OWASP conference: web hacking and defensive methods
The Open Web Application Security Project (OWASP) is an open community that champions improvements to software security. Its AppSec conferences on secure software development are held on a different continent each year. The key topics at this year's OWASP AppSec Europe 2009 conference, held in Krakow, Poland on the 13th and 14th of May, were malware in the browser and tools for software security.
Gunter Ollmann of Damballa, an IT security service provider, supplemented this with findings on the back-end tools used by attackers. He says the tools for mass exploitation of web sites, which use drive-by downloads to inject malware into the computer or the browser, are highly sophisticated, and most are better than any of the penetration-testing audit tools available on the regular market. He mentioned that some tools for controlling botnets, Turkojan for instance, even come with 24/7 support via email or instant messaging.
Both speakers recommended the use of transaction authentication numbers (TANs), but these are not in use everywhere in the world. Out-of-band methods (SMS, one-time passwords, hardware tokens) were described as passable defensive measures for now, although they too can be defeated.
On the second big topic, tools for software security, many of the tools presented are OWASP projects, and all are under an open-source licence. The open-source tool of choice for semi-automated black-box web vulnerability assessments is currently w3af. The tool was written in Python over a period of three years, mostly through the sole efforts of Andrés Riancho, but at the time of AppSec it had unfortunately still only reached version 1.0 release candidate 2. He appealed for assistance, citing the dependencies on various Python libraries as just one area needing work.
Bernardo Damele's presentation of sqlmap, which like w3af can integrate with Metasploit, drew applause. Sadly, sqlmap still doesn't support Oracle, under Windows it only supports MySQL, and Java is not a supported programming language. It was accepted into Debian's sid (unstable) repository in time for the start of AppSec.
Wendel Henrique from SpiderLabs, the advanced security team at Trustwave, and Sandro Gauci of EnableSecurity presented two new tools: WafW00f and WafFun, used respectively for fingerprinting web application firewalls (WAFs) and for testing whether they can be bypassed. According to co-author Henrique, WafW00f supports twenty different products. Both tools can currently only be found in Google Code's SVN repository. The question naturally arises of whether WAF makers will soon be changing their signatures.
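What "fingerprinting" a WAF means in practice, sketched here as an added example in Python. This is not WafW00f's code, and the product names, signature table, probe payload and HTTP responses are all constructed for illustration. The generic approach is the one such tools take: send a harmless request, then the same request carrying an attack-style payload, check whether the second is treated differently (blocked status, changed Server header), and match artifacts in the response (headers, cookies, block-page text) against a table of known signatures. The second constructed case, a WAF that serves its block page with status 200, shows why the signature match is needed in addition to the differential check.

```python
"""Illustrative WAF fingerprinting over captured HTTP responses (added example)."""
from dataclasses import dataclass

# Constructed probe: the "attack" request is the benign request with this as the query value.
PROBE_PAYLOAD = "<script>alert(1)</script>"

# Status codes a blocking WAF commonly answers with (generic, not vendor-specific).
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased; repeated headers folded with "; "
    body: str = ""


def parse_response(raw: str) -> Response:
    """Parse a raw HTTP/1.1 response (CRLF line endings) into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}; {value}" if key in headers else value
    return Response(status, headers, body)


# Hypothetical signatures: product name -> predicate over the response to the probe.
# Real tools carry one such entry per supported product; these are made up.
SIGNATURES = {
    "ExampleShield (hypothetical)":
        lambda r: r.headers.get("server", "").lower().startswith("exampleshield"),
    "AcmeGuard (hypothetical)":
        lambda r: "acmeguard_id=" in r.headers.get("set-cookie", "").lower(),
}


def waf_present(normal: Response, attack: Response) -> bool:
    """Differential check: was the probe request handled differently from the benign one?

    A blocking status that the benign request did not get, or a Server header that
    changes between the two responses (a reverse-proxy WAF answering in place of the
    origin), both point to an inline filter. A dropped connection would too, but that
    case is not modelled here because we only look at completed responses.
    """
    status_changed = attack.status != normal.status and attack.status in BLOCK_STATUSES
    server_changed = normal.headers.get("server") != attack.headers.get("server")
    return status_changed or server_changed


def identify_waf(attack: Response) -> list:
    """Return the names of all signatures matching the probe response."""
    return [name for name, match in SIGNATURES.items() if match(attack)]


def fingerprint(normal_raw: str, attack_raw: str) -> dict:
    """Combine signature matching with the differential check.

    A product signature alone is enough: a WAF that serves its block page with
    status 200 and an unchanged Server header would escape waf_present().
    """
    normal, attack = parse_response(normal_raw), parse_response(attack_raw)
    products = identify_waf(attack)
    return {"waf_detected": bool(products) or waf_present(normal, attack),
            "products": products}


# Constructed sample responses (not captured from any real product).
NORMAL = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
          "<html>search results for: hello</html>")
UNPROTECTED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
               f"<html>search results for: {PROBE_PAYLOAD}</html>")
BLOCKED_EXAMPLESHIELD = ("HTTP/1.1 403 Forbidden\r\nServer: ExampleShield/2.1\r\n"
                         "Content-Type: text/html\r\n\r\n<html>Access denied by ExampleShield</html>")
BLOCKED_ACMEGUARD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nSet-Cookie: acmeguard_id=abc123; Path=/\r\n"
                     "Content-Type: text/html\r\n\r\n<html>Request blocked</html>")
BLOCKED_UNKNOWN = ("HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                   "<html>Not Acceptable</html>")

if __name__ == "__main__":
    for label, attack in [("unprotected", UNPROTECTED), ("exampleshield", BLOCKED_EXAMPLESHIELD),
                          ("acmeguard", BLOCKED_ACMEGUARD), ("unknown", BLOCKED_UNKNOWN)]:
        print(label, fingerprint(NORMAL, attack))
```

The fourth case, a 406 from an otherwise unchanged origin, is reported as "WAF detected, product unknown": the differential check fires but no signature matches. That is exactly the gap a vendor would aim for by changing the artifacts its block page exposes, which is what the closing question in the paragraph above is about.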
(Dr Dirk Wetter)