In association with heise online

18 May 2009, 10:37

OWASP conference: web hacking and defensive methods


The Open Web Application Security Project (OWASP) is an open community that champions improvements to software security. Its AppSec conferences, to discuss secure software development, are held on a different continent each year. The key topics at this year's OWASP AppSec Europe 2009 conference, held in Krakow, Poland from the 13th to the 14th of May, included malware in the browser and tools for software security.

Developers and security experts from the online banking world heard two interesting presentations. Giorgio Fedon of the OWASP Anti-Malware Project reported on "The Bank in the Browser". The project aims to explain what present-day malware can do and what can be done to counter it. The use of "Man-in-the-Browser" (MITB) techniques to modify the user interface and snoop on identity credentials is currently state of the art. Mouse clicks or visual security features aren't effective, because screenshots also land in the drop zone where the stolen data is collected. There are specific templates for various bank portals on the black market that "supplement" the interface with HTML, JavaScript and browser APIs, and the spyware can be updated remotely. Malware can also be hidden by rootkits such as Mebroot.

Gunter Ollmann of Damballa, an IT security service provider, supplemented this with findings on the attackers' back-end tools. He says the tools for mass exploits on web sites, which use drive-by downloads to inject malware into the computer or the browser, are highly sophisticated, and most are better than all the audit tools for penetration testing available on the regular market. He mentioned that some tools for controlling botnets, Turkojan for instance, even offer 24/7 support via email or instant messaging.

Both speakers recommended the use of transaction authentication numbers (TANs), but these aren't in use everywhere in the world. Out-of-band methods (SMSs, one-time passwords, tokens) were described as passable defensive measures at present, although they could be defeated.

On the second big topic, tools for software security, many of the tools presented are OWASP projects and all are under an open-source licence. The open-source tool of choice for carrying out semi-automated black-box web vulnerability assessments is currently w3af. The tool was written in Python over a period of three years, mostly through the sole efforts of Andrés Riancho, but at the time of AppSec it was unfortunately still only at release candidate 2 of version 1.0. He appealed for assistance, citing the dependencies on various Python libraries as just one area needing work.

Bernardo Damele's presentation of sqlmap, which like w3af can integrate with Metasploit, drew applause. Sadly, sqlmap still doesn't support Oracle, only supports MySQL under Windows, and has no support for Java as a back-end programming language. It was admitted to the Debian SID repository in time for the start of AppSec.

Wendel Henrique from SpiderLabs, the advanced security team at Trustwave, and Sandro Gauci of EnableSecurity presented two new tools: WafW00f and WafFun, used respectively for fingerprinting and bypass testing of web application firewalls (WAFs). According to co-author Henrique, WafW00f supports twenty different products. Both tools can currently only be found in Google's SVN repository. The question naturally arises of whether WAF makers will soon be changing their signatures.

(Dr Dirk Wetter)
