Thursday, May 21
 

09:50 CEST

The Top 10 Web Hacks of 2014
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges.

Speakers
Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies’ and their customers’ data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web...
Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute...


Thursday May 21, 2015 09:50 - 10:35 CEST
Room E106 & E107 Amsterdam RAI

11:05 CEST

OWASP ZAP: More Advanced Features
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors.
While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing.
In this talk Simon will give a quick introduction to ZAP and then talk about some of the latest changes that have been made, including features that will not have been presented at any other conference.

Speakers
Simon Bennetts

ZAP Project Lead, Jit
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the...


Thursday May 21, 2015 11:05 - 11:50 CEST
Room Forum Amsterdam RAI

11:55 CEST

Rise Of The Machines - How Automated Processes Overtook the Web
While we all surf the web, read news, buy products or download songs, an entire world of automated minions is performing the dirty work for their human masters. These bots perform actions anywhere on the spectrum between legal and illegal. While some bots legally mine data from public web sites, others harass web sites by sending HTTP requests for different purposes such as content theft, comment spam, vulnerability scanning or even attempts to deny service to other users. Whether we like it or not, web bots of all kinds and forms are swarming the Internet.
 
In this presentation, we will provide an overview of the web bot world as it is seen by Akamai’s intelligent platform, which handles almost 30% of all web traffic every day. The presentation will cover the following topics:
History of web bots
Web bot types & their purposes
Legal & illegal bot activity (w/ real world examples)
Mitigation approaches to web bots

Speakers
Yossi Daya

Senior Security Researcher, Akamai Technologies
Yossi Daya serves as a Senior Researcher for Akamai's Cloud Security business unit. Yossi has over 13 years of experience in the cyber intelligence field with expertise in web data mining, information retrieval & software development.


Thursday May 21, 2015 11:55 - 12:40 CEST
Room Forum Amsterdam RAI

14:30 CEST

The API Assessment Primer
APIs are everywhere now. SOA, IoT, Mobile, and Thick clients all heavily rely on web services and APIs. This talk will present a primer on how to assess these services/interfaces for developers and testers alike. The introduction will include topics such as API identification, common implementations and frameworks. The bulk of the talk will focus on an assessment checklist that anyone can use to test these technologies for security flaws, covering topics such as:

Authentication
Verbosity
Hidden Functions
Lack of Access Control
Transport Security
Tampering/Trust
Injection

** Where possible we will point to free resources for assessors to carry out the testing ** 

Speakers
Greg Patton

Static Analysis Team Manager, HP Fortify on Demand
Greg Patton is the Static Application Security Testing (SAST) Team Manager with HP Fortify on Demand based in Houston, TX. Greg specializes in application security with a focus on dynamic run-time web and mobile assessments over the past eight years. Greg started his career in software...


Thursday May 21, 2015 14:30 - 15:15 CEST
Room Forum Amsterdam RAI

15:45 CEST

Abusing JSONP With Rosetta Flash
Discussions about how to protect personal data are lively, but until now there was no specific and independent description of privacy risks for web applications available. Thus, companies lack guidance to apply during systems development and users cannot easily check whether they are taking privacy risks. Therefore the OWASP Top 10 Privacy Risks project was founded in 2014 to develop a top 10 list of privacy risks in web applications. The project covers technological and organizational aspects like missing encryption or insufficient transparency; its results and practical countermeasures are presented in this session.

Speakers
Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.


Thursday May 21, 2015 15:45 - 16:30 CEST
Room Forum Amsterdam RAI
 
Friday, May 22
 

09:50 CEST

E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation
Most modern internet or mobile banking applications use some sort of second factor, such as TAN lists, SMS codes, time-based OTP tokens, etc., to let users verify banking operations and to protect against MitM or malware attacks. During security tests in pre-production, it often turns out that the tested banking systems have serious security flaws in the implementation of their transaction authorization mechanisms, which (if not detected and corrected) could allow an attacker to bypass or weaken those safeguards. During this presentation I would like to shed light on the security of transaction authorization mechanisms. The agenda will include:
• Examples of possible vulnerabilities which could allow an attacker to bypass those security mechanisms.
• Resistance of selected transaction authorization mechanisms to common banking malware attacks.
• Suggested best practices regarding implementation of transaction authorization.

