Open Web Application Security Project
(sorry for the spam and for receiving multiple copies of this)
Best regards,
2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
and open for all conference attendees event will be held at the Vintage Wine
Bar at 6:30pm (near the conference location). We would appreciate it if you
let us know if you are coming so we can be ready, please mail
ofers@breach.com to confirm.
The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software.
Our mission is to make application security "visible," so that people and
organizations can make informed decisions about application security risks.
More details and registration on http://www.owasp.org/index.php/AppSecEU08
requests or responses[1]. Servlet filters are often recommended as an
effective way to perform input validation in Java web applications due
to the centralized nature and little modifications required to the
application's code.
The Open Web Application Security Project (OWASP) has developed Stinger,
which aims to provide a centralized input validation component which can
be easily applied to existing or developmental applications[4].
There is a vulnerability in servlet filters, such as the Stinger filter,
which under certain conditions will allow an attacker to bypass input
2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
**CALL FOR TRAINING SESSIONS**
Best regards,
Hi,
the German section of the Open Web Application Security Project (OWASP)
announces a Call for Presentations (CfP) for the third OWASP AppSec Germany
conference on the 20th of October 2010 in Nuremberg. The conference will
be held in parallel with the IT security exhibition. The conference is
primarily oriented toward a German-speaking audience, but
presentations in English are welcome. The OWASP AppSec Germany 2010 will
extend the range of typical security conferences with contributions
covering development, operation and test of web-based applications.
Mumbai Celebrates OWASP Day : OWASP Live 0
OWASP Day - Day of Worldwide OWASP One Day Conferences
Date: 6th September, 2007
Timing: 2:30 PM to 6:00 PM
Venue: HOTEL HEAVENS INDIA
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Thursday, August 20, 2009 2:18 AM
To: bugtraq@securityfocus.com
Subject: Bypassing OWASP ESAPI XSS Protection inside Javascript
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
OWASP Mumbai joins in celebrating OWASP Live 0.
OWASP Live 0 is Day of Worldwide OWASP One Day Conferences.
Block your calendar on 6th September 2007 to join us at the event. Registration for the event is FREE!
Interested in speaking / sharing your thoughts?
The topic of the event will be "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy, for example what happens to Privacy with SQL Injection, XSS and issues like pdp's Snoop).
The Joomla! Component com_bc does not properly escape the parameters
ctask, bcItemid, lang, nlang, rid, rsid, sec_code, template, and
usergid.
This leads to Cross Site Scripting vulnerability. For more information
about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
4. VERSIONS AFFECTED
3. VULNERABILITY DESCRIPTION
The BlastChat chat client Component does not properly escape the
"Itemid" parameter, which leads to a Cross Site Scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting').
4. VERSIONS AFFECTED
I am proud to announce the program for the OWASP Israel 2007 conference to be
held on Dec 3rd 2007 at the Interdisciplinary Center (IDC) Herzliya in
participation with the IDC's Efi Arazi Computer Science School. The
conference is free and open for everyone. You are also most welcome to send
this invitation to anyone who may be interested. Further information and the
full agenda can be found at:
https://www.owasp.org/index.php/OWASP_Israel_2007_Conference
The Program (full descriptions can be found at
Vendor Contact: 2/18/2010
Vendor Response: 2/18/2010
Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)
Credit: Jeromie Jackson CISSP, CISM
COBIT & ITIL Certified
President- San Diego Open Web Application Security Project (OWASP)
Vice President- San Diego Information Audit & Control Association (ISACA)
SANS Mentor
LinkedIn: www.linkedin.com/in/securityassessment
Blog: www.JeromieJackson.com
Twitter: www.twitter.com/Security_Sifu
Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP
I'm pleased to announce that the Zed Attack Proxy has been accepted as
an OWASP project.
Its new homepage is here:
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
The next release of OWASP ZAP, planned for later this year, is
expected to include:
* OWASP rebranding
* Improvements to the passive and active automated scanners
also be in attendance for portions of the class. So, if you ever wanted
a chance to learn more about ModSecurity and to pick the brains of the
ModSecurity experts, this is your chance :)
In the true nature of open source, most of the proceeds from the
course go to OWASP, the Open Web Application Security Project, for
open source projects and activities promoting web application security.
For more details, a complete program and registration go to:
https://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training
3. VULNERABILITY DESCRIPTION
Some URLs in phpMyAdmin do not properly escape user inputs, which leads
to a cross site scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
3. VULNERABILITY DESCRIPTION
Some URLs in Joomla! do not properly escape encoded user inputs, which
leads to a cross site scripting vulnerability.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
Hi there, I'd like to announce, as the deliverable for the OWASP Spring of Code
2007 project, the 0.50 release of Orizon.
