G’Day OWASP!

Inspirational OWASP meeting last night. The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

  • extJS is a woefully insecure ajax framework. If someone is using extJS, their application is likely vulnerable to Cross Site Scripting. In the words of a lead developer of extJS, Jack Slocum:

    “It’s not the view layer’s job to do data security cleanup. In fact, doing so there could have a huge negative impact on performance of your application. That should be on an entirely different layer. I would recommend that when you do validation of data entered, you also do clean up to remove any insecure content.”

    Wow. Run from this. Don’t pause to collect your stuff. Just Run.

  • Clickjacking. In Andrew’s view, clickjacking is going to render the internet unusable once it gets better understood. As I understand it, an attacker can position an invisible button above an ordinary button on a web page you are viewing. So you think you click on a “Submit” button in some forum, but you actually click a hovering invisible button that ends up linking to your bank account or email account. Kind of like when Sylvester’s tail gets painted like Tweety Bird and he bites it. At this point, the NoScript add-on for Firefox is the only defense against this, but:

    For the moment, the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

    In the next breath, however, he called the Firefox-NoScript solution a stop-gap fix suitable only for technical users. “If my Mom was using NoScript, I’d be taking all kinds of technical support calls,” he said. “It’s not the right solution.”

    Interestingly, the NoScript site itself employs clickjacking for more positive ends. The spot where you click “Install now” actually has an invisible overlay of the real Firefox add-ons site that your browser already trusts. This allows a more seamless install of the software because your browser thinks it is getting it from Mozilla. Based on this example, I can think of 3 ways to implement clickjacking:

    1. You visit a nefarious site that has coded an invisible button over one of the visible buttons on the page.
    2. You visit a benign site that has been compromised into creating one of these invisible buttons.
    3. You visit a site vulnerable to XSS that is then used to create a clickjacking situation.

    In each of these, clickjacking seems to be a combination of two or more other attacks (XSS, CSRF).

  • ESAPI. This is one I should really have known about. It is a set of interfaces by OWASP that provide foils for each of the major web application attack vectors. The initial release is for Java, but .NET and PHP versions are in the works.
  • HoneyComb Project: This is an attempt to create a comprehensive storehouse of information about application security. It exists in wiki form as well as a giant word doc.
  • Paypal Security Key. Andrew was impressed by the security devices that Paypal gives to their users for next to nothing. Leading the way in two-factor identification over the web, Paypal has “The Security Key, a device that generates a temporary 6-digit security code every 30 seconds. Use it every time you log in for added security.” If Paypal can do this so cheaply, then everyone should.
  • Log4J has no security logging level. I use Log4J all the time, but never questioned why it didn’t have a security logging feature. I found “How to add a security logging level to Log4J”, but I’m not sure if it meets all the needs that Andrew had in mind. I’m going to test this out.
  • Volunteers: OWASP needs volunteers. It needs PHP experts to work on the PHP ESAPI. It needs technical editors to work on the OWASP Guide for developers. It needs testers, writers, and wikipedians. It needs volunteers to organize the HoneyComb project. It is a good way to learn more, get your name out there, and contribute to a valuable organization.
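Since this post was written, browsers have added server-side framing controls (the X-Frame-Options header and the CSP frame-ancestors directive), so a site can refuse to be loaded in someone else’s frame at all. As an added example that is not part of the original post, the Node.js checker below reads a response’s headers and decides whether a given third-party origin could put the page in a frame, which is the precondition for the invisible-button overlay described under Clickjacking. The header objects, origins and partner domain are constructed for illustration.

```javascript
// Added example (not from the post). Assumptions: `headers` is keyed by
// lower-cased header name, origins are strings like "https://bank.example",
// and ports are ignored for brevity.
function parseFrameAncestors(csp) {
  // CSP is ';'-separated directives; frame-ancestors carries a source list.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase()); // empty list acts as 'none'
    }
  }
  return null; // directive absent: fall back to X-Frame-Options
}

function sourceAllows(source, embedder, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedder === self;
  if (source === '*') return true;
  if (source.endsWith(':')) return embedder.startsWith(source); // scheme source, e.g. https:
  const stripScheme = (s) => s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const host = stripScheme(embedder);
  const allowed = stripScheme(source);
  if (allowed.startsWith('*.')) return host.endsWith(allowed.slice(1)); // wildcard subdomains
  return host === allowed;
}

// True when `embedder` may load the page served with `headers` (from origin
// `self`) inside a frame, i.e. when an invisible overlay is possible from there.
function canBeFramed(headers, self, embedder) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {
    // A browser that understands frame-ancestors ignores X-Frame-Options.
    return ancestors.some((src) => sourceAllows(src, embedder, self));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === self;
  // No header, or the obsolete ALLOW-FROM that current browsers ignore.
  return true;
}

// Constructed sample responses for one page at origin SELF.
const SELF = 'https://bank.example';
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { 'content-security-policy': "frame-ancestors 'self' https://*.partner.example" },
};
```

Run it against the headers your own site actually returns: a `true` result for an arbitrary origin means any page can overlay yours, and the fix is to send `frame-ancestors` (with X-Frame-Options as a fallback for older browsers) rather than to rely on visitors running NoScript.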

2 Responses to “G’Day OWASP!”

  1. Rob R. Says:

    Since you got into this security stuff so heavily, you’re not so funny. Although the reference to Sylvester the Cat is pretty funny. I contradict myself a lot.

  2. Tim Says:

    woah. I just spilled hot coffee on my lap!
