

The Open Web Application Security Project (OWASP) is an all-volunteer group that produces free, professional-quality, open-source documentation, tools, and standards. The OWASP community facilitates conferences, local chapters, articles, papers, and message forums. The OWASP Foundation, a not-for-profit charitable organization, ensures the ongoing availability and support of our work. Participation in OWASP is free and open to all, as are all the materials on the website (http://www.owasp.org/).


Anyone interested in Web Application Security, Information Security, and Software Development.

Note to CISSPs: OWASP meetings count towards CPE credits.


This month we have an exciting technical talk discussing the Same-Origin Policy and attacks that attempt to break/circumvent these controls by security researcher Andre Gironda. The details of this month's meeting are below:


UAT - University of Advancing Technology (Entrance at the back of the building)

2625 West Baseline Road

Tempe, Arizona



6:30PM, Thursday, March 8th


6:30 to 6:45 News & Introductions

6:45 to 7:45 (1 hour): Reflections on Trusting the Same-Origin Policy – and other web+network trust issues – Andre Gironda, Independent Vulnerability Assessor / Researcher

In computing, the same-origin policy is an important security measure for client-side scripting (mostly JavaScript). It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin". It was designed to protect browsers from executing code from external websites, which could be malicious.
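As an added illustration of what "origin" means in the paragraph above (this is example code written for this page, not material from the OWASP chapter or the speaker), the following Node.js snippet builds the scheme/host/port tuple that browsers compare and checks a handful of constructed URL pairs against it. It assumes the WHATWG `URL` class that Node.js provides globally; the `DEFAULT_PORTS` table, the function names and the sample URLs are all constructed for the example.

```javascript
// Default port per scheme, so http://example.com and http://example.com:80
// resolve to the same origin. Constructed table for this example.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Return the origin as a {scheme, host, port} tuple. URLs with no network
// origin (data:, file:, blob:) get an opaque origin, represented here as null.
function originOf(urlString) {
  const url = new URL(urlString);
  const defaultPort = DEFAULT_PORTS[url.protocol];
  if (defaultPort === undefined) return null;
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    // The URL parser drops a port that equals the scheme default, so fill it back in.
    port: url.port === '' ? defaultPort : url.port,
  };
}

// Two URLs are same-origin only when all three tuple components match.
// Path, query and fragment are irrelevant; an opaque origin matches nothing,
// not even itself.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed URL pairs, one per component of the tuple, with the expected verdict.
const SAMPLE_PAIRS = [
  ['http://example.com/page1', 'http://example.com:80/other?x=1', true],  // path/query ignored, default port
  ['http://example.com/', 'https://example.com/', false],                  // scheme differs
  ['http://example.com/', 'http://www.example.com/', false],               // host differs (a subdomain is a different origin)
  ['http://example.com/', 'http://example.com:8080/', false],              // port differs
  ['https://Example.COM/', 'https://example.com/', true],                  // host names are case-insensitive
  ['data:text/plain,hi', 'data:text/plain,hi', false],                     // opaque origins never match
];

// Evaluate every sample pair and report whether the verdict matched expectations.
function checkSamples() {
  return SAMPLE_PAIRS.map(([a, b, expected]) => ({
    a, b, expected, actual: isSameOrigin(a, b),
  }));
}

for (const r of checkSamples()) {
  console.log(`${r.a}  vs  ${r.b}  ->  same-origin: ${r.actual}`);
}
```

The point to take away is that a script on `http://www.example.com` cannot read the DOM of a frame showing `http://example.com`, because the host component differs, even though both are the same site in everyday language; the policy compares the full tuple, not a domain name.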

XSS and CSRF vulnerabilities exploit trust shared between a user and a website by circumventing the same-domain policy. DNS Pinning didn't pan out exactly right, either. Can client-side scripting allow malicious code to get into your browser history and cache? Can it enumerate what plugins you have installed in your browser, or even programs you have installed on your computer? Can it access and modify files on your local hard drive or other connected filesystems? Can client-side scripts be used to access and control everything you access online? Can it be used to scan and attack your Intranet / local network? Does an attacker have to target you in order to pull off one of these attacks successfully? If I turn off JavaScript or use NoScript, am I safe? What other trust relationships does the web application n-Tier model break?

7:45 to 8:00: Wrap up

8:00 Happy Hour/Social:

Tilted Kilt

650 West Warner Road, Tempe AZ


I am always looking for new speakers and topics so feel free to send me an email if you’re interested.


Jon Rose and Adam Muntner

Added by AdamMuntner on February 22, 2007