Orizon is a source code review engine, built with the aim of giving
developers something usable to build code review tools.
Orizon is independent of the language used to write the sources
because its APIs translate the code into an XML file, and APIs are
provided to apply security checks over the translated XML file.
‣ Luciano Bello ; CITEFA/Si6 , Debian Project ; Argentina
‣ Marc Schoenefeld ; University of Bamberg ; Germany
‣ Matt Jonkman ; Emerging Threats.net (formerly bleedingthreats.net) ; USA
‣ Morgan Marquis-Boire ; Security-Assessment.com ; New Zealand
‣ Neelay S. Shah ; Foundstone Inc., A Division of McAfee ; USA
‣ Paolo Perego ; Spike Reply srl, Owasp Orizon Project leader ; Italy
‣ Peter Panholzer ; SEC Consult Unternehmensberatung GmbH ; Austria
‣ Rafael Dominguez Vega ; MWR InfoSecurity ; UK
‣ Saumil Udayan Shah ; CEO, Net-Square ; India
‣ Scott Lambert, Jason Geffner ; Microsoft, NGSSoftware Ltd. ; USA
‣ Sharon Conheady ; Ernst & Young ; UK
Local: Yes
Published: August 11, 2010
Timeline: Submission to MITRE: August 11, 2010
Version 1.1.0 of ZAP has now been released.
This release adds the following main features:
OWASP rebranding
Brute Force scanner c/o the OWASP DirBuster project
Port scanner
Active Scan tab
Enhancements to the Spider tab
Smartcard support c/o Andiparos
possible and no later than 1st March 2010.
CFP Program Committee
The CFP program committee is comprised of the following OWASP Greek
Chapter members:
* Athanasios Kostopoulos, [Senior Penetration Tester]
* Costas Vassilakis, [Professor, University of Peloponnese]
* Dimitris Mitropoulos, [Researcher, Athens University of
Example:
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<fmt:param value="${fn:escapeXml(comment.field['name'])}" />
Alternatively one could use the OWASP ESAPI (Enterprise Security API) to
encode all output. For more details on the OWASP ESAPI consult the
Google Code repository and see http://www.owasp.org/index.php/ESAPI
Example:
sensitive data, and comply with security requirements such as PCI.
VUPEN WASS is based on a proprietary technology developed by VUPEN security
experts, and combines black-box (smart and automated) and grey-box
(signature-based) scanning to accurately identify web vulnerabilities such
as those in the OWASP Top 10, including SQL injection and cross-site
scripting, but also real-world vulnerabilities such as shell command
injection and file inclusion.
Read More: http://www.vupen.com/english/wass/
Fingerprint Spoofing (OS Fingerprinting Defeating)
- Guillaume Prigent (France)
Web Application Firewalls
- Sebastien Gioria (OWASP France)
UC Security (Unified Communications Security)
- Abhijeet Hatekar (Sipera Systems) (India)
SS7
The issue is a lack of input validation. OWASP would be a great learning exercise for the coders on this product. It seems to be assumed that only trustworthy users will connect only to trustworthy sites. I could not find any evidence of input validation.
Through the magic of WebScarab and Paros proxy, one can capture the Internet communications used by the F90 Internet Connection Kit software. What you soon see is that the software does not account for either bypassing the local application and changing the input, or spoofed and redirected sites.
The software does not validate the site it gets the information from, nor does it sufficiently validate the input to the software.
At the moment, as I think there are so few people as crazy as I am who actually have to have a gadget just because it is Internet connected, this is not likely to become a widespread attack vector.
The software is an oversized web proxy with other stuff to connect to the coffee machine thrown in. Jura did not make the assumption that an evil attacker could purposefully modify and publish "evil" coffee recipes.
Securitybyte & OWASP AppSec Asia Conference is a forum where Ethical Hackers, Practitioners, Researchers, and Developers in the Information Security field gather to showcase and exchange new research, innovations, practical ideas and experiences. If you are developing, researching, or implementing practical solutions to protect Corporate or Government Information Infrastructures, please consider sharing your experience and expertise at this conference.
First round of CFP submission is July 30th, 2009.
Send your interest and submissions to cfp@securitybyte.org
For any Speaking query, please contact us at speakers@securitybyte.org
We are seeking submissions for both the two-day Conference Track & the post-conference two-day Training workshops in the following areas:
Conference Tracks (17 – 18 Nov, 2009)
Ofer Shezaf
Work: ofers@breach.com, +972-9-9560036 #212
Personal: ofer@shezaf.com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project