage timing information on resources provided by some of the most popular websites to obtain this personal information from any user visiting an attacker-controlled web page. 

Finally, motivated by the severe consequences of these new timing attacks, we explored possible mitigations. We point out that countermeasures can be applied either on the side of the client, or that of the server. Unfortunately, the presence of the timing side-channels in browsers is inherent to their design, i.e. browsers are designed to process resources as soon as possible, and trigger an event to notify the completion. As a result, eradicating timing attacks at the browser-level would most likely require a drastic redesign of the browser architecture, which is unlikely to happen in the near future. Alternatively, mitigating timing attacks on the server side is currently a more viable option. By making the observation that, in essence, timing attacks are strongly related to cross-site request forgery (CSRF) attacks, one can prevent them in a similar fashion.

avatar for Tom Van Goethem

Tom Van Goethem

imec-DistriNet - KU Leuven
Tom Van Goethem is a PhD student at the University of Leuven with a keen interest in web security and privacy. In his research, Tom likes performing large-scale security experiments, whether to analyze the presence of good and bad practices on the web, or to demystify security claims... Read More →

Thursday June 30, 2016 15:00 - 15:45
Room C (Tiziano Ballroom Sec. 2)


The Tales of a Bug Bounty Hunter: 10+ Interesting Vulnerabilities in Instagram
Bug bounty hunting is the new black! During this technical talk, more than 10 interesting vulnerabilities identified in Instagram, the increasingly-popular photo-based social media platform, will be presented. All vulnerabilities were disclosed responsibly via Facebook’s Public Bug Bounty program over the course of 2015 and 2016, and will be discussed in detail. Required advanced Mobile Security attack techniques for this Research, such as Binary Modification, Dynamic Hooking and Burp Suite Plugin Development will be covered, among other trickery. The most interesting vulnerabilities were hybrid: Combinations of complementary vulnerabilities in different environments (e.g. Web and Mobile). The root cause(s) of all identified issues will be mapped onto the Software Development Life Cycle (SDLC), to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general Bug Bounty Hunting advice will be shared with the community.

avatar for Arne Swinnen

Arne Swinnen

IT Security Consultant, NVISO
Arne Swinnen is an IT Security Consultant at NVISO, a Belgian Cyber Security Consulting firm. He previously worked for Verizon in a similar position. Arne specializes in Application Security and Digital Forensics. He is also a member of NVISO R&D Labs, for which he conducts technical... Read More →

Thursday June 30, 2016 17:05 - 17:50
Room C (Tiziano Ballroom Sec. 2)
Friday, July 1


The Top 10 Web Hacks of 2015
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. 

This talk will be a summary of the Top 10 new Web Hacking Techniques that were put out in 2015. The list of candidates is community sourced and voted upon. The list gets trimmed down from between 50-100 to 15 in no order. That list of 15 techniques that get the most votes will go on to the panel of expert judges. They will pick the Top 10 and order them based on a group consensus after reviewing all the research. This talk will go through these 10 techniques and highlight the important points of what was done in the research and how to protect yourself or your organization if applicable. 

We will do a technical deep dive and take you through the Top 10 Web Hacks of 2015 as picked by an expert panel of judges.

avatar for Jonathan Kuskos

Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute... Read More →

Friday July 1, 2016 10:20 - 11:05
Room C (Tiziano Ballroom Sec. 2)


Attack tree vignettes for Containers as a Service applications and risk centric threat models
On the heels of platform virtualization comes the proliferation of containers - compartmentalized applications aimed at achieving greater efficiency in packaging, delivering and managing applications. With platform-level virtualization adoption still maturing, the rise of app level virtualization and isolation over shared platform resources is already intriguing many dev shops who are looking in greater efficiencies around environment management and deployment. Security concerns are abound, particularly as the theme of true isolation and priv escalation haunt many early instances of containers. During this talk we'll look at threat modeling vignettes based upon current implementations and industry use cases around Containers as a Service. We'll explore viable threat patterns around deploying and using containers as well as current and evolving countermeasures for threat mitigation. 

This talk will employ risk centric approaches to threat modeling around containers and tie in many of the more current threat and countermeasures covered from Docker15. The risk centric threat modeling approach will tie in well to security by design intents being fostered into evolving container related controls. This talk will not address in general the general precepts around threat modeling but rather dive into a few deployment scenarios around containers that have been analyzed for viable threat motives, supporting attack patterns, and effective countermeasure options for risk reduction.

avatar for Tony UcedaVelez

Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony... Read More →

Friday July 1, 2016 11:35 - 12:20
Room C (Tiziano Ballroom Sec. 2)


Internet banking safeguards vulnerabilities
All internet banking applications are different but all of them share many common security features which are very specific to this domain of web applications, such as: 
- transaction limits, 
- notifications via SMS or e-mail, 
- authorization schemes, 
- trusted recipients, 
- two-factor authentication and transaction authorization, 
- pay-by-links, 
- communication channel activation (e.g. mobile banking or IVR). 
It is not very rare that these safeguards are incorrectly implemented leaving the internet banking application vulnerable. 

