HITB 2008 ...




We are conducting training and speaking on Web 2.0 Attacks at HITB in Malaysia. They have great trainings and talks lined up this year as well. I look forward to meet lot of folks out there.

Training
Talk
We have training and speaking event at OWASP Appsec in Delhi - India. Seems a great event.

More on it.

One Day Workshop Series

We are conducting one day application security workshops in various cities in India. If you are interested in it.

More information here.

AppCodeScan 1.2 - Posted...

We did some source code assessment and on the basis of it .NET application rules are added. Can download and play around with the tool.

Link to tools page

Secure Application Coding Training at Syscan Singapore


[1st July 2008] Syscan - Singapore
Secure Application Coding Training


Application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. To avoid these sort of security issues one needs to follow sound secure coding and design principals. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to the production. The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum.
Secure Coding course for Applications is hands-on class. The class features real life cases, hands one exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class would then focus on what are the proper ways of writing secure code and analyze the code base. This class addresses popular languages and platforms like VB/C# (.NET), Java(J2EE), PHP, ASP etc.

Paper on Blind SQL injection

This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges.

Download - PDF
Read here in HTML

HackInTheBox & RSA 2008- Blueinfy Training and Research

Training Title: Web Application Security – Advanced Attacks and Defense
Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate
Presentation Details:
McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking site but forming backend to enterprise level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation will be full of real life cases, live demonstrations, new tools and techniques along in-depth coverage on the latest concepts and methodologies.

Presenting Research at RSA 2008


Session Code: SOA-202
Session Title: Web 2.0 Security Chess: Combat Strategies and Defense Tactics
Scheduled Date/Time: Wednesday, April 09 09:10 AM
RED ROOM 310
Session Abstract: Ajax, web services and rich Internet (Flash) are redefining moves on the security chessboard. Attack strategies are emerging like cross-site scripting with JSON or cross-site request forgery with XML. This session will cover Web 2.0 attacks, tools for assessment, and approaches for code analysis with demonstrations. Professionals can apply knowledge in real life to a secure Web 2.0 application layer.

Agenda

Infosecworld 08 - Presentations on iHTTPModule and CSRF

You can go through my presentation and research work on iHTTPModule and CSRF. I have posted them on slideshare. Here is the posting you can view over here or go to the slideshare.

[CSRF]

[.NET iHTTPModule - Interesting stuff]

InfosecWorld - iHTTPModule and CSRF

Speaking on iHTTPModule with IIS 7.0 integrated pipe. It can help in building defense by creating WAF. Also, addressing CSRF and security controls around it. Looking forward to meet some of the application security folks as well.

Workshop in Dubai - Application Security


Having 2 days workshop for ISACA in Dubai. Look forward to meet some of UAE folks. Cheers!

If you are interested in joining - More Detail

BLackhat DC - On Web 2.0 Scanning


Scanning Applications 2.0 - Next generation scan, attacks and tools

Ajax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.

This presentation will focus on core Web 2.0 security issues along with assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture with security standpoint. We will evaluate real life vulnerabilities with Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is very critical step to determine application security posture. 3.) Crawling Ajax driven application is biggest challenge and we will cover approaches to address this critical issue by dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 application for security holes is an emerging issue. It needs lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses for SOAP, REST and XML-RPC based Web Services along with innovative fuzzing.