(2011-01-31) OWASP enlightenment on new web standards

In the IT-security world there are a number of fundamental technologies whose security features and vulnerabilities you must understand to keep your systems secure. But on top of those you'll find an ever-changing set of standards, protocols and technologies that appear seemingly out of nowhere. Some of them disappear just as quickly, whereas others become ubiquitous. In the part of IT made up of web applications, web servers and all the different kinds of browsers, a couple of new standards are on the horizon. Thankfully there are many good places to go when you need to understand what you may have to work with or secure in the future. One of those is OWASP.

OWASP, or The Open Web Application Security Project as is its full name, opened its Swedish chapter in 2008. Among its founders were people from the Swedish security firm "Omegapoint". OWASP is a non-profit organization; membership is free and you're considered a member if you join their mailing list. Here in Sweden, just as in the rest of the world I guess, they semi-regularly arrange seminars on security. Some cost money but many are free and well attended.

On the 31st of January 2011 I attended a two hour presentation hosted by OWASP and sponsored by Omegapoint. Here are some of my notes.

The event started at 5.30 PM with some light food and a chance to mingle with the other attendees. After 30 minutes, it was time to walk into the auditorium and listen to the speakers.

Here are my own notes as I interpreted what was said.

The first lecture was held by Daniel Stenberg of Haxx.se and covered the history of cookies and the upcoming WebSockets technology, presented as a replacement for HTTP.

He discussed the history of web cookies and noted that two of the RFCs never managed to get into the most common browsers and thus "died out".

The second part covered WebSockets:
- WebSockets is considered a bi-directional, message-oriented HTTP protocol.
- It is both a JavaScript API and a TCP-based protocol. This can be confusing.
- The project was started by WHATWG but later taken over by IETF.
- Nicknamed "Hybi".
- WebSockets are negotiated by "upgrading" from regular HTTP. It's a bit like starting an SSL negotiation over HTTP.
- A lot of issues are still being discussed and sorted out.

The second lecture discussed how to conduct application testing on WebSocket-enabled web applications. It was held by Martin Holst Swende.

- WebSockets are not yet supported by most HTTP proxies, making application testing a bit harder than with regular HTTP.

He demonstrated how to create "wrappers" in JavaScript around two methods, making it possible to monitor what was sent and received.

On a lighter note he told us about the rather simple mistake Twitter made when they tried to filter out potential cross-site scripting code. They managed to filter out only the first script tag and failed to remove any further ones within the same message. Yup, hackers exploited this!

Finally he demonstrated what can be done to cause man-in-the-middle attacks with a program called Mallory.

The third lecture covered the newly proposed HTTP security headers and was held by OWASP Sweden co-founder John Wilander.

- HTTP Strict Transport Security
Counteracts attempts to strip off SSL and force the connection back to regular HTTP. This attack technique was demonstrated a while back by Moxie Marlinspike. None of the existing web browser implementations will use HTTP Strict Transport Security over non-standard ports.

- X-Frame-Options
This header tells the browser not to let the page be shown in a frame. It can forbid all framing or allow only frames from the domain the page was retrieved from. It's meant to stop clickjacking attacks.

- Content Security Policy
Allows whitelisting so that scripts will only be allowed to run if they come from trusted domains. This also cuts out inline scripts, which is a powerful security measure. It has the potential to break the functionality of non-harmful pages as well.

- Site Security Policy
A collection of security technologies that implements features like the ones mentioned above.
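As an added example (not from any of the talks, nor OWASP's own code), here is a small Python checker that parses a raw HTTP response and reports whether the three protections above are in place. The two sample responses are constructed, and the header names Strict-Transport-Security, X-Frame-Options and Content-Security-Policy are assumed to be the ones the browsers settled on.

```python
import re

# Constructed sample responses: one without the headers, one with them set.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response (status line skipped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings for the three protections; an empty list means all look sane."""
    h = parse_headers(raw)
    findings = []
    # HSTS: missing or max-age=0 means the browser will still follow a plain-HTTP downgrade.
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if not max_age or int(max_age.group(1)) == 0:
        findings.append("HSTS missing or max-age not positive: SSL-stripping downgrade possible")
    # X-Frame-Options: only DENY or SAMEORIGIN actually stops the page from being framed.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN: page can be framed (clickjacking)")
    # CSP: absent means scripts from any source and inline scripts run;
    # 'unsafe-inline' in the policy switches the inline-script protection back off.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy: scripts from any origin and inline scripts allowed")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': the inline-script protection is switched off")
    return findings
```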

The lectures were all done by 8 PM and afterwards we had beer and mingling. The whole evening was well thought out and the lectures were interesting and informative. If you live in Sweden, and preferably in Stockholm (most events are held here!), why not join OWASP. I've been a member since 2008. Note that most lectures are held in Swedish and some of the events cost money. All information can be found here!

The next event is planned for the 7th of March. It will be on HTML5 security, held by Mario Heiderich.

Tags: Owasp, web application security
Posted: 2011-01-31 by Erik Zalitis
Changed: 2011-02-01 by Erik Zalitis