Core Security Experts Detail Widespread Web Applications Vulnerability at OWASP Conference

Leading Vulnerability Researchers to Demonstrate Pervasive Cross-Site Scripting Issue

WASHINGTON -- Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, today announced that one of its industry-leading CoreLabs security researchers will serve as a featured presenter at the OWASP (Open Web Application Security Project) AppSec DC 2009 conference, being held at the Walter E. Washington Convention Center Nov. 10-13. CoreLabs WebApps Exploit Writer Matias Blanco will demonstrate cutting-edge "User Input Piercing" exploitation techniques that allow the automatic discovery and exploitation of cross-site scripting vulnerabilities to be carried out against arbitrary web applications.

In addition to presenting algorithms and techniques for performing the technique, Blanco will present heuristic methods that can determine whether such a cross-site scripting attack can be used to execute scripting code in a compromised browser, and an algorithm to address potential encoding issues. CoreLabs WebApps Exploit Writer Federico Muttis co-authored the research. Much as with CoreLabs' highly acclaimed presentations at Black Hat USA 2009 and the CanSecWest conference, which garnered significant interest from both the media and the larger vulnerability research community, Blanco's presentation will break new ground in illustrating the readily available and exploitable nature of this serious security exposure affecting ubiquitous web application technologies. The CoreLabs expert will also demonstrate how, when combined with CORE IMPACT's patented agent technology, this technique can be used to assess the impact of XSS vulnerabilities in an automated fashion.

What: "User Input Piercing for Cross-site Scripting Attacks"
When: Thursday, Nov. 12, 2009; 4:50 p.m. - 5:55 p.m. ET
Where: OWASP AppSec DC 2009, Walter E. Washington Convention Center
Who: Matias Blanco, Core Security Exploit Writer

Presentation Details:

Cross-site scripting, or XSS, represents one of the most widespread and readily available forms of web application exploitation on the Internet today, and attackers take advantage of it on an increasingly regular basis. Traditionally, XSS vulnerability fuzzing techniques have focused primarily on black-box analysis, using a static set of vectors and encodings to unearth exploitable flaws. Using a different approach that employs cookie reflection and encoding analysis to determine the information needed to exploit XSS vulnerabilities, CoreLabs will illustrate a dangerous new method that attackers could employ to compromise many common web applications. Topics covered in the User Input Piercing presentation will include:

* User Input Piercing XSS analysis
* Potential injection point discovery
* XSS vectors (including remote)
* XSS encoding detection

The Open Web Application Security Project (OWASP) has grown to become the most influential online application security research organization in the world, and CoreLabs is honored to continue to contribute to its advancement while being recognized for its own pioneering work in the field. Organizations of every kind benefit from further illustration of exploitable web application vulnerabilities that can leave their IT operations and electronic data at risk from targeted and sophisticated attacks by cybercriminals. Core Security continues to feed the intelligence garnered via its CoreLabs research directly into its CORE IMPACT family of automated penetration testing solutions, to ensure that organizations have access to security assessment products that allow them to determine their own exposure to such widely available vulnerabilities.

CoreLabs exploit writers Matias Blanco and Federico Muttis are credited as the original authors of the User Input Piercing research project, aided by colleagues Fernando Russ, Aureliano Calvo and Eduardo Arias. For more information about the presentation or to schedule meetings with Core Security's experts at OWASP AppSec DC 2009, please contact Tim Whitman or Lauren O'Leary at 781-684-0770 or via email at coresecurity@schwartz-pr.com.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company's CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
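The "XSS encoding detection" topic in the presentation outline above, as an added example that is not Core Security's or CoreLabs' code: given a response body in which a canary value was reflected, the check reports how each special character came back (raw, HTML-entity, URL-encoded, backslash-escaped or stripped), so a tester can see exactly where an application's output encoding is missing. The canary prefix/suffix, the list of recognised encodings and the sample response body are all constructed for this example.

```python
import html
import re
from urllib.parse import quote

SPECIAL = '<>"\'&'   # canary characters that let reflected input break out of its context

def _encoded_forms(ch):
    """Encoded spellings of `ch` that the check recognises (constructed list)."""
    return {
        "html-entity": [html.escape(ch, quote=True), f"&#{ord(ch)};", f"&#x{ord(ch):x};"],
        "url": [quote(ch, safe=""), quote(ch, safe="").lower()],
        "backslash": [f"\\{ch}", f"\\x{ord(ch):02x}", f"\\u{ord(ch):04x}"],
    }

def _consume(body, pos, ch):
    """Return (form, new_pos) for how `ch` appears at body[pos:]."""
    # Encoded forms first, so '&amp;' is not mistaken for a raw '&'.
    for form, variants in _encoded_forms(ch).items():
        for v in variants:
            if body.startswith(v, pos):
                return form, pos + len(v)
    if body.startswith(ch, pos):
        return "raw", pos + 1
    return "stripped", pos          # the application removed the character

def classify_reflections(body, prefix="cnry", suffix="ycnr"):
    """One dict per intact reflection of prefix+SPECIAL+suffix: how each special
    character came back (raw, html-entity, url, backslash or stripped)."""
    reflections = []
    for m in re.finditer(re.escape(prefix), body):
        pos, forms = m.end(), {}
        for ch in SPECIAL:
            forms[ch], pos = _consume(body, pos, ch)
        if body.startswith(suffix, pos):          # count only intact reflections
            reflections.append(forms)
    return reflections

def unsafe_reflections(body, **kw):
    """Reflections where some breakout character survived unencoded."""
    return [r for r in classify_reflections(body, **kw) if "raw" in r.values()]

# Constructed response body: the canary reflected in four output contexts, plus
# one place where the application stripped the special characters entirely.
SAMPLE_BODY = (
    '<title>Search: cnry&lt;&gt;&quot;&#x27;&amp;ycnr</title>'        # HTML-escaped
    '<input value="cnry<>"\'&ycnr">'                                     # raw: unsafe
    '<script>var q = "cnry\\u003c\\u003e\\"\\\'\\u0026ycnr";</script>'  # JS-escaped
    '<a href="/s?q=cnry%3C%3E%22%27%26ycnr">again</a>'                   # URL-encoded
    '<p>You searched for cnryycnr</p>'                                   # stripped
)
```

Only the second reflection is flagged by `unsafe_reflections`: the entity-, URL- and JavaScript-escaped contexts and the stripped one all neutralise the breakout characters.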