OWASP AppSec Ireland 2010
Over the weekend I attended OWASP AppSec Ireland 2010 at Trinity College in Dublin. The event was a full day event held on the 17th September starting at 9AM and ‘officially’ ending at 9PM. On my first night in Dublin I went for an excellent Italian meal with some great people, these include @securityninja, @Angelill0, @danielcornell and others. The evening was polished off with a traditional pint of Guiness in a local pub.
On the day of the conference I arrived a little early and had some brief discussions with a couple of the attendees. The conference kicked off with the keynote talk by John Viega titled “Application Security in the Real World”. This was an excellent talk that put into perspective the reality of application security within business. The keynote was followed by a brief unplanned summary by Samy Kamkar on his talk which he is touring Europe with. I look forward to seeing his full talk at BruCON next weekend.
DVWA 1.0.7 is here!
After 9 months since the last release we are proud to present the all new Damn Vulnerable Web Application version 1.0.7.
What’s new?
The vulnerability help page has been improved.
We now display the logged on username along with the vulnerability level and php-ids status.
Blind SQL injection has been implemented.
We now have official documentation.
You can now compare all vulnerable source code in one page with the ‘view all’ button.
The whole theme has been redesigned, including a new great looking logo.
Many bug fixes and small changes throughout the application.
DropBox Security
For those of you new to Dropbox:
“Dropbox is a Web-based file hosting service operated by Dropbox, Inc. which uses cloud computing to enable users to store and share files and folders with others across the Internet using file synchronization.”
http://en.wikipedia.org/wiki/Dropbox_%28service%29
Dropbox has become very popular and widely used as it has so many different uses and makes file sharing over the internet easy. Dropbox allows you to make public image galleries, share files publicly, share files between computers and manage version control. All this straight from your file system. I like to think of it as git or a subversion repository with a nice interface.
[Interview] The Jester
It’s not often I interview people for the blog however when some one catches my eye and raises my interest I like to find out more about them and share it with my readers. This time I interviewed ‘The Jester’. The Jester has been in the media spotlight recently for taking down Jihadist terrorist web sites via use of a targeted DoS attacks.
* Can you tell us a little bit about yourself and what you do?
Ryan, I would like to give you and your readers a little more about me but it’s kind of difficult to do that, given the nature of my targets, all I can give you sir is what’s already ‘out there’ – I am ex-mil – and slightly pissed at the surge in Jihadist online activities.
Now with regard to what I do: I aim to cause disruption to the online efforts of Jihadists on the internet. They have realized that they can recruit, train and coordinate home-grown terrorists completely via the internet, without ever having to meet. This cuts out much of the risk associated with any face-to-face contact for the recruiters. Web recruitment targets young, tech-savvy, vulnerable Muslims, the iPod generation if you like. By making these sites unreliable, the potential recruit numbers start to dwindle. I limit my hits to defined time-slots (rather than killing them completely) because I am well aware that official Counter Terrorist Agencies use some of these sites for intelligence gathering. I have been asked why I DON’T hit certain sites, well it’s simple. By NOT hitting certain sites (and hitting others hard) I am ‘herding’, people give up easily when a site is constantly up and down, and move on to a more reliable one. So it creates a funnel-effect, funneling terrorists and potential terrorists away from peripheral sites and into a smaller space that is easier to monitor.
Why Johnny Can’t Pentest
A white paper released recently (not dated) by the University of California titled ‘Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners’ evaluates eleven commercial and open-source black-box web vulnerability scanners.
The three authors of the paper (Adoupe, Marco, Vigna) test the black-box scanners against their custom vulnerable web application they called WackoPicko. Their custom web application contained a number of different technical and business logic vulnerabilities, both authenticated and un-authenticated.
They tested each scanner against WackoPicko in three different modes. Initial (point-and-click), Config (login credentials/mechanism provided) and Manual (local proxy use). The eleven scanners tested were Acunetix, Appscan, Burp, Grendel-Scan, Hailstorm, Milescan, N-Stalker, NTOSpider, Paros, w3af and Webinspect.
