The OWASP 2008 Application Security Conference is September 24th & 25th 2008
in New York City.
With over 50 AppSec speakers, 6 training classes and a Capture the Flag event, this is the largest web application security focused conference anywhere. Don't miss it!
Event agenda and registration:
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Monday, August 18, 2008
Monday, August 11, 2008
SurfJacking: HTTPS will not save you, but "secure" will
There is a lot of talk out there about a new tool for "SurfJacking". The basic premise is that an attacker who can sniff and tamper with your network traffic can steal your session even though the site uses SSL. The trick is that browsers key cookies by host, not by scheme: a cookie the site set over https:// is also sent on any plaintext http:// request to the same host, so the attacker only has to get your browser to make one such request (for example by injecting a redirect into some other plaintext page you load) and read the cookie off the wire. This sounds scary, and it is bad. If you get lazy about reading papers, as I sometimes do, here is the primary fix: set the "secure" flag on your cookies.
What is the secure flag?
a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping. - OWASP
Don't get hung up on the "critical for the integrity" part. If you went to the effort of creating a cookie for the user, it's probably important. Go ahead and set the secure flag, and the browser will refuse to send it over plain http://.
Haven't heard of SurfJacking? Look here:
New Tool to Automate Cookie Stealing from Gmail, Others. Washington Post
SurfJacking.pdf from net-security.org
Since we are setting flags, go ahead and also set the httpOnly flag. This is unrelated to the above issue, but it's a good move: an httpOnly cookie is not readable through document.cookie, so a cross-site scripting bug can't simply ship the cookie off to the attacker. It doesn't fix the XSS itself, but it takes cookie theft off the table.
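To make the browser rule concrete, here is an added example (my own code, written for this post, not code from the original article or from the SurfJacking paper). It builds a Set-Cookie header with the Python standard library and models how a browser decides whether to attach the stored cookie to an http:// versus an https:// request, which is exactly the decision SurfJacking abuses. The host bank.example and the SESSIONID cookie are made up for the illustration.

```python
"""Model of the browser rule SurfJacking abuses, and the two cookie flags
that address it.  Added example, not code from the original post; the
host name, cookie name and value below are made up."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def set_cookie_header(name, value, secure=True, httponly=True, path="/"):
    """Return a Set-Cookie header value; Secure and HttpOnly are on by default."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if secure:
        jar[name]["secure"] = True      # browser sends it over https:// only
    if httponly:
        jar[name]["httponly"] = True    # hidden from document.cookie
    return jar[name].OutputString()


def parse_set_cookie(header):
    """Parse one Set-Cookie header into the record a browser would store."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def cookies_sent(stored, url):
    """Cookies a browser attaches to a request for `url`.

    Cookies are scoped to the host, not the scheme: a cookie set by
    https://bank.example is also sent to http://bank.example unless it
    carries the Secure flag.  Forcing that one plaintext request and
    sniffing it is the whole SurfJacking attack."""
    scheme = urlsplit(url).scheme
    return {
        c["name"]: c["value"]
        for c in stored
        if not (c["secure"] and scheme != "https")
    }


def readable_by_script(stored):
    """Cookie names an injected script could read via document.cookie."""
    return sorted(c["name"] for c in stored if not c["httponly"])


def surfjack(header):
    """Victim logs in over HTTPS and receives `header`; the attacker then
    forces the victim's browser to fetch http://bank.example/ and sniffs
    whatever cookies go out with that plaintext request."""
    stored = [parse_set_cookie(header)]
    # Sanity check: the cookie always flows on the legitimate HTTPS request.
    assert cookies_sent(stored, "https://bank.example/account") == {
        stored[0]["name"]: stored[0]["value"]
    }
    return cookies_sent(stored, "http://bank.example/")


if __name__ == "__main__":
    weak = set_cookie_header("SESSIONID", "deadbeef", secure=False, httponly=False)
    fixed = set_cookie_header("SESSIONID", "deadbeef")
    print("no flags:", weak, "-> sniffed:", surfjack(weak))
    print("flagged :", fixed, "-> sniffed:", surfjack(fixed))
    print("visible to XSS:", readable_by_script([parse_set_cookie(weak)]),
          "vs", readable_by_script([parse_set_cookie(fixed)]))
```

Run as a script, the first line shows the unflagged session cookie leaking on the forced plaintext request and the second shows nothing leaving the browser. To check a live site, request your login URL with `curl -sI` and confirm every Set-Cookie line that carries session state ends with both `Secure` and `HttpOnly`.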
-Michael Coates
Posted by Michael Coates
Chicago OWASP Event
The next Chicago OWASP meeting is just around the corner. I highly recommend you attend if you weren't planning to already.
Details:
When: Thursday, August 21st, 2008 at 6pm CDT.
Where: Bank of America Plaza at 540 W. Madison, Downtown Chicago, 23rd floor.
RSVP: email jason{AT}wittys.com by 8/19/2008 if you plan to attend.
Agenda
6:00 Refreshments and Networking
6:15 Bad Cocktail: Spear Phishing + Application Hacks - Rohyt Belani, Managing Partner, Intrepidus Group
7:15 Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Jeremiah Grossman, Founder & CTO of Whitehat Security
See you there.
-Michael Coates
Posted by Michael Coates
Friday, August 1, 2008
Heading to Black Hat
I'll be heading to Black Hat this weekend. Stop by the Advanced Web Application Penetration Testing class and say hello. Otherwise I'll be at the OWASP/WASC event on Wednesday and of course attending the sessions on Wednesday/Thursday.
Looking forward to a good conference...
-Michael Coates
Posted by Michael Coates