Speakers
Wojtek Dworakowski

SecuRing
IT security consultant with over 15 years of experience in the field. Managing Partner at SecuRing, a company dealing with application security testing and advisory on IT security. Has led multiple security assessments and penetration tests especially for financial services, payment...


Friday May 22, 2015 09:50 - 10:35 CEST
Room Forum Amsterdam RAI

11:05 CEST

WebRTC, Or How Secure Is P2P Browser Communication?
In this presentation, we will provide the necessary insights into this emerging Web technology, and discuss the various security aspects of WebRTC. This content is based on a recent study of the Web Security specifications we have been conducting together with researchers at W3C and Trinity College Dublin in the context of the European FP7 research project STREWS.
Firstly, the overall WebRTC architecture will be presented, and the enabling technologies (such as STUN, TURN, ICE and DTLS-SRTP) will be introduced. This architecture will be illustrated in multiple deployment scenarios. As part of this description, the basic security characteristics of WebRTC will be identified.
Secondly, we will discuss how the new WebRTC technology impacts the security model of the current Web. We will highlight some of the weaknesses spotted during the security assessment, as well as discuss the open security challenges with the WebRTC technology.

Speakers
Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the...
Lieven Desmet (KU Leuven)

Senior Research Manager, KU Leuven
Lieven Desmet is a Senior Research Manager on Software Security at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware...


Friday May 22, 2015 11:05 - 11:50 CEST
Room E106 & E107 Amsterdam RAI

11:55 CEST

So, You Want To Use A WebView?
The (Android) WebView is an embeddable component that powers the majority of internet-enabled apps. In Android, WebViews are currently a hot topic but for all the wrong reasons. WebViews make connections, render HTML and run JavaScript, and so can be attacked using traditional web attacks like connection hijacking and XSS. Secondly, WebView-enabled apps combine local resources with web-based content that are rendered in the same container. This makes a Same Origin Policy bypass far more dangerous: it can mean access to the local device file-system and juicy local user data that you thought was sandboxed. Malicious code can even target other applications remotely by using the WebView as a proxy. Finally, WebViews create residual risks that simply cannot be mitigated through any in-app technical control. This talk is aimed at both testers and developers. Attendees will learn some fundamental WebView mistakes, how to attack them, how to fix them and which vulnerabilities simply must be accepted in this design.

Speakers
Andrew Lee-Thorp

Senior Consultant, Cigital
Andrew Lee-Thorp is a security consultant with over 10 years of experience, cutting his teeth in development from smart cards through to high-end server systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android...


Friday May 22, 2015 11:55 - 12:40 CEST
Room E102 Amsterdam RAI

14:30 CEST

Mobile Application Assessments By The Numbers: A Whole-istic View
By analyzing the data from over 100 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities, while today’s mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services). As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented.

Speakers
Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Friday May 22, 2015 14:30 - 15:15 CEST
Room E102 Amsterdam RAI

15:45 CEST

PDF - Mess With The Web
In this presentation Alex Inführ talks about possible attack vectors against web pages by using PDFs.
First the structure of a simple PDF will be presented to give a quick overview of the concept of PDF. Additionally, interesting features in the PDF specification will be discussed.
This includes information about privileged JavaScript, FormCalc, XFA, Actions and more.
Adobe Reader also has some interesting security concepts, which mostly focus on protecting the end user on a system level.

In the second part Alex Inführ will cover possible attacks against the user. This includes web related issues as well as attacks against the end user system.
The attacks show how privileged JavaScript can be used to steal local files from the user. Additionally possible XXE issues will be covered.
Another big topic is FormCalc and the possibility of reading any same-origin file. This gives attackers the possibility to break CSRF protection completely.

Last but not least Alex Inführ will talk about what protection could be applied.
This will cover methods for end users as well as for website owners.

Speakers
Alex Inführ

Alexander Inführ is a master's student from Austria. He is studying information security at the University of Applied Sciences in St. Pölten, Austria. Besides being a student, Alex works for the pentesting firm cure53 as a pentester. He is especially interested in web related...


Friday May 22, 2015 15:45 - 16:30 CEST
Room E102 Amsterdam RAI
 