I just got back from Ghent, Belgium where I presented my research into next generation XSS worms. I hope people don’t take too much FUD from the talk; it’s only meant to show a few things, most notably how I (presume to have) solved the problem of decentralized, reliable, and unpoisonable command and control. Queue up the paper while you read the wrap-up!

Personal Highlights

  • Seeing the eyes of the students in my RIA class open up real wide when I describe attack techniques like JavaScript hijacking and DNS rebinding
  • Accidentally getting drunk on 4 Belgian beers (the local beer Duvel [which is Flemish for ‘Devil’] has 9% alcohol)
  • Purposely getting drunk on all kinds of beers the next night
  • Meeting Sebastien Deleersnyder and Paolo Coimbra of OWASP for the first time
  • Taking $20 from a sucker who actually bet on Chelsea to beat Man U (Mark Curphey)
  • Seeing the re-engineering Dinis Cruz has done on Ounce to make it scriptable by power users (though it looks like it needs an upgrade to its pre-1990 monochrome UI)
  • Spending time with some of the premier hackers that choose to live in the public eye (pdp, .mario of gnucitizen, who both coincidentally (or not?) have herpes)

Best Talks

Ignoring all the Aspect Security employee talks I can easily pick my top 5:

  1. Gary McGraw‘s exploiting online games was hilarious. Because I was already a giant gaming nerd, I was familiar with most of the techniques discussed, but his presentation was absolutely great. His second talk was also good, but it was dangerous for us consultants in the crowd as we had to keep dodging all the names he was dropping!
  2. Mark Curphey‘s not-easily-summarizable-but-still-very-good talk.
  3. Thomas Roessler‘s explanation of HTML5 security (which you can be sure I’ll be assessing quite soon).
  4. Dinis Cruz‘s abnormally caffeinated self talk about OWASP and the future – you can’t help but be energized to help OWASP more after listening to this guy for more than 5 seconds.
  5. Mario Heiderich‘s (.mario on slackers) dissection of PHPIDS – a great tool which needs a Java version ASAP. I’m entirely in love with the Centrifuge idea. I’ll be honest: I never wanted to ask the community if they could fit an XSS into less than 23 characters for fear that there was an obvious one I couldn’t think of.

Out of the refereed papers published at the conference, I like fukami/Ben’s (and my own, of course). It’s not earth shattering, but it’s clever and another example of how undocumented/not-well-known features are often the sources of hilarious issues. I imagine the Flash VM should mark anything past the end-of-function marker (a 16-bit length null byte) non-executable address space, or perhaps more easily it could rip out these malicious islands of code when the SWF file is loaded into memory. I’m really sorry I missed that talk, but I couldn’t let my co-worker Jason Li present on my OWASP AntiSamy project without at least being in the room!

The rest of the refereed papers seemed like solutions to problems already solved in easier ways. Others just have crazy base assertions: “most existing approaches [for input validation] are based on Tainted Mode…” – huh?

Great conference, great people, great city, etc. pdp is going to mix all the pictures up into some whizbang movie and submit it to Cannes, I think. So keep an eye out for that on gnucitizen and House of Hackers!