(Cross-posted on PLUM Ideas)
I attended the OWASP AppSec 2008 conference last week (Sept 24-25) in New York City. It had many great talks and notable moments, but may be remembered for one talk that did not happen. WhiteHat Security had a presentation on an exploit they called “Clickjacking” — basically when an attacker can make you click where they want you to click even if you click somewhere else. But they pulled the talk because a vendor got scared. WhiteHat frontman Jeremiah Grossman did give an illuminating talk (“Get Rich or Die Trying”) on how people are making money on the web, lots of money, illegally. You’ll definitely want to check out this presentation when the conference videos are posted on the web.
On the positive side (from the perspective of securing software), one of my favorite talks was by Jeff Williams of Aspect Security, who introduced the OWASP Enterprise Security API (ESAPI). The goal of ESAPI is to provide a standard, simple and secure API for doing validation, encoding, encryption, logging, user and session management, authentication, file uploads and other tasks necessary for secure coding. It could do for secure coding what the Java concurrency utilities library does for concurrency. I think my favorite feature is the AccessReferenceMap, which simply allows developers to hand out an indirect reference to a resource (such as a file or a user id) in place of the real one, so that the actual resource identifier is never exposed in a URL or HTTP header.
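To make the indirect-reference idea concrete, here is an added example in Python that mirrors the concept behind ESAPI's AccessReferenceMap; it is not ESAPI's own code (ESAPI is a Java library), and the class and method names are my own. The point it demonstrates is the defensive property: the client only ever sees a random per-session token, and a direct identifier (or a token from some other session) submitted in its place does not resolve, so users cannot walk through other people's files by editing the URL.

```python
import secrets
from typing import Dict, Hashable


class AccessControlError(Exception):
    """Raised when an indirect reference does not map to anything in this session."""


class AccessReferenceMap:
    """Per-session indirect references, in the spirit of ESAPI's AccessReferenceMap.

    Direct references (file names, user ids, database keys) never leave the server.
    The client is given a random, unguessable token, and this map is the only way
    back from the token to the real resource. The map is meant to live in one
    user's session, so a token minted for another user resolves to nothing here.
    (Hypothetical class, written for this post, not the ESAPI API.)
    """

    def __init__(self, token_bytes: int = 8) -> None:
        self._direct_to_indirect: Dict[Hashable, str] = {}
        self._indirect_to_direct: Dict[str, Hashable] = {}
        self._token_bytes = token_bytes

    def add_direct_reference(self, direct: Hashable) -> str:
        """Register a direct reference and return its token (idempotent per direct ref)."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        while True:
            # CSPRNG-backed token: not sequential, so tokens cannot be enumerated.
            token = secrets.token_hex(self._token_bytes)
            if token not in self._indirect_to_direct:
                break
        self._direct_to_indirect[direct] = token
        self._indirect_to_direct[token] = direct
        return token

    def get_indirect_reference(self, direct: Hashable) -> str:
        """Token for a direct reference this session already registered."""
        try:
            return self._direct_to_indirect[direct]
        except KeyError:
            raise AccessControlError("direct reference not registered") from None

    def get_direct_reference(self, indirect: str) -> Hashable:
        """Resolve a token back to the real resource; unknown tokens fail closed."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlError("indirect reference not found") from None


def resolve_download(session_map: AccessReferenceMap, token: str) -> str:
    """What a download handler would do with the token taken from the query string."""
    return str(session_map.get_direct_reference(token))


def demo() -> dict:
    """Constructed scenario: two users, two sessions, one attempted cross-user access."""
    alice = AccessReferenceMap()
    bob = AccessReferenceMap()
    alice_token = alice.add_direct_reference("/data/alice/report.pdf")
    bob_token = bob.add_direct_reference("/data/bob/report.pdf")

    outcomes = {
        "alice_own_file": resolve_download(alice, alice_token),
        "token_is_opaque": alice_token != "/data/alice/report.pdf",
    }
    # Bob edits the URL and submits the raw path of Alice's file as the token.
    try:
        resolve_download(bob, "/data/alice/report.pdf")
        outcomes["bob_guessed_path"] = "resolved"
    except AccessControlError:
        outcomes["bob_guessed_path"] = "rejected"
    # Bob replays Alice's token inside his own session: it is not in his map.
    try:
        resolve_download(bob, alice_token)
        outcomes["bob_replayed_token"] = "resolved"
    except AccessControlError:
        outcomes["bob_replayed_token"] = "rejected"
    outcomes["bob_own_file"] = resolve_download(bob, bob_token)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The map alone does not replace an access-control check: it limits what a user can even name, so the handler only ever sees resources that were deliberately registered for that session, which is why an unknown token raises instead of falling through to a filesystem lookup.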
An interesting side affair run throughout the conference was the Capture The Flag competition, set up by some students at New York Polytechnic University. Basically a server was set up with 30+ applications with different vulnerabilities, and attendees were allowed to hack away at the applications for points and prizes (of course, they put all this on a dedicated WIFI network, not the hotel’s WIFI). I got in on the action a little late, but still got the exhilaration of successfully hacking 4 applications. Anyway, the organizers announced that they would release the source code for the game server with vulnerable applications, no doubt providing hours of joy for ACM student chapters and antisocial graduate students. (It is not available yet, but if you are looking for something to hack, check out WebGoat.)
Other notable moments were (ISC)² unveiling a new certification process (Certified Information Systems Security Professional – CISSP), Gunter Ollmann‘s talk on the 100 Billion Dollar a year industry in attacking banks, Lee Kushner’s talk on how to get an AppSec job, and Zed Abbadi’s talk on how usability affects security.
On a personal note, the conference was a good opportunity for me to meet many vendors in the security domain and inform them about my research efforts. I made contacts at Aspect Security, Amazon.com, Imperva, Protiviti and ts/sci security that I hope to follow up with. Unfortunately, I did not win any of the raffles (including a 42-inch HDTV) despite meticulously depositing my business card with every vendor.
UPDATE: Some videos are now up at http://www.owasp.tv/. Also, “clickjacking” made the top news stories on Yahoo News.
UPDATE II: Jeremiah Grossman has now posted specific details (and video) about the clickjacking demo he was going to do at OWASP. Basically a hacker can take over your camera or microphone when you visit an infected site! They do this by forcing you to click the “Allow” button in the flash player without you realizing it. This incarnation of the exploit is probably not too lucrative, though you could use it to spy on your girlfriend!