Sunday, February 27, 2011

OWASP Summit and AppSensor

The AppSensor session at the OWASP World Summit was a great success. The focus of the discussion was where AppSensor should go next. We covered all of the available items within the AppSensor project (AppSensor.jar w/ESAPI plugin, detection points guidance, extensive documentation, live running demos, etc.) and posed the question "What do we need for your company to adopt AppSensor within your applications?" There was lots of energy in the room and all 50+ seats were filled. AppSensor is really starting to take off and I'm excited at these results. These ideas represent the next areas for the project to tackle in order to obtain wide adoption.

Here are the outputs of that discussion as action items for the project. Consider this an invitation for anyone to jump into the AppSensor project and lead one of these areas to success (email me and I can give you more info and support your efforts).

* Concern over False Positives
** Article to discuss why AppSensor false positives won't result in negative system performance or adversely impact non-malicious users. Target Audience: Product Managers, CSOs

* Where is AppSensor integrated into development
** Slides or article to demonstrate process of selecting AppSensor detection points during the threat modeling phase. Notes on how to communicate these requirements to developers. How to test proper deployment

* Is there an AppSensor-like implementation that could be handled by operations?
** This is not the traditional AppSensor approach (i.e. detection within the application code), but we could do further research on aspect-oriented implementations or real-time log analysis for attack monitoring

* Integration with libraries and frameworks
** Sub project to submit patches for common frameworks to log obvious attack types. The goal is to at least get the logging of attack scenarios in place by default. This makes it easier to adopt an AppSensor approach onto these libraries or frameworks
** Possible first target: Sonar. May need to get more info on this idea

* Testimonials from companies using AppSensor or AppSensor-like capabilities
** This will help raise confidence in the project for potential new adopters

* Software - Code versioning, patching, support?
** This is a common concern for open source software and OWASP code. What can we do to help make our code more digestible by a company looking for these more stringent development patterns?

* Link in with Fraud systems
** The AppSensor project has been contacted by a large bank to help develop a strategy for detection of fraud through session hijacking and phishing.

Michael Coates
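Two of the action items above, the concern over false positives and getting obvious attack types logged by default, come down to the same loop: a detection point inspects one request, an event is recorded against the user, and a response fires only once a per-user threshold is crossed inside a time window. The following is an added example of that loop, written for this page and not code from the AppSensor project; the detection point names, thresholds, window, paths and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict, deque

# Detection points: each looks at one request and names the suspicious event, or returns None.
# Paths and their expected parameters are assumptions for this example.
EXPECTED_PARAMS = {"/login": {"username", "password"}, "/search": {"q", "page"}}

def unexpected_method(req):
    return "unexpected_method" if req["method"] not in ("GET", "POST") else None

def unexpected_parameter(req):
    extra = set(req["params"]) - EXPECTED_PARAMS.get(req["path"], set())
    return "unexpected_parameter" if extra else None

def sql_tell(req):
    # Blatant probes only: a detection point flags obvious attack behaviour, it is not a WAF.
    for value in req["params"].values():
        v = value.lower()
        if "' or " in v or "union select" in v or v.endswith("--"):
            return "sql_tell"
    return None

DETECTION_POINTS = (unexpected_method, unexpected_parameter, sql_tell)
# Events of one kind from one user inside the window before a response fires (assumed values).
THRESHOLDS = {"unexpected_method": 3, "unexpected_parameter": 5, "sql_tell": 2}
WINDOW_SECONDS = 600

class AppSensor:
    def __init__(self):
        self.events = defaultdict(deque)  # (user, kind) -> timestamps still inside the window
        self.locked = set()
        self.log = []                     # what the operations team would see

    def handle(self, req):
        user = req["user"]
        if user in self.locked:
            return "blocked"
        for point in DETECTION_POINTS:
            kind = point(req)
            if kind:
                self._event(user, kind, req["ts"])
        return "blocked" if user in self.locked else "ok"

    def _event(self, user, kind, ts):
        window = self.events[(user, kind)]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        self.log.append(f"{ts} {user} {kind} count={len(window)}")
        if len(window) >= THRESHOLDS[kind]:
            self.locked.add(user)
            self.log.append(f"{ts} {user} RESPONSE lockout")

def demo():
    # Constructed traffic: alice's client sends one misspelled parameter; mallory probes for SQLi.
    requests = [
        {"ts": 0, "user": "alice", "method": "GET", "path": "/search", "params": {"q": "owasp", "pge": "2"}},
        {"ts": 5, "user": "alice", "method": "GET", "path": "/search", "params": {"q": "owasp", "page": "2"}},
        {"ts": 10, "user": "mallory", "method": "POST", "path": "/login", "params": {"username": "admin' OR 1=1--", "password": "x"}},
        {"ts": 11, "user": "mallory", "method": "POST", "path": "/login", "params": {"username": "admin", "password": "' or ''='"}},
        {"ts": 12, "user": "mallory", "method": "POST", "path": "/login", "params": {"username": "admin", "password": "hunter2"}},
    ]
    sensor = AppSensor()
    outcomes = [(r["user"], sensor.handle(r)) for r in requests]
    return outcomes, sensor.log
```

The false-positive question answers itself in the run: alice's stray parameter is logged once and never reaches the threshold of five, so she is never touched, while mallory's second injection probe trips the response and every later request from that session is refused before any business logic runs.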

Wednesday, February 23, 2011

AppSec EU 2011 - First Challenge Released!

Hi there,

For all those application security professionals and enthusiasts out there here is the first challenge to win a free entrance ticket for AppSec EU 2011.


As some of you might know, Vicnum is an OWASP project which consists of a flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. The tool could also be used by those setting up 'capture the flag' exercises or by those who just want to have some fun with web assessments. The Vicnum project was developed for educational purposes by Mordecai Kraushar from Ciphertechs.

For today, we have prepared a customised version of Vicnum The Game that contains several exercises for your enjoyment.

*The Game*

The computer will think of a three-digit number with unique digits. After you attempt to guess the number, the computer will tell you how many of your digits match and how many are in the right position. Keep submitting three-digit numbers until you have guessed the computer's number.

In order to win a free ticket to AppSec EU 2011 you need to solve the following exercises of Vicnum The Game.

- Hack the game: Have a guess count of zero and a guess value > 999
- Hack the database: Find the Vicnum player with the worst possible score (if there is a tie find the older record). Place another record in the database with that player's name concatenated to your name and with a positive score.

Once you solve the exercises, please send us an email to with your full name and details on how you accomplished this goal.

The first one who solves these exercises gets a free ticket to OWASP AppSec EU 2011!

Please visit to find out further details about the challenge.

A big THANKS goes to Mordecai for setting up and customizing the challenge.

Thank you and best of luck everyone!

Fabio Cerullo

Tuesday, February 22, 2011

Application Security Track at Uber Conf 2011 - July 12-15

OWASP is currently soliciting papers for the Application Security Track at Uber Conf, Denver, CO.

OWASP is partnering with Uber Conf to have an Application Security track at this prestigious conference. Brought to you by the No Fluff Just Stuff Software Symposium Series, Über Conf will explore the ever-evolving ecosystem of Java the Platform.

The Ü will offer over 120 technically focused sessions including hands-on workshops centered around Architecture, Cloud, Security, Enterprise Java, Languages on the JVM, Build/Test, Mobility and Agility. The goal of Über Conf is a simple one: totally blow the minds of our attendees.

We are seeking people and organizations that want to present about how security relates to the following Java topics (in no particular order):

* Architecture
* Enterprise Java
* Java Internals
* Security - Enterprise & JVM
* Cloud Computing
* Languages on the JVM - Groovy, JRuby, Scala & Clojure
* Java Web Frameworks - Wicket, Tapestry & SpringMVC
* Build Systems - Maven & Gradle
* Testing
* Agility
* Tools

How to make a submission:
* Fill the form available at
* Submit the filled form at

Submission deadline is Feb 28th at 12PM EST (GMT-5)

Submit Proposals to:

Conference Website:

OWASP Website:

Please forward to all interested practitioners and colleagues.

AppSec USA 2011 Minneapolis

OWASP is proud to announce AppSec USA 2011. We're celebrating our first ten years and looking ahead to the next ten years!

Training will be held September 20-21. Talks, CTF, and showroom will be September 22-23. AppSec USA 2011 will be hosted in Minneapolis, Minnesota at the Minneapolis Convention Center.

Think you have a great idea for a one- or two-day class? Submit your idea to Kuai Hinojosa at Trainers get a 40% cut of the training revenue. Price for trainees will be $1,500 for a 2-day training course and $750 for a 1-day training course (see for additional information on group registration discounts). Please e-mail if you would like to reserve trainee space for your organization today.

The call for papers will open March 15. We are excited for high quality submissions from application security professionals, software developers, and thought leaders. This year's format will be four tracks spread across two days covering Cloud Security, Mobile Security, Secure SDLC, OWASP Projects (turbo talks), Software & Architecture Patterns for Security, Software Development Platform Tutorials, New Attacks & Defenses, and Thought Leadership (executive panels, interviews, and speeches). Please e-mail if you would like to reserve conference passes for your organization today at heavily discounted rates. And stay tuned for the call for papers announcement...

AppSec USA 2011 will be a great opportunity to let the community know about your products and services, and also a great time to recruit new talent. See for sponsorship opportunities. We would like to thank IBM for being our first AppSec USA 2011 sponsor!

This year's AppSec USA CTF promises to be the best one yet. If you'd like to volunteer or get prepared for the CTF, visit and send an e-mail to the CTF team.

Thank you!

OWASP AppSec USA 2011: Your life is in the cloud.
Twitter: @appsecusa

Tuesday, February 15, 2011

ESAPI and the Padding Oracle Attack

From Kevin Wall.

I originally noticed that the ESAPI symmetric encryption provided no authenticity way back in August 2009 and argued for a very long time with Jim Manico that what was present in ESAPI 1.4 and 2.0rc3 (or maybe it was rc2?) needed to be burned to the ground and replaced, and he agreed. All I remembered was some type of an attack against cipher padding that was caused by tweaking IVs in a certain way and then looking for errors. I remembered that IPSec at one time had been vulnerable to this same vulnerability, but I just couldn't remember the name of the attack or who wrote about it or when (S. Vaudenay in 2002), so unfortunately couldn't easily search for it. Fortunately, I knew that I had to use a MAC or an authenticated cipher mode to fix it.

After a few months of arguing on the ESAPI developer list that this was something that needed to be addressed, I finally was able to convince the ESAPI community and I volunteered to make the code changes. Had I been able to find Vaudenay's paper and cite it, I probably would have been able to convince folks that changing ESAPI's encryption was necessary...especially that Jim Manico guy. ;-) [Aside: Ironically it was this weakness in ESAPI's crypto that caused me to get involved with ESAPI development. I really liked what it presented and wanted to introduce it at Qwest once it was GA, but I was concerned that Qwest developers would use the broken ESAPI crypto rather than the encryption library we had developed in-house.]

Anyway, subsequent to the Rizzo / Duong paper appearing, there was probably at least 4-6 man-months of re-design and recoding effort that had taken place.

In fact, at one point I had things just right (apart from using a timing side-channel as padding oracle), but then *in a moment of clear stupidity*, I went in and changed a few of the exception messages intended for end users "to clarify things a bit". My (faulty) reasoning was that if a user got an encryption error and called a help desk, s/he could only report what s/he could see as the error message. But since the error message could be caused by two very different things I decided to make them slightly different so help desk personnel could distinguish between the two cases and act accordingly. (I know, the *logged* error messages were different, but I figured very few tier 1 help desk people ever have access to log files.)

Anyway, this was a *BIG* mistake and reintroduced the padding oracle attack, although not in the same way that earlier versions of ESAPI had, as they did not support authenticity at all.

So the bottom line is the *reason* that "we fixed padding oracle in ESAPI *very* quickly after the paper came out" is all I really had to do to fix it was to go back and change it so that the user intended exception messages were identical in each case. (I also put in some protection against using timing as a side-channel attack as the padding oracle, but that was pretty straightforward.)

Had the NSA completed their crypto review and mentioned this (they didn't and it's not entirely clear that they ever would have!), then this would have been fixed without drawing so much attention. But in a way, I consider it serendipitous that it came out in the Duong & Rizzo paper that ESAPI was somewhat vulnerable. By comparison, ESAPI fared well against the others described in their paper. I think had ESAPI not been vulnerable, it likely would not have been mentioned at all in their paper and the conclusion of Rizzo's and Duong's readers would have been that they had not evaluated ESAPI's symmetric encryption at all. As it was, it allowed us a platform to be transparent to the OWASP community, tell them how we were addressing the problem, and (IMO) most importantly brought home the seriousness of what I had been saying all along about ESAPI 1.4 encryption being badly broken, which motivated getting people off of it.

The reason we were so quick to get it fixed is because we had it 95% right in the first place. (Unfortunately, 95% right is 5% wrong and with vulnerabilities, that's all it takes.)

Thanks for your time,
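The failure Kevin describes is easiest to see in code. Below is an added example written for this page, not ESAPI's implementation: the same CBC-plus-HMAC token is opened by two routines, one that unpads before verifying the MAC and reports "bad padding" and "authentication failed" as distinct messages, and one that verifies the MAC first and reports a single message for every failure. The attacker's routine recovers the plaintext from the first and gets nothing from the second. The block cipher is an HMAC-based Feistel stand-in for AES so the example runs on the standard library alone; the token layout, key sizes, message strings and sample plaintext are assumptions of the example.

```python
import functools, hashlib, hmac, os
BLOCK, ROUNDS, TAG = 16, 8, 32

class PaddingError(Exception): pass
class MacError(Exception): pass
class DecryptionError(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, blk, decrypt=False):
    # 8-round Feistel network over HMAC-SHA256: a stand-in for AES so the example needs only
    # the standard library; the attack does not care which block cipher sits here.
    f = lambda i, half: hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
    l, r = blk[:8], blk[8:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(block_cipher(key, blk, True), prev) if decrypt else block_cipher(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

def unpad(data):  # PKCS#7
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def seal(enc_key, mac_key, plaintext):
    # Token layout assumed by this example: iv || ciphertext || HMAC(iv || ciphertext)
    iv, n = os.urandom(BLOCK), BLOCK - len(plaintext) % BLOCK
    ct = cbc(enc_key, iv, plaintext + bytes([n]) * n)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def leaky_open(enc_key, mac_key, token):
    # Decrypt, then verify, with a different message per failure: a padding oracle.
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    pt = unpad(cbc(enc_key, iv, ct, True))  # PaddingError escapes before the MAC is checked
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise MacError("authentication failed")
    return pt

def safe_open(enc_key, mac_key, token):
    # Verify first, so forged ciphertext never reaches unpad(); one message for every failure.
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise DecryptionError("decryption failed")
    try:
        return unpad(cbc(enc_key, iv, ct, True))
    except PaddingError:
        raise DecryptionError("decryption failed") from None

def padding_accepted(oracle, iv, blk):
    # Everything the attacker observes: did the error mention padding, or something else?
    try:
        oracle(iv + blk + bytes(TAG))  # garbage tag, so the MAC never verifies
        return True
    except Exception as e:
        return "padding" not in str(e)

def padding_oracle_attack(oracle, token):
    """Recover the padded plaintext of token using nothing but padding_accepted()."""
    iv, ct = token[:BLOCK], token[BLOCK:-TAG]
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_cipher(key, target, decrypt=True), learned right to left
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j  # padding value forced onto bytes j..15 of the forged IV
            forged = bytearray(inter[k] ^ p if k > j else 0 for k in range(BLOCK))
            hits = []
            for g in range(256):
                forged[j] = g
                if not padding_accepted(oracle, bytes(forged), target):
                    continue
                if j == BLOCK - 1:  # 0x02 0x02 (etc.) would also pass: perturb byte 14, retest
                    forged[j - 1] ^= 1
                    still_ok = padding_accepted(oracle, bytes(forged), target)
                    forged[j - 1] ^= 1
                    if not still_ok:
                        continue
                hits.append(g)
            if len(hits) != 1:
                return None  # the oracle does not distinguish, so nothing leaks
            inter[j] = hits[0] ^ p
        recovered += _xor(bytes(inter), prev)
    return recovered

def demo():
    enc_key, mac_key = b"K" * 32, b"M" * 32  # fixed keys so the run is repeatable
    msg = b"constructed sample plaintext"
    token = seal(enc_key, mac_key, msg)
    leaky, safe = (functools.partial(f, enc_key, mac_key) for f in (leaky_open, safe_open))
    return padding_oracle_attack(leaky, token), padding_oracle_attack(safe, token)
```

Vaudenay's attack needs only the one bit per trial that the leaky routine exposes, at most 256 trials per plaintext byte. Making the two user-facing messages identical, as the ESAPI fix did, removes that bit from the message text; verifying the MAC before decrypting, with a constant-time comparison, also takes the padding check out of the attacker's reach, which is why the second routine yields None for the attack even though its unpad() is unchanged.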

OWASP Summit 2011 Results

I'm very proud to announce the Summit 2011 Results, which you can download from here:
As you can see by the Summit's highlights, we achieved an amazing amount of work during the 3 days we were together in Portugal!

Amazingly, we also had a great time, and created/consolidated an enormous amount of friendships/relationships. Just look at the number of smiles (and focused faces) that exist on the Summit's official photo album:

I would like to take this opportunity to thank the Summit organization team, the Working Session chairs, the 180 on-site participants and the 1000s of remote participants, for working so hard and achieving so much.

Note that this is the first version of this document. There is work already underway to create a much more detailed and comprehensive version of this document, which will be released as a number of books (Summit 2011 Final Report, Browser Security Report 2011, etc...).

Please distribute this document/Press-Release as widely as possible.

Tuesday, February 1, 2011

OWASP Summit Press Release


Top security experts meet in Portugal to discuss the future of application security. Lisbon, Portugal, January 28, 2011 - The OWASP (Open Web Application Security Project) Global Summit, to be held February 8th-11th in Lisbon, will bring together the most prominent experts in the area of web application security, with the purpose of furthering the ongoing efforts in application security and promoting solutions that will help reduce the risks and the mistakes incurred by everyone who uses the Web as a workplace and as an information sharing tool – personal, corporate and governmental alike.

The Summit will consist of intensive and collaborative four-day working sessions across a variety of topics important to our industry, such as metrics, browser security, cross-site scripting eradication, mitigation and secure coding.

What’s at stake is tackling the threats of cybercrime, both by making clear that security breaches have high costs to organizations and by explaining the heavy impact that privacy violation has on users.

More than 175 attendees are expected, from more than 20 countries, including top OWASP leaders and security gurus from Google, Mozilla, Microsoft, Paypal, Dell, Apache, Verizon, and many more.

These topics are of the utmost importance, due to the recent development of information systems and the emergence of web 2.0 technologies, along with the corresponding increase in web applications and services, bringing forth so many implications regarding security and privacy. Never in our lives have we had so much critical personal information so dependent on, and simultaneously so threatened by, software and web applications (example: Facebook).

Despite the growing investments in security processes and techniques, the truth is we are in a critical situation. Applications still have massive vulnerabilities caused by the multiplicity of tasks and/or tools, while vendors and clients lack the awareness to address the issue. These are two weaknesses that are obviously leading to increasingly malicious attacks.

Given the general lack of awareness we can question what scenario would ultimately drive people or governments to take action. Widespread identity theft? Financial collapse? Mass logistic failure? Loss of critical information? Medical Systems Exploitation? Fraud? Paralyzed public institutions?

OWASP challenges application security leaders and industry players to share their expertise, experience and point of views to help reinforce web application security.



The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works voluntarily to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a charitable organization that supports and manages OWASP projects and infrastructure.

Contact Information: Abigail Vistas
217800828 – 916406948