Another great OWASP conference ended yesterday. Other than the terrible food and a slightly jarring speaker shuffle, I had a great time. I met lots of interesting folks from lots of different places, among them closet webappsec expert Chris Shiflett, the always-blogging Rafal Los, and seasoned veteran Gunter Ollman. I gave a talk on Day 2 about organizing our thoughts on cross-site scripting worms and where worm authors can go in the future with smarter design choices and futureware from HTML5. The slides are here and the corresponding paper from last year’s Belgium conference is here. Let’s go through the highlights of the rest of the conference for those of you who weren’t there.

Clickjacking / UI Redress / iframe + CSS

There’s been some drama recently since Jeremiah Grossman and Robert Hansen abruptly cancelled their ‘clickjacking’ talk at the conference. Instead of giving the talk, the pair fielded questions about the vulnerability in general terms and deflected any detailed questions that might leak information to people attempting to reverse engineer it. This pattern of half-disclosure among security researchers is becoming more popular, and I’m not personally sure the vendors deserve any preferential treatment given their security track record.

Clickjacking, as the term is being used, is an attack in which a victim on a malicious page is tricked into clicking ‘past’ the visible link or button and ends up clicking on something else: typically a control on another site that the attacker has layered over the decoy with an iframe and CSS. What is that “something else”? How bad can it be? Pretty bad, actually. After about 30 minutes of thinking I came up with two really dangerous vectors: one a general attack-framework idea, the other a specific vector against Flash I’d rate as a 7/10. Jeremiah and RSnake, however, are sitting on a vector that is definitely 10/10. To quote Ptacek, ‘they have the goods.’


Dave Aitel’s talk on trends in public exploit development and their future consequences was fascinating. Dealing with “alert(document.cookie)” 24/7/365 does make you itch for the days when you stayed up all night trying to figure out why your write32 exploit worked in gdb but not on the command line. His personality reminds me a lot of Samy, and possibly myself; no coincidence considering we’re all brown.

Bypassing web application/service security controls using Encoding, Transcoding…

Arian never showed up – it was claimed he was lost in NYC. I suspect he was hung over on a beach in Malaysia, rolling over some chubby MILF. <3 u Arian.

Multidisciplinary Bank Attacks

Got a chance to meet Gunter Ollman, who is much nicer in real life than the curmudgeon persona he has online. He discussed man-in-the-browser banker trojans: their technical capabilities and the business around them. Given that between 3,000 and 6,000 variants of banker trojans were identified in 2005 alone, and I’ve heard that some ridiculous percentage of IE6 installations tested were infected with one of them, this is definitely pertinent considering how much we all work with the financial industry.

Given that the trojans use signatures to find the pages and fields they modify, couldn’t we play some defense by reordering the DOM or randomizing element ids and names per session, so that injected content at least looks out of place? Something like ASLR for pages. It seems like some good defensive research there could buy protection for at least a year or two.


Thanks to the NY chapter and Tom Brennan for organizing such a great conference considering they had to change venues 2 weeks before the event! Hope to see all of you in Portugal for the EU Summit.