Last year at AppSec EU I was talking about common vulnerabilities in e-banking transaction authorization. As a follow-up to this presentation, OWASP Transaction Authorization Cheat Sheet was published and gained some attention from banks, developers and testers. This year, I want to continue and expand this work to other security mechanisms which are specific and common to internet banking applications. During my presentation I want to show some common mistakes made during implementation of the abovementioned internet banking safeguards. 
As a follow-up, I am planning to expand OWASP Transaction Authorization Cheat Sheet to Internet Banking Cheat Sheet which will include guidelines for secure implementation of all security mechanisms common to contemporary internet banking applications. At the end of my presentation, I also want to discuss the idea of expanding key OWASP materials such as ASVS, Testing Guide, Development guide by adding appendixes specific to group of applications (such as internet/mobile banking, e-commerce, etc.). 

Proposed agenda: 
* Security features of contemporary internet banking – quick overview. 
* Examples of vulnerabilities in implementation of these safeguards (logical and technical flaws) and recommendations, e.g.: 
- transaction limit bypass, 
- trusted recipients feature abuses, 
- transaction authorization vulnerabilities (quick recap from AppSec EU 2015 presentation), 
- notification blocking, 
- currency exchange rates manipulation (e.g.: oscillator, rounding errors) 
- unauthorized changes to safeguards configuration 
* Upcoming changes due to PSD2 implementation (Payment Initiation Services, Account Information Services, Strong Customer Authentication). 
* Future work announcement and invitation to cooperation (Cheat Sheet, ASVS / Testing Guide / Dev Guide modules). 

avatar for Wojtek Dworakowski

Wojtek Dworakowski

IT security consultant with over 15 years of experience in the field. Managing Partner at SecuRing, a company dealing with application security testing and advisory on IT security. Has led multiple security assessments and penetration tests especially for financial services, payment... Read More →

Friday July 1, 2016 12:25 - 13:10
Room A (Michelangelo Ballroom Sect. 3)


Practical Attacks on Real World Crypto Implementations
While the cryptographic community concentrates on designing provably secure cryptographic primitives, real world implementations still suffer from vulnerabilities presented more than a decade ago at scientific crypto conferences. In the recent years, we could for example observe resurrections of padding oracles, Bleichenbacher attacks, or invalid curve attacks. These examples prove the existence of a large gap between the crypto and security communities. 

This talk will give an overview of our recent attacks on cryptographic libraries. We will first discuss the application of Bleichenbacher's attack on various TLS implementations. We will give important insights about the side channels that allowed us to perform the attacks. In particular, we first show that there existed implementations allowing us to apply direct Bleichenbacher's attack. Second, we show that additional exception handling in object oriented languages could lead to timing side channels, which could be exploited over the network, in real conditions. 

We will then move to the description of invalid curve attacks (also know as invalid point attacks). These attacks were first described by Biehl et al. at Crypto 2000, and can be circumvented by simply checking whether an incoming point belongs to a correct curve. However, our recent study of various crypto libraries and Hardware Security Modules revealed that three of them were vulnerable to these attacks. This allowed us to extract EC private keys from Java servers or from the Utimaco HSM. 
At the end of the talk, a real attack against an Apache Tomcat server will be presented, and how it could be used to extract a private EC key. 

This talk is based on these publications: 
- Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel and Erik Tews. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. 23rd USENIX Security Symposium (Usenix Security 2014). 
- Tibor Jager, Juraj Somorovsky and Jörg Schwenk. Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015. 
- Den­nis Kup­ser, Chris­ti­an Main­ka, Jörg Schwenk, Juraj So­mo­rovs­ky. How to Break XML En­cryp­ti­on - Au­to­ma­ti­cal­ly.Work­shop on Of­fen­si­ve Tech­no­lo­gies (WOOT), 2015 

Our papers are available at https://www.nds.rub.de/chair/people/jsomorovsky/

avatar for Juraj Somorovsky

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications... Read More →

Friday July 1, 2016 14:10 - 14:55
Room C (Tiziano Ballroom Sec. 2)


Big problems with big data - Hadoop interfaces security
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers? 
In this presentation I would like to show that penetration testing of Hadoop installation does not really differ much from any other application. Apart from complexity of the installation and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security, encryption at rest, obsolete libraries bugs and least privilege principle. 
We tested popular Hadoop environments and found few critical vulnerabilities, which for sure cast a shadow on big data security. So as not to stop with CVE shooting, we would like to show you our approach of testing big data installations and few ideas of how to keep them secure. 

- big data installations architecture 
- attack vectors and surfaces 
- least privilege principle in popular Hadoop environments 
- more detailed attack vectors and possible risks: obsolete packages in popular Hadoop environments, vulnerabilities in web interfaces 
- more focus on administrative interfaces (Ranger, Ambari, Hue) 
- problems with user interfaces (e.g. Hue) 
- hints for pentesting Hadoop installations 
- hints for securing Hadoop installations

avatar for Jakub Kaluzny

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many internetional conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well at local security events... Read More →

Friday July 1, 2016 15:00 - 15:45
Room C (Tiziano Ballroom Sec. 2)


Why Hackers Are Winning The Mobile Malware Battle - Bypassing Malware Analysis Techniques
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking and Invisible Profiles are taking it upon themselves to coach enterprises on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. 

In their presentation, Yair and Adi will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of these approaches. They will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. 

During a live, interactive demo, Adi and Yair will create a mobile malware, meant to be undetected by all static and runtime analysis technologies. The new malware will then be scanned by public commercial mobile endpoint protection solutions. Audience members will be encouraged to participate, and opt into an ethical attack to witness the results in real-time.

avatar for Yair Amit

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around... Read More →

Friday July 1, 2016 16:15 - 17:00
Room C (Tiziano Ballroom Sec. 2)