Aptana (Eclipse juiced up for web developers) recently drank the python coolaid and provided integration via PyDev. So I thought I would try it out. I was surprised when a standard installation yielded the following error:

Unable to complete action for feature “PyDev for Eclipse” due to errors.   Unable to create file “/C:/Program Files/Aptana/Aptana Studio 1.2/plugins/org.python.pydev_1.4.4.2636\PySrc/ThirdParty/wrapped_for_pydev/ctypes/_ctypes.dll”. [C:\Program Files\Aptana\Aptana Studio 1.2\plugins\org.python.pydev_1.4.4.2636\PySrc\ThirdParty\wrapped_for_pydev\ctypes\_ctypes.dll (Access is denied)]

Ah, I quickly figured out that the problem was that I put my Aptana installation in “Program Files” which on Windows Vista is protected by a chastity belt. So does this mean no one at Aptana tried installing pydev on Windows Vista in Program Files? Anyway, a simple solution was to change the installation location for the PyDev.

OK this is a meaningless post intended for the googlebots.

I attended the OWASP AppSec 2008 conference last week (Sept 24-25) in New York City. It had many great talks and notable moments, but may be remembered for one talk that did not happen. WhiteHat Security had a presentation on an exploit they called “Clickjacking” — basically when an attacker can make you click where they want you to click even if you click somewhere else. But they pulled the talk because a vendor got scared. WhiteHat frontman Jeremiah Grossman did give an illuminating talk (“Get Rich or Die Trying”) on how people are making money on the web, lots of money, illegally. You’ll definitely want to check out this presentation when the conference videos are posted on the web.

On the positive side (from the perspective of securing software), one of my favorite talks was by Jeff Williams of Aspect Security, who introduced the OWASP Enterprise Security API (ESAPI). The goal of ESAPI is to provide a standard, simple and secure API for doing validation, encoding, encryption, logging, user and session management, authentication, file uploads and other tasks necessary for secure coding. It could do for secure coding what Java concurrency utilities library does for concurrency. I think my favorite feature is the AccessReferenceMap which simply allows developers to provide an indirect reference to resources (such as files or user ids), so that the actual resource is not exposed in the URL or HTTP header.

An interesting side affair run throughout the conference was the Capture The Flag competition, set up by some students at New York Polytechnic University. Basically a server was set up with 30+ applications with different vulnerabilities, and attendees were allowed to hack away at the applications for points and prizes (of course, they put all this on a dedicated WIFI network, not the hotel’s WIFI). I got in on the action a little late, but still got the exhilaration of successfully hacking 4 applications. Anyway, the organizers announced that they would release the source code for the game server with vulnerable applications, no doubt providing hours of joy for ACM student chapters and antisocial graduate students. (It is not available yet, but if you are looking for something to hack, check out WebGoat.)

Other notable moments were (ISC)² unveiling a new certification process (Certified Information Systems Security Professional – CISSP), Gunter Ollmann‘s talk on the 100 Billion Dollar a year industry in attacking banks, Lee Kushner’s talk on how to get an AppSec job, and Zed Abbadi’s talk on how usability affects security.

On a personal note, the conference was a good opportunity for me to meet many vendors in the security domain and inform them about my research efforts. I made contacts at Aspect Security, Amazon.com, Imperva, Protiviti and ts/sci security that I hope to follow up with. Unfortunately, I did not win any of the raffles (including a 42-inch HDTV) despite meticulously depositing my business card with every vendor.

UPDATE: Some videos are now up at http://www.owasp.tv/. Also, “clickjacking” made the top news stories on Yahoo News.

UPDATE II: Jeremiah Grossman has now posted specific details (and video) about the clickjacking demo he was going to do at OWASP. Basically a hacker can take over your camera or microphone when you visit an infected site! They do this by forcing you to click the “Allow” button in the flash player without you realizing it. This incarnation of the exploit is probably not too lucrative, though you could use it to spy on your girlfriend!

5 hours later, I still can’t get the @%#& thing to work. Finally I stumble upon this forum post where someone else had the same problem. The cause:

XIFF was sending an initialization message:

<?xml version=”1.0″?><stream:stream to=”im.flosoft.biz” xmlns=”jabber:client” xmlns:stream=”http://etherx.jabber.org/streams” version=”1.0″>

My XMPP server (in this case im.flosoft.biz) was expecting:

<?xml version=”1.0″?><stream:stream to=”im.flosoft.biz” xmlns=”jabber:client” xmlns:stream=”http://etherx.jabber.org/streams”>

(missing the version=”1.0″ at the end) And because of this simple omission, the exchange failed. completely. horribly.

Well the solution is simply to edit line 108 in XMPPSocketConnection.as and remove version=”1.0″

Hope this helps someone.

UPDATE:

The modified file is: XMPPSocketConnection.as

Powered by Jott

Powered by Jott

Powered by Jott

Powered by Jott

Powered by Jott

Time-of-check, time-of-use race conditions (TOCTOU) occur when a program checks a property and then makes a decision based on this property later on. The classic example is when a c program checks the access properties of a file using the file name and the access() method, and then tries to open and write to the file later. An attacker could change the meaning of the file name between the access and the open, and steal information.