I’ve recently gone on a Python binge. I like the quick scripting, but I’m also trying to explore the code analysis tools for Python.

Aptana (Eclipse juiced up for web developers) recently drank the Python Kool-Aid and provided integration via PyDev. So I thought I would try it out. I was surprised when a standard installation yielded the following error:

Unable to complete action for feature "PyDev for Eclipse" due to errors. Unable to create file "/C:/Program Files/Aptana/Aptana Studio 1.2/plugins/org.python.pydev_1.4.4.2636\PySrc/ThirdParty/wrapped_for_pydev/ctypes/_ctypes.dll". [C:\Program Files\Aptana\Aptana Studio 1.2\plugins\org.python.pydev_1.4.4.2636\PySrc\ThirdParty\wrapped_for_pydev\ctypes\_ctypes.dll (Access is denied)]

Ah, I quickly figured out that the problem was that I put my Aptana installation in “Program Files”, which on Windows Vista is protected by a chastity belt. So does this mean no one at Aptana tried installing PyDev on Windows Vista in Program Files? Anyway, a simple solution was to change the installation location for PyDev.

OK this is a meaningless post intended for the googlebots.

OWASP AppSec 2008

(Cross-posted on PLUM Ideas)

I attended the OWASP AppSec 2008 conference last week (Sept 24-25) in New York City. It had many great talks and notable moments, but may be remembered for one talk that did not happen. WhiteHat Security had a presentation on an exploit they called “Clickjacking” — basically when an attacker can make you click where they want you to click even if you click somewhere else. But they pulled the talk because a vendor got scared. WhiteHat frontman Jeremiah Grossman did give an illuminating talk (“Get Rich or Die Trying”) on how people are making money on the web, lots of money, illegally. You’ll definitely want to check out this presentation when the conference videos are posted on the web.

On the positive side (from the perspective of securing software), one of my favorite talks was by Jeff Williams of Aspect Security, who introduced the OWASP Enterprise Security API (ESAPI). The goal of ESAPI is to provide a standard, simple and secure API for doing validation, encoding, encryption, logging, user and session management, authentication, file uploads and other tasks necessary for secure coding. It could do for secure coding what Java concurrency utilities library does for concurrency. I think my favorite feature is the AccessReferenceMap which simply allows developers to provide an indirect reference to resources (such as files or user ids), so that the actual resource is not exposed in the URL or HTTP header.
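The indirect-reference idea behind AccessReferenceMap is easy to show in code. The following is an added example written for this post, not OWASP ESAPI's own implementation: a per-session map hands the browser a random, opaque token in place of the real file path or user id, and on the way back it refuses to resolve any token it did not issue itself, so a client cannot name a resource directly. The class, method and sample resource names are my own.

```python
"""Indirect object references in the style of ESAPI's AccessReferenceMap.

Added example, not ESAPI code. One map per user session: the tokens issued
to one user mean nothing in another user's map, and the real reference
(a path, a database id) never appears in a URL or HTTP header.
"""
import secrets


class AccessControlError(Exception):
    """Raised when a client presents a token this map never issued."""


class AccessReferenceMap:
    def __init__(self, direct_refs=(), token_bytes=16):
        self._to_indirect = {}   # direct reference -> opaque token
        self._to_direct = {}     # opaque token -> direct reference
        self._token_bytes = token_bytes
        for ref in direct_refs:
            self.add(ref)

    def add(self, direct):
        """Register a resource the current user may access; idempotent."""
        if direct not in self._to_indirect:
            token = secrets.token_urlsafe(self._token_bytes)
            while token in self._to_direct:  # collision is vanishingly unlikely
                token = secrets.token_urlsafe(self._token_bytes)
            self._to_indirect[direct] = token
            self._to_direct[token] = direct
        return self._to_indirect[direct]

    def remove(self, direct):
        """Revoke access: the old token stops resolving immediately."""
        token = self._to_indirect.pop(direct, None)
        if token is not None:
            del self._to_direct[token]

    def indirect(self, direct):
        """Token to embed in a URL or form field instead of the real reference."""
        if direct not in self._to_indirect:
            raise AccessControlError(f"unauthorised reference: {direct!r}")
        return self._to_indirect[direct]

    def direct(self, indirect):
        """Resolve a token taken from a request; unknown tokens are a violation."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlError("unknown or forged reference") from None


def build_download_link(refmap, path):
    """What the page template emits: the token, never the path (hypothetical URL)."""
    return "/download?file=" + refmap.indirect(path)


def handle_download(refmap, query_value):
    """Server side of the hypothetical /download endpoint: map the token back."""
    return refmap.direct(query_value)


if __name__ == "__main__":
    # Constructed sample data for one user's session.
    session_map = AccessReferenceMap(["/data/report-2008.pdf", 42])
    link = build_download_link(session_map, "/data/report-2008.pdf")
    print(link)  # e.g. /download?file=<random token>
    print(handle_download(session_map, link.split("=", 1)[1]))
```

The point worth noticing is what happens when a user edits the token in the URL: with a direct reference (`?file=/data/report-2008.pdf` or `?user=42`) guessing a neighbouring value is trivial, whereas here the edited token is simply not in the map and the request fails closed.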

An interesting side affair run throughout the conference was the Capture The Flag competition, set up by some students at New York Polytechnic University. Basically a server was set up with 30+ applications with different vulnerabilities, and attendees were allowed to hack away at the applications for points and prizes (of course, they put all this on a dedicated Wi-Fi network, not the hotel’s Wi-Fi). I got in on the action a little late, but still got the exhilaration of successfully hacking 4 applications. Anyway, the organizers announced that they would release the source code for the game server with vulnerable applications, no doubt providing hours of joy for ACM student chapters and antisocial graduate students. (It is not available yet, but if you are looking for something to hack, check out WebGoat.)

Other notable moments were (ISC)² unveiling a new certification process (Certified Information Systems Security Professional – CISSP), Gunter Ollmann‘s talk on the 100 Billion Dollar a year industry in attacking banks, Lee Kushner’s talk on how to get an AppSec job, and Zed Abbadi’s talk on how usability affects security.

On a personal note, the conference was a good opportunity for me to meet many vendors in the security domain and inform them about my research efforts. I made contacts at Aspect Security, Amazon.com, Imperva, Protiviti and ts/sci security that I hope to follow up with. Unfortunately, I did not win any of the raffles (including a 42-inch HDTV) despite meticulously depositing my business card with every vendor.

UPDATE: Some videos are now up at http://www.owasp.tv/. Also, “clickjacking” made the top news stories on Yahoo News.

UPDATE II: Jeremiah Grossman has now posted specific details (and video) about the clickjacking demo he was going to do at OWASP. Basically a hacker can take over your camera or microphone when you visit an infected site! They do this by forcing you to click the “Allow” button in the flash player without you realizing it. This incarnation of the exploit is probably not too lucrative, though you could use it to spy on your girlfriend!

For a class project I thought I would use XIFF to connect two Flash clients together as an instant messenger. Should be simple enough — I had a working prototype with a similar library by Nick Velloff. So I decided to try to simply write some login code (and get a nice sound on my Pidgin IM client). …

5 hours later, I still can’t get the @%#& thing to work. Finally I stumbled upon this forum post where someone else had the same problem. The cause:

XIFF was sending an initialization message:

<?xml version="1.0"?><stream:stream to="im.flosoft.biz" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

My XMPP server (in this case im.flosoft.biz) was expecting:

<?xml version="1.0"?><stream:stream to="im.flosoft.biz" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">

(missing the version="1.0" at the end). And because of this simple omission, the exchange failed. Completely. Horribly.

Well, the solution is simply to edit line 108 in XMPPSocketConnection.as and remove version="1.0".
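To make the two stream headers above concrete, here is an added Python example (written for this post; it is not XIFF's code, and it says nothing about what im.flosoft.biz actually runs). It builds the client's opening `<stream:stream>` tag with or without the version attribute, escaping the server name so a stray quote cannot break the tag, and parses a received header incrementally. The version attribute was introduced by XMPP 1.0 (RFC 3920), which is why the parser treats its absence as a pre-1.0 peer. The function names are my own.

```python
"""Build and parse XMPP stream headers (added example, not XIFF's code)."""
import xml.parsers.expat
from xml.sax.saxutils import quoteattr

STREAM_NS = "http://etherx.jabber.org/streams"
CLIENT_NS = "jabber:client"


def build_stream_header(to, version="1.0"):
    """Return the opening <stream:stream> tag a client sends.

    version=None omits the attribute, which is the workaround the post
    applies to XMPPSocketConnection.as. quoteattr() escapes the server
    name so an odd value cannot break out of the attribute.
    """
    attrs = [("to", to), ("xmlns", CLIENT_NS), ("xmlns:stream", STREAM_NS)]
    if version is not None:
        attrs.append(("version", version))
    body = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs)
    return f'<?xml version="1.0"?><stream:stream {body}>'


def parse_stream_header(data):
    """Extract the attributes of the first <stream:stream> start tag.

    A stream header is an *unclosed* start tag (the stream stays open until
    the session ends), so a DOM parser would wait for </stream:stream> that
    never arrives. expat's push parser reports the start element as soon as
    the tag itself is complete, which is what an XMPP client needs.
    """
    found = {}

    def start(name, attrs):
        if not found and name == "stream:stream":
            found.update(attrs)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.Parse(data, False)  # False: more data may follow, do not expect EOF
    return dict(found)


def peer_speaks_xmpp_1_0(attrs):
    """RFC 3920 4.4.1: a peer that omits version is a pre-1.0 Jabber entity."""
    try:
        return float(attrs.get("version", "0")) >= 1.0
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the two headers from the post, side by side.
    for hdr in (build_stream_header("im.flosoft.biz"),
                build_stream_header("im.flosoft.biz", version=None)):
        attrs = parse_stream_header(hdr)
        print(hdr)
        print("  version attribute present:", peer_speaks_xmpp_1_0(attrs))
```

Run it and you get the two headers from the post printed back, one flagged as XMPP 1.0 and one as a legacy header; the parser is also the piece you would want when checking what a server answers with, since it returns as soon as the start tag is in.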

Hope this helps someone.

The modified file is: XMPPSocketConnection.as

What are some of the organization-specific bug detectors that are created to enforce internal organizational policies?

Powered by Jott

At today’s usability lab demonstration of an eye tracker, there was one eye tracker that was head-mounted and inconvenient to the user, and another that was mounted on the monitor and did not (?) any convenience to the user. The lesson is to collect as much data as you can in an experiment without inconveniencing the participant.


I learned a lesson at today’s usability lab demonstration of an eye tracker, and that is that you want to collect as much data as you can when doing an experiment, without inconveniencing the participants.


Michael Ernst at MIT has a paper at MSR 2007 on “Prioritizing warning categories by analyzing software history”. The idea is that those warnings that are fixed quickly by developers are likely to be important.
