Friday, February 23, 2007

Reflection on Jeremiah Grossman

Today’s personality is again well known for his contribution to the world of web application security. Jeremiah Grossman is an expert in webappsec and is the CTO and a co-founder of WhiteHat Security. He is also a founding member of the Web Application Security Consortium. Jeremiah started hacking around 1991-92, but it was not until 2000 that he took it up as a profession, while working for Yahoo, where he performed various web application security related activities. Over the years he has done a lot of web application security R&D and contributed to the community in various ways. He has spoken at numerous conferences, published many articles, shared many research ideas and made various other contributions, including but not limited to the Internet Security Apache Benchmark Group and the Web Application Security Consortium. In his spare time he trains in Brazilian Jiu Jitsu and plays Australian rules football, and his specialties are web application security, web development, Australian rules football and video game hacking.

Jeremiah is based out of San Jose, CA, is only 29 years old and has spoken at numerous conferences all over the world, including Black Hat, ISSA, ISACA, NASA, RSA, OWASP, AFITC, Stanford and many other industry events. His research, writings and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Below is a compilation of most of his work, which by no means covers his entire contribution.

Articles / Books:-

Ten Things You Should Know about Web Application Security

The 80/20 Rule for Web Application Security

Chasing Vulnerabilities for Fun and Profit

Myth-Busting AJAX (In)Security

Myth-Busting Web Application Buffer Overflows

Pay Now or Pay Later: Obtaining ROI from Web Security

Technology Alone Cannot Defeat Web Application Attacks

Insecure Web Sites

Thwarting SQL Web Hacks

Top 5 Myths of Web Application Security

Web Application Security 101

What Phishers Know That You Don't

Cross-Site Scripting Worms and Viruses

Top 10 Web Hack of 2006
Most of the recent ones are listed here:

Automated Scanner vs. The OWASP Top Ten

He is also co-authoring a book on XSS, to be released tentatively on March 1, 2007:
Cross Site Scripting Attacks: XSS Exploits and Defense

He also wrote the foreword for two books:-

Preventing Web Attacks with Apache

Hacking Exposed Web Applications, Second Edition



Hacking Intranet Websites from the Outside (Session code: HT2-107)

Hacking Intranet Websites from the outside - "JavaScript malware just got a lot more dangerous"

Phishing with super bait

Challenges of Automated Web Application Scanning

Webserver Fingerprinting

The land that application security forgot

Hacking Intranet Websites from the Outside with JavaScript Malware Dang (CSI NetSec)

StillSecure, After all these years, Podcast #28

Cross-Site Tracing (XST)

Automated Scanners vs. Low-Hanging Fruit

Speaking engagements:-

Jeremiah Grossman TV interview with ABC News (AU)

ISSA NORCAL Systems Security Symposium 2004, Network Security Conference 2004 – Web Application Security Auditing

Black Hat 2006 - Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"

Black Hat 2005 - Phishing with Super Bait

Black Hat USA 2004 - Panelist

AITP Central Valley – Web Application Security

ISSA Sacramento 2004 – Auditing Web Applications

Blackhat Seattle 2004

BlackHat Windows 2003 – Hacking Web Applications Training Class, Detecting Web Application Attacks Presentation

Blackhat New Orleans 2002 – Web Application Security and Arsenal

Blackhat Europe 2001 – Web Application Security

Air Force Information Technology Conference 2001, Web Application Security

DefCon Las Vegas 2001 – Web Application Security in Theory and Practice

Speaker and Panelist for the Web Application Security Forum (Tokyo, Japan) - “WASC Activities and U.S. Web Application Security Trends”

Blackhat Singapore 2002 – Web Server Fingerprinting - "A first look into web server fingerprinting"

Podcast with ITRadio (Risky Business #1)

Credit Union Information Security Conference Panelist 2004

Washington Software Alliance 2003 / ISSA Puget Sound 2003 / Blackhat Federal 2003 / SuperCIO 2003 / NASA AMES 2003 – Challenges of Automated Web Application Scanning

ISSA San Diego – Auditing Web Applications

ToorCon San Diego 2001 (Couldn’t find the url)

Proof of concepts:-

Intranet Hacking

Browser Port Scanning without JavaScript

Bypassing Mozilla Port Blocking

I know if you're logged-in, anywhere

I know where you’ve been

Goodbye Applet, Hello NAT'ed IP Address

JavaScript Array Overwriting - Advanced Web Attack Techniques using GMail

Tools written by him:-

WhiteHat Webserver Fingerprinter (no longer available)

Scoring Tool CIS for the Apache Benchmark

WhiteHat Arsenal (no longer available)


WASC Co-Founder



Companies worked for:-

Amgen, Yahoo, WhiteHat



He is a man of ideas and thinks differently from others. His blog is among the most followed blogs on information security. He is a must-follow figure in web application security for anyone who wants to stay current with emerging threats and news.

Last Week – RSnake
Next Week – Ivan Ristic