
I am a member of the local ACM student chapter at my university, and as part of our activities I am scheduled to give a talk on current issues in Web Application Security (and possibly secure coding measures). The talk will be presented to the students of our computer science department and will consist of around one hour of theory followed by a demo/hands-on module (around one hour as well).

I want to ask for your suggestions on which topics you think I should cover and how to demo some of them. I'm inclined to present the "Top 10 list of web security issues" by OWASP, talk about them, and use the resources from "OWASP's guide to building secure web apps" for countermeasures and suggestions.

For the hands-on lab I'm thinking of using an intentionally vulnerable app like WebGoat or something similar. What are your thoughts? Thanks.

Ion

2 Answers


The OWASP Top 10 is a great idea for content, although, as you may see from my other posts, I always recommend a piece on business practicality; so if you can combine the talk with information on implementation and business risk, I think it can make a very powerful presentation.

For example, incorporating information on how complex remediation is for each of the OWASP Top 10 can be of high value (e.g. the code changes for reducing the risk of SQL injection attacks are relatively straightforward in coding frameworks which have input validation and output encoding modules).

You may think that this is off-topic for technical folks, devs etc., but it will help them if they are in a position to understand the business drivers (or blockers) for remediation work.

Rory Alsop

In terms of more content, you could cover the Samy worm and how it avoids the problem of HttpOnly cookies entirely. It's important to note that XSS is a lot more than just document.cookie and PoC alert boxes. CSRF becomes very difficult to prevent, but not impossible. CAPTCHAs can be used to prevent CSRF even if XSS is present (defense in depth). In fact Google uses this method, such as to authorize account unlinking in YouTube as well as other places.

There are a lot of different types of XSS, DOM-based XSS being a really strange one. So yes, in fact you can write insecure JavaScript, although that's not usually the problem. (I have gotten this question a lot when doing an XSS talk.)

Very recently, CSP and notes from a post-XSS world have gotten a lot of attention. There are a lot of great minds working on the problem of XSS. The anti-reflective-XSS security features found in Chrome, IE and Firefox's NoScript are also interesting; they are also flawed, IE's XSS filter being by far the most flawed.

I also tell developers that XSS is an output problem, and that in a Model-View-Controller application the View is the best place to prevent XSS. Trying to escape input and store it in the database is a horrible practice. For one, the data becomes malformed and comparison operations can fail. But more importantly, you have no idea how the data is going to be used when you insert it into the database; more often than not you will be blindly applying the wrong XSS sanitization method.

Developers should know to test their code. There are a lot of free solutions available. There is the open source Skipfish project, and sitewatch has a free service.

rook
  • Thanks for throwing in the useful links Rook. Any suggestions/ideas about the hands-on portion of the talk? Perhaps OWASP Hackademic project? – Ion Dec 22 '11 at 15:50
  • @Ion maybe the [xss archive](http://www.xssed.com/archive/special=1) and defacing the page with something like "staloned" or another funny image showing that you can control the content of the page. – rook Dec 22 '11 at 16:04