AppSec Europe 2016 has ended


Builder track
Thursday, June 30


OWASP AppSec Pipeline Project: Automate all the AppSec
How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. This talk covers the OWASP AppSec Pipeline project, which provides real-world examples from AppSec programs at several different companies that have seen 5x increases in productivity. Companies covered include Rackspace, with approximately 4,000+ employees, and Pearson, with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk will also introduce the AppSec Pipeline toolbox, a community-driven collection of Agile, DevOps and automation-friendly tools for your AppSec program. Also covered are the key principles for speeding and scaling up AppSec programs using an AppSec Pipeline, as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt by leaving traditional AppSec program thinking behind. Come to the talk and find out how to add the best of Agile and DevOps to your AppSec security work.


Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti, where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks...

Thursday June 30, 2016 10:20 - 11:05
Room B (Tiziano Ballroom Sec. 1)


Systematically Breaking and Fixing OpenID Connect
OAuth is the new de facto standard for delegating authorization on the web. An important limitation of OAuth is the fact that it was designed for authorization and not for authentication. The usage of OAuth for authentication thus leads to serious vulnerabilities, as shown by Zhou et al. in [4] and Chen et al. in [1].
OpenID Connect was created on top of OAuth to fill this gap by providing federated identity management and user authentication. OpenID Connect was standardized in February 2014, but leading companies like Google, Microsoft, AOL and PayPal are already using it in their web applications.

As part of our current research we provided the first in-depth analysis of OpenID Connect. We discovered seven novel attacks which were not considered by any previous research. In addition, we adapted and extended already known attacks from other SSO protocols like SAML and OpenID to OpenID Connect. In summary, we came up with 15 different attacks resulting in broken end-user authentication, information leakage, Server-Side Request Forgery (SSRF) and Denial-of-Service (DoS). We categorized all attacks into five different classes:
- Malicious Endpoint attacks (four attacks) are based on a specification flaw in the Discovery and Dynamic Registration features of OpenID Connect, which allows an attacker to break user authentication, compromise user privacy, and enable SSRF, client-side code injection, and DoS.
- ID Spoofing (five attacks) results in unauthorized access to the victim's account. During these attacks, the attacker is able to create maliciously crafted authentication tokens which bypass the verification logic on the Client (also known as the Relying Party).
- Signature Bypass (three attacks) allows changing the digitally signed authentication token without invalidating the signature. Thus, an attacker is able to gain unauthorized access to the victim's account.
- Session Overwriting introduces a complex attack based on a specification flaw which forces the Client to send sensitive information like the client_secret and a valid code to a domain controlled by the attacker.
- Trivial attacks (two attacks) include replay attacks and token recipient confusion, which are already known and well studied.

Finally, we contacted the authors of the OpenID Connect and OAuth specifications. They acknowledged our attacks and recognized the need to improve the specification [3] and to address the existing threats. We are currently involved in the discussion regarding the mitigation of the existing issues, and an extension to the OpenID Connect specification is currently being created for this reason [2].

In our presentation we reveal novel insights and new security aspects of using protocols like OAuth and OpenID Connect. Additionally, we will present two of the new attacks discovered by our research and discuss the countermeasures. We conclude with the concept of a fully automated penetration testing tool, developed in collaboration with the OpenID Connect working group, that allows flexible security evaluation of implementations.
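As an added illustration of the Relying Party-side checks that the attack classes above target (not code from the talk or its authors), the following Python validates an ID token against a fixed issuer, audience and nonce. It assumes an HMAC-signed (HS256) token with a pre-shared key so that it runs with the standard library alone; an RSA-signed token from a real Provider would instead be checked against the Provider's published keys with a JOSE library, with the same claim checks afterwards.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when an ID token fails one of the Relying Party (Client) checks."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the Provider: mint a compact JWS over the claims (test use only)."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    if alg == "none":  # unsigned token: the signature segment is empty
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    """Return the claims of a token this Client may trust, else raise TokenError.

    issuer    - the issuer URL obtained from the Provider this Client registered with
    client_id - this Client's own identifier at that Provider
    nonce     - the nonce this Client generated for the pending login
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("format: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The Client fixes the algorithm it accepts; the token header never gets to choose.
    if header.get("alg") != "HS256":
        raise TokenError("alg: unexpected algorithm %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature: verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    # The token must come from the Provider this Client discovered, not some other endpoint.
    if claims.get("iss") != issuer:
        raise TokenError("iss: token issued by %r" % claims.get("iss"))
    # Token recipient confusion: the token must be addressed to this client_id.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise TokenError("aud: token not addressed to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp: multi-audience token without this client as authorized party")
    # Replay: the token must be unexpired and bound to the nonce of this very login.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("exp: token expired or missing expiry")
    if claims.get("nonce") != nonce:
        raise TokenError("nonce: does not match the value sent in the request")
    if not claims.get("sub"):
        raise TokenError("sub: missing subject")
    return claims


def rejection_reason(token, key, issuer, client_id, nonce, now=None):
    """Convenience wrapper: None if the token is accepted, else the failing check."""
    try:
        validate_id_token(token, key, issuer, client_id, nonce, now)
    except TokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    KEY = b"constructed-shared-secret"
    ISSUER = "https://op.example"
    NOW = 1467280800  # fixed clock so the demo is reproducible
    good = {"iss": ISSUER, "sub": "alice", "aud": "client-a",
            "iat": NOW, "exp": NOW + 300, "nonce": "n-1"}
    token = make_id_token(good, KEY)
    print("valid token ->", rejection_reason(token, KEY, ISSUER, "client-a", "n-1", NOW))
    # Same claims, but addressed to another Client of the same Provider.
    other = make_id_token(dict(good, aud="client-b"), KEY)
    print("wrong aud   ->", rejection_reason(other, KEY, ISSUER, "client-a", "n-1", NOW))
    # Unsigned token presented to a Client that only accepts HS256.
    unsigned = make_id_token(good, KEY, alg="none")
    print("alg none    ->", rejection_reason(unsigned, KEY, ISSUER, "client-a", "n-1", NOW))
```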

[1] E. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth Demystified for Mobile Application Developers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).
[2] M. Jones. OAuth 2.0 Mix-Up Mitigation. IETF, January 2016. URL https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00.
[3] OpenID Connect. Discovery / Security Considerations: CSRF attack on user input identifier, 2015. URL https://bitbucket.org/openid/connect/issues/979/discovery-security-considerations-csrf. Accessed: 25.08.2015.
[4] Y. Zhou and D. Evans. Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14).


Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009 he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics...

Tobias Wich

Senior Consultant, ecsec GmbH
Tobias Wich has worked for ecsec GmbH since 2010 as a senior consultant for IT security with an emphasis on smart cards and identity management systems. He is also working on his PhD thesis at Ruhr University Bochum as an external student. His recent work includes research with respect to...

Thursday June 30, 2016 10:20 - 11:05
Room C (Tiziano Ballroom Sec. 2)


Tell me stories about your appsec, let's skip the pentest
Capturing and describing S-SDLC problems is also possible based on interviewing managers and workers (instead of measuring the symptoms with dynamic and static methods). The participants in the development process are themselves, most of the time, aware of the problems, or they can tell stories from which a competent interviewer can then infer the presence of appsec problems. We assume that this interview-based method becomes more adequate and efficient when the requirements and principles of taking care of security are already present in the SDLC (since, as we know, maturity is a relative characteristic and improving security can be a long process).

The root causes of application security problems are mostly organizational in nature, not technical. For capturing and describing organizational problems there is a mature methodology: qualitative interviewing. There is also a more specific variant of it, narrative interviewing, in which you have interviewees tell stories about their professional practice, the real-life practices they follow, and the other rules of the development process in place. While expending substantially less effort than a pentester, a prepared interviewer can form a trustworthy picture of the state of application security in a software manufacturing unit. Based on the interpretation of the professional stories told and other details of the oral account, that is, based on the interview analysis, an appsec consultant can competently advise the client on how to improve the S-SDLC.

Interviewing may bring up the gaps between the security-related goals and the actual practice, and may suggest which nuances of the organizational and workplace processes cause the inability to fulfill the existing S-SDLC targets, or the failures to act according to the methodological prescriptions. Or it may bring up the mismatch between the trainings and the areas of actual dissatisfaction with security quality. Interviewing may also shed light on the difficulties of complying with advanced security policies under the time pressure created by business targets (a widespread problem that is, however, hard to communicate while wearing the ethical hacker's hat or any other technological consultant role). The kinds of findings you can expect from an interview-based audit are obviously different from pentest findings, but it is also evident that the roots of the pentest findings may well be traced to banal organizational failures and certain conflicting goals.

There is nothing new about gathering information by interviewing people at the client's organization. Regarding application security, the main idea of the talk is that the problems in the appsec field are similar in nature to those observed by organizational developers who aim to improve the workings of organizational units and whole institutions. Thus an application security consultant can reuse the instruments created for organizational developers.

The organizational appsec audit need not suffer from the usual problems of VAPT audits, where the findings are gibberish to the decision makers and are communicated via several redirections and filters, and where there is the usual gap between the testers, who do not speak the language of developers, and the developers, who are supposed to change their patterns based on the reports. In organizational development (especially if based on competent interviews) the "auditors" speak the language of management, and the findings are likely to be understood by the business.

It is quite natural to step further from the organizational appsec audit to an appsec consultancy phase that improves the S-SDLC itself and certain organizational aspects having an impact on security quality, as well as the rules of the decision-making surrounding software development.


Timur Khrotko

appsec co-producer, org researcher, secmachine.net
Timur spent the past 14 years running a small IAM-focused ISV and an application security consulting firm. He holds a PhD in business management. His research topics are stereotypes of thinking in general and behavioral patterns of executive managers in particular. More details...

Thursday June 30, 2016 10:20 - 11:05
Room D (Tiziano Ballroom Sec. 3)


Making OpenSAMM More Effective in a DevOps World
Software security maturity models such as OpenSAMM can be effective tools for organizations to understand the maturity of security practices within their development teams. But ambitious development timelines, limited resources, and a variety of competing priorities limit how frequently software security maturity models are actually used. Making matters worse, development cycles are being compressed in organizations where continuous integration or DevOps concepts are being embraced. Finally, organizations that have never conducted an OpenSAMM assessment are reluctant to spend so much time and energy to receive "zeros" on their OpenSAMM scorecard and confirm what they suspected in the first place: they have little or no security practices in their development environment.

OpenSAMM is effective for some organizations, while others may be moving so fast or have so little security in place that the assessment is of dubious value. How can OpenSAMM remain relevant in a world where development occurs at near light speed? What adaptations are needed to provide a range of options to organizations looking to measure their maturity levels and to benchmark their activities against peer organizations? How can you show value to development teams and business units more quickly and in a more agile fashion?

Recent efforts to update OpenSAMM and to add benchmarking data are important and needed, but point to a greater need to streamline the process of assessments against the model. Organizations where speed is an imperative are demanding more flexible options that allow them to adapt the underlying concepts of OpenSAMM while minimizing the impact on software development. The session will start with a quick overview of the status of the OpenSAMM project, including the efforts of the recent benchmarking initiative. These efforts are focused on updating the OpenSAMM model and providing comparative data that allows clients to understand their software security maturity compared to industry peers. The session will also provide a brief overview of where OpenSAMM can provide tremendous value in any application security program, when and where it should be used, and how security organizations should capitalize on its results.

The bulk of the session will focus on how organizations have recently had success using a variety of strategies to insert SAMM concepts where development is occurring at breakneck speed and security teams simply lack the authority to review every development team. One strategy to be examined is the use of a two-stage, or iterative, process: first identify the highest concentration of risky development practices, then run a scaled assessment process that focuses the majority of assessing activity on the development areas of most perceived risk.

In this approach, lightweight surveys are sent to multiple development teams to conduct a first-pass measurement of the riskiest development activities. This brief survey is followed by a quick risk ranking activity to identify which teams warrant priority assessments and to tailor the depth of follow-up assessments according to perceived risk. 

Another major strategy involves leveraging existing technologies such as application vulnerability platforms or source code repositories to “self report” maturity improvement activities, lessening the burden on development teams while providing consistent updates to the security team monitoring security improvement. The presentation will outline how one can automate reporting on team maturity by capturing metrics such as frequency of testing, prevalence of certain types of vulnerabilities, and mean time to fix application vulnerabilities. The session will highlight how one can publish data across development teams to provide visibility, increase accountability, and encourage security improvements across the organization.


Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...

Thursday June 30, 2016 12:25 - 13:10
Room B (Tiziano Ballroom Sec. 1)


Leveling up your application security program
In this talk, David will relay lessons learned from his time building the application security program and culture at Riot Games. 

David will give an overview of how Riot approaches application security in a fast-paced, agile environment. This will include how Riot implements controls that do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice. This talk will also include demonstrations of custom security tools we've developed to help our engineers produce secure code.

There are many options when it comes to understanding and improving an application security program. This talk will address Riot’s efforts in this regard.


David Rook

Senior Security Engineer, Riot Games
David Rook is a Senior Security Engineer and the product owner of Application Security at Riot Games. He held various application security roles in the financial services industry from 2006 before moving into the computer games industry in early 2014. He is a contributor to several...

Thursday June 30, 2016 14:10 - 14:55
Room B (Tiziano Ballroom Sec. 1)


Building secure cloud-native applications with Spring Boot and Spring Security
In this talk Andreas will present how to build a secure cloud-native application using Spring Boot and Spring Security.
After a quick introduction, the session starts with a live-coding demo building a completely new web application that already has a solid base level of security (including authentication, authorization, CSRF protection and security headers) in just minutes.

Throughout this talk you will learn step-by-step how to

- implement integration tests to verify both web- and method-layer authorization
- easily add SSL transport security already at the development stage
- break up the application into "cloud-native" microservices using REST calls secured by OAuth2
- extend the application with runtime application self-protection (RASP) using the OWASP AppSensor

All steps will also be accompanied by short demos.

Based on a daily work experience of developing enterprise ready applications, best practices to integrate security in the agile development process will be presented as well.


Andreas Falk

Managing Consultant, NovaTec Consulting GmbH
Andreas Falk (@andifalk) has been working on enterprise application development projects for more than twenty years. He has been working as a managing consultant for NovaTec Consulting GmbH in Germany for five years. In various projects he has been a consultant, architect...

Thursday June 30, 2016 15:00 - 15:45
Room B (Tiziano Ballroom Sec. 1)


Addressing Security Requirements in Development Projects
As software development projects have become more and more agile over the past years, the same has to apply to security teams if they are to be seen as business enablers rather than as an obstacle. In this talk we aim to present a tool which we have implemented on the basis of 1&1's internal secure software development lifecycle, with the goal of increasing the comprehensibility and automation/scalability of particular security-related activities in development projects.

The core functionality of the tool is management and implementation support of two types of security requirements: 
- lifecycle requirements, describing security-related activities performed during the development 
- technical requirements, describing the desired security properties of systems/artifacts being built 

Other notable features are:
- categorizing and filtering of requirements for systems with different properties
- integration with JIRA, enabling tasks for dev teams to be created automatically and their progress monitored
- export of the requirement sets for external partners in order to align the security of external and internal development

The plan is also to release this application as an open source project and involve the security community in its further development.


Daniel Kefer

Head of Application Security, 1&1 Mail & Media Development & Technology GmbH
Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1, where he currently leads an internal...

Rene Reuter

IT Security Consultant, Robert Bosch GmbH
René Reuter is a security engineer with over 6 years of experience in the application security field. At Robert Bosch GmbH he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Bosch's applications and infrastructure...

Thursday June 30, 2016 16:15 - 17:00
Room D (Tiziano Ballroom Sec. 3)


Don't Touch Me That Way
With over 3.1 million applications in the Apple App Store and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been pushed to the forefront for many organizations. One of the newer features of mobile devices is the fingerprint reader. Both iOS and Android provide access to the hardware fingerprint reader through APIs. These fingerprint APIs can be used correctly and incorrectly. Join David and Jack as they show how the APIs work, how you can use them correctly and incorrectly, and how a malicious actor may attack the fingerprint APIs. This talk will involve code, tools, and iOS and Android test applications for demos.


David Lindner

Director, Application Security, Contrast Security
David Lindner is the Director, Application Security at Contrast Security. David is an experienced application security professional with over 18 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field...

Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance...

Thursday June 30, 2016 16:15 - 17:00
Room C (Tiziano Ballroom Sec. 2)


Using JIRA to manage Risks and Security Champions activities
Some of the challenges of an effective Application Security programme are:

a) how to capture and process security bugs/flaws discovered (manually, in security reviews, from attacks, by SAST/DAST tools, etc.)
b) managing developers' security activities
c) creating networks of Security Champions
d) assigning application security risks to the relevant business/product owners
e) capturing application security knowledge

Over the past year, Dinis has been leading a number of Application Security teams in the UK, and this presentation will provide detailed and technical information on how JIRA was used to create 'Application Security' workflows and management reports, and to address all of the challenges described above.

One of the key concepts of the proposed JIRA workflow is an official 'Accept Risk' action, which changes the dynamic of the Security teams from "...NO you can't do that..." to "...If you do that there are these risks which you have to accept..." and "...here are the risks that your application has; now choose which ones you want to fix or accept".


Dinis Cruz

Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...

Thursday June 30, 2016 17:05 - 17:50
Room B (Tiziano Ballroom Sec. 1)
Friday, July 1


A chain of trust: How to implement a supply chain approach to build and launch that rocket
A new entrant to the OWASP Top 10 2013 ranking was A9 - Using Components with Known Vulnerabilities. Increasingly, the compromise point of an application has not been code that originated in house: the 2015 Data Breach Investigations Report states that 97% of attack mediums can be traced to 10 CVEs. Standards like PCI-DSS call for auditing and constant monitoring of the status of these components, but often this leads to controls outside the realm of what is scalable. Luckily, security can be, and is, a developer choice as much as a process. In this session we talk through what can be done to implement a process that helps lower the compound risk from 3rd-party suppliers as early in the software lifecycle as possible, and how to help facilitate security as a part of the DevOps culture.


Ilkka Turunen

SE, Sonatype
Ilkka Turunen is a Solutions Architect working at Sonatype in Europe and Asia. His background is in software and systems engineering, acting as an architect for several commercial projects. He's helped define everything from the software design to web-scale infrastructure architectures...

Friday July 1, 2016 10:20 - 11:05
Room A (Michelangelo Ballroom Sect. 3)


Practical Threat Modeling with Microsoft's Threat Modeling Tool 2016
Threat modeling has been a known and effective practice for identifying weaknesses in application design for a while now. However, as with other security practices, it requires quite some security know-how and experience to create a proper threat model and derive countermeasures from the identified threats. Therefore, most organizations that want threat modeling conducted internally to improve their software security require a suitable tool that assists developers, architects, etc. in creating such a threat model. When it comes to threat modeling tools, most will surely name Microsoft's Threat Modeling Tool, which Microsoft has made freely available in different versions for quite some time. But only the newest version comes with one decisive new feature that no existing tool had before and that has the potential to help organizations a lot with using threat modeling internally: it now allows us not only to investigate but also to change the existing threat logic, and to build custom templates with their own logic and shapes for new threat models. Based on extensive practical experience with using this tool in a larger organization, this talk will show how organizations can use it to practically build their own threat modeling tool by mapping their specific security architecture (access management systems, security zones, etc.), custom threats and security requirements into it, so that they are already considered in all new threat models created with the tool.


Matthias Rohr

CEO, Secodis GmbH
Matthias Rohr (CISSP, CSSLP, CISM) has over 12 years of experience in architecting, developing and securing web-based applications. He is the founder of Secodis, a security service and solution provider specialized in integrating security into software development (Secure...

Friday July 1, 2016 10:20 - 11:05
Room B (Tiziano Ballroom Sec. 1)


AppSec Awareness: A Blue Print for Security Culture Change
How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and part action to improve security into the future. Each company has an application security culture, but most of them need a boost.

This session is about exposing each audience member to a successful blueprint for how they can build an application security awareness program of their own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people. Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization.

The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what application security awareness is to providing the details of how anyone can build a program of their own. This advice is from real-life experience; this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.

The six blueprints are:

- Mission: how to define it and build a team to support it
- Program architecture: design a program that covers all roles and recognizes achievements, on a budget
- Curriculum: what to teach, and how to decide what to include
- Humor: how to use humor to engage the audience
- Content creation: how to build application security learning that people want to enjoy
- Tools: things you can add to enhance the program's organizational visibility

I'll share all that I have learned over the past five years on this topic, summarized into a 45 minute window. This includes best practices, lessons learned, and experience as a pioneer in the creation of this type of program. I've built a super successful program, and want to empower and enable others to build similar programs.

Chris Romeo

CEO and co-founder, Security Journey
Chris Romeo is CEO and co-founder of Security Journey, where he creates and deploys security-culture-influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security...

Friday July 1, 2016 12:25 - 13:10
Room D (Tiziano Ballroom Sec. 3)


SecDevOps: A View from the Trenches
DevOps practices have become the de facto approach to deliver applications at rapid scale and unprecedented speed. However, any process is only as fast as its biggest bottleneck, and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production, as they are delivered at scale. If DevOps is not to be at odds with security, then we must find ways to achieve the following as a priority:

- Integrate effective threat modeling into Agile development practices 
- Introduce Security Automation into Continuous Integration 
- Integrate Security Automation into Continuous Deployment 

While there are other elements like SAST and monitoring that are important to SecDevOps, my talk will essentially focus on these three elements, with a greater focus on Security Automation. In my talk, I will explore the following, with reference to the topic:

- The talk will be replete with anecdotes from personal consulting and penetration testing experiences. 
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. 
- I firmly believe that Automated Web Vulnerability Assessment (using scanners), no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST). I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, it's impossible to have a one-size-fits-all, but there's no reason why we can't deliver custom security automation to simulate most of the manual penetration testing and combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use of a custom security test suite (written in Python, integrating with Jenkins) against an intentionally vulnerable e-commerce app.
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. 
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.


Abhay Bhargav

CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works...

Friday July 1, 2016 12:25 - 13:10
Room B (Tiziano Ballroom Sec. 1)


From DTD to XXE: An Evaluation of XML-Parsers
Extensible Markup Language (XML) is extensively used today in applications, protocols and databases. XML has to be well-formed and can optionally be valid. If the document conforms to the grammar which is specified within the DTD, the document is called valid. DTDs also introduce entities, which are basic storage units. This is problematic because entities introduce a series of vulnerabilities. Two of the most widely known constitute a denial-of-service (DoS) attack, called billion laughs, and an XML External Entity (XXE) attack. Both were first discovered back in 2002. With web services becoming more popular and other standards evolving, like XML Inclusions (XInclude) and Extensible Stylesheet Language Transformations (XSLT), other threats soon followed, like using XInclude in a similar way as XXE, URL Invocation to conduct Server Side Request Forgery attacks, and encoding issues. Using XSLT and the security thereof is a (research) topic on its own. A quick Internet search reveals that most of these threats are still active today and are further developed and automated. [1][2][3] At the time of writing the Common Vulnerability Database [4] reports a total of 168 findings for XXE and 15 for DoS using the billion laughs attack. Therefore we assume that DTDs are still prevalent and widely activated. D. Morgan and Ibrahim [5] have investigated this matter in a structured way in 2014. Other news concerning the security of XML seems to be spread all over the Internet [6][7][8][9][10].

This presentation delivers the following contributions. First, we accumulate up-to-date knowledge of XML security. Second, we implement tests for a better understanding of entity processing. Third, we implement an exhaustive set of tests to check the default settings of a plethora of parsers from different programming languages. Fourth, we investigate the impact of features which govern the processing of DTDs and entities in those parsers. Fifth, we present a new attack using XML Attribute Value Normalization, which is a part of the XML specification.

- We show how DTD attacks work
- 28 parsers in 6 languages were analyzed (Ruby, .NET, PHP, Java, Python, Perl)
- A total of 1107 tests were executed to evaluate the security of all parsers
- We computed a score to measure the security of each parser, helping a developer choose the best parser.
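The abstract above describes DTD entities as the common root of both the billion laughs DoS and XXE, and the talk's third and fourth contributions are about parser default settings. The following is an added example, not code from the talk or its test suite, that makes the point concrete in Python (one of the six languages the authors analyzed) using the standard library's expat-based parser. It builds a reduced billion laughs document (a general builder parameterized by nesting depth; the page's own payload is the usual ten-level one, which is deliberately not run here), measures the amplification the default parser produces, and then shows a guard that refuses any document carrying a DOCTYPE or entity declaration before the real parser ever sees it, which is the approach the defusedxml package takes for the stdlib parsers. All sample documents are constructed for this example; `/etc/hostname` in the XXE sample is just an illustrative target.

```python
"""Added example (not from the talk): DTD entity expansion and a DTD guard.

Uses Python's stdlib xml.etree.ElementTree, which sits on expat and expands
internal entities declared in the DTD by default. The sample documents are
constructed for this example.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


def laughs(levels: int, fanout: int = 10) -> str:
    """Build a 'billion laughs' document with `levels` nested entities.

    The classic payload is levels=9 (10**9 copies of 'lol'); keep it small
    when experimenting, the default stdlib parser will really expand it.
    """
    decls = [' <!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append(' <!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>'
            % ("\n".join(decls), levels))


# Three levels: 1000 copies of "lol", enough to show amplification safely.
LAUGHS_3 = laughs(3)

# XXE attempt: an external general entity pointing at a local file (constructed).
XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>\n'
    '<foo>&xxe;</foo>'
)

# Ordinary document with no DTD at all (constructed).
BENIGN = '<?xml version="1.0"?><order><item qty="2">widget</item></order>'


class ForbiddenDTD(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def expanded_text_length(doc: str) -> int:
    """Parse with the default stdlib parser and return the total length of
    the character data after entity expansion."""
    root = ET.fromstring(doc)
    return sum(len(t) for t in root.itertext())


def amplification(doc: str) -> float:
    """Expanded character data divided by document size: the amplification
    factor an attacker gets from nesting entities."""
    return expanded_text_length(doc) / len(doc)


def parse_no_dtd(doc: str) -> ET.Element:
    """Parse only if the document carries no DTD.

    A probe expat parser runs first with handlers that abort on the DOCTYPE
    declaration or on any entity declaration (internal or external), so
    neither billion-laughs nor XXE payloads reach the real parser.
    """
    probe = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD("DOCTYPE %r is not allowed" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD("entity declaration %r is not allowed" % name)

    probe.StartDoctypeDeclHandler = on_doctype
    probe.EntityDeclHandler = on_entity_decl
    probe.Parse(doc, True)  # raises ForbiddenDTD before any expansion happens
    return ET.fromstring(doc)


def is_rejected(doc: str) -> bool:
    """True if parse_no_dtd refuses the document."""
    try:
        parse_no_dtd(doc)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    print("benign expanded text:", expanded_text_length(BENIGN))
    print("3-level laughs: %d chars from a %d byte document (x%.1f)"
          % (expanded_text_length(LAUGHS_3), len(LAUGHS_3), amplification(LAUGHS_3)))
    for name, doc in [("benign", BENIGN), ("laughs", LAUGHS_3), ("xxe", XXE)]:
        print(name, "rejected by DTD guard:", is_rejected(doc))
```

The guard is deliberately coarse: it rejects documents with any DTD rather than trying to tell harmless entity declarations from malicious ones, because, as the talk's parser survey implies, the safe answer depends on per-parser feature flags that differ across libraries and versions. Rejecting the DTD outright removes that dependency.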

[1] SSD Advisory – ZendXml Multibyte Payloads XXE/XEE. [Online]. Available: https://blogs.securiteam.com/index.php/archives/2550
[2] Burp Suite now reports blind XXE injection. [Online]. Available: http://blog.portswigger.net/2015/05/burp-suite-now-reports-blind-xxe.html?m=1
[3] Forcing XXE Reflection through Server Error Messages. [Online]. Available: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
[4] CVE – Common Vulnerabilities and Exposures. [Online]. Available: https://cve.mitre.org
[5] XML Schema, DTD, and Entity Attacks. [Online]. Available: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
[6] Nir Goldshlager. [Online]. Available: https://twitter.com/Nirgoldshlager/status/618417178505814016
[7] Best XML library to validate XML from untrusted source. [Online]. Available: http://www.perlmonks.org/?node_id=1104296
[8] [Online]. Available: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
[9] [Online]. Available: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf
[10] [Online]. Available: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html


Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security...

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics...

Christopher Späth

Christopher Späth is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He wrote his master thesis about the security implications of DTD attacks against a wide range of XML parsers. His first contact with XML security was back in 2011, when he wrote...

Friday July 1, 2016 14:10 - 14:55
Room B (Tiziano Ballroom Sec. 1)


Everything You Need to Know About Certificate Pinning, But Are Too Afraid To Ask
Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack. Security urges developers to pin certs and many mobile apps do — some applying pinning to problems it doesn’t solve while others do so entirely unnecessarily. What risks does pinning really reduce? What should a developer consider prior to deciding to pin certs? Are there tradeoffs? Once decided, how should they do it?

Taking a perspective useful to both developers and penetration testers, this presentation covers these tradeoffs; from how organizational maturity impacts viability, to the risk reduction offered by the choices developers make about which elements of the certificate and chain to validate. 
The presentation will quickly recap the basics of certificates, their chains, and SSL validation.

Expect to leave understanding common misconceptions and key subtleties of pinning that may in fact /decrease/ security or impose undue complexity. Expect to understand common developer mistakes in pinning, for example in mobile WebViews. By the end of the presentation attendees will understand organizational and operational complexities, relevant design, and implementation-level detail.


John Kozyrakis

Technical Strategist, Cigital
John Kozyrakis is a Technical Strategist at Cigital and his primary area of expertise is mobile application security. Over the years, he has been involved with penetration testing, reviewing source code, security architecture and reverse engineering. John works with software architects...

Friday July 1, 2016 15:00 - 15:45
Room B (Tiziano Ballroom Sec. 1)


From Facepalm to Brain Bender - Exploring Client-Side Cross-Site Scripting
With the current generation of dynamic, client-side Web applications, the issues related to attacks against the client rise. Arguably the biggest problem is Cross-Site Scripting, which has been known for a number of years. Although studies have shown that at least one in ten Web pages contains a client-side XSS vulnerability, the prevalent causes for this class of Cross-Site Scripting have not been studied in depth. Therefore we present a large-scale study to gain insight into these causes. To this end, we analyze a set of 1,273 real-world vulnerabilities contained on the Alexa Top 10k domains using a specifically designed architecture, consisting of an infrastructure which allows us to persist and replay vulnerabilities to ensure a sound analysis. In combination with a taint-aware browsing engine, we can therefore collect important execution trace information for all flaws. 

Based on the observable characteristics of the vulnerable JavaScript, we derive a set of metrics to measure the complexity of each flaw. We subsequently classify all vulnerabilities in our data set accordingly to enable a more systematic analysis. In doing so, we find that although a large portion of all vulnerabilities have a low complexity rating, several incur a significant level of complexity and are repeatedly caused by vulnerable third-party scripts. In addition, we gain insights into other factors related to the existence of client-side XSS flaws, such as missing knowledge of browser-provided APIs, and find that the root causes for Client-Side Cross-Site Scripting range from unaware developers to incompatible first- and third-party code. 

In addition, we showcase several of the identified problems and discuss the often occurring well-meant, but ultimately ineffective countermeasures we discovered. We will end the talk with an overview of best practices that allow developers to avoid such problems.


Bernd Kaiser


Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business...

Stephan Pfistner

Stephan Pfistner is an Information Security Engineer at Google. He holds a M.Sc. in IT Security from Technical University of Darmstadt. His research interests revolve around Web application and network security as well as security testing in those areas. As part of the Security Test...

Ben Stock

CISPA, Saarland University
Dr.-Ing. Ben Stock is a postdoctoral researcher at the Center for IT-Security, Privacy, and Accountability at Saarland University. Prior to that, Ben finished his PhD at the University in Erlangen, researching the specifics of Client-Side Cross-Site Scripting. His research was published...

Friday July 1, 2016 15:00 - 15:45
Room A (Michelangelo Ballroom Sect. 3)