Friday, February 23, 2007

Reflection on Jeremiah Grossman

Today’s personality is again well known for his contribution to the world of web application security. Jeremiah Grossman is an expert in webappsec and is the CTO and a co-founder of WhiteHat Security. He is also a founding member of the Web Application Security Consortium. Jeremiah started hacking around 1991-92, but it was not until 2000, while working for Yahoo, that he took it up as a profession, performing various web application security related activities there. Over the years he has done a lot of web application security R&D and contributed to the community in various ways. He has spoken at numerous conferences, published many articles, shared many research ideas and made various other contributions, including but not limited to the Internet Security Apache Benchmark Group and the Web Application Security Consortium. In his spare time he trains in Brazilian Jiu Jitsu and plays Australian rules football, and his specialties are web application security, web development, Australian rules football and video game hacking.

Jeremiah is based out of San Jose, CA, is only 29 years old and has spoken at numerous conferences all over the world, including Black Hat, ISSA, ISACA, NASA, RSA, OWASP, AFITC, Stanford and many other industry events. His research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Below is a compilation of most of his work, which by no means covers his entire contribution.


Articles / Books:-

Ten Things You Should Know about Web Application Security
http://www.whitehatsec.com/downloads/WP10Things.pdf

The 80/20 Rule for Web Application Security
http://www.webappsec.org/projects/articles/013105.shtml

Chasing Vulnerabilities for Fun and Profit
http://www.whitehatsec.com/articles/chasing_vulnerabilities.shtml

Myth-Busting AJAX (In)Security
http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html

Myth-Busting Web Application Buffer Overflows
http://www.whitehatsec.com/articles/mythbusting_buffer_overflow.shtml

Pay Now or Pay Later: Obtaining ROI from Web Security
http://www.cunews.com/roundtable/WhiteHat3.pdf

Technology Alone Cannot Defeat Web Application Attacks
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1189767,00.html

Insecure Web Sites
http://www.varbusiness.com/showArticle.jhtml?articleID=18825528

Thwarting SQL Web Hacks
http://www.varbusiness.com/showArticle.jhtml?articleID=18841325

Top 5 Myths of Web Application Security
http://www.varbusiness.com/showArticle.jhtml?articleID=22104030

Web Application Security 101
http://www.whitehatsec.com/articles/webappsec101.pdf

What Phishers Know That You Don't
http://www.betanews.com/article/What_Phishers_Know_That_You_Dont/1114784531

Cross-Site Scripting Worms and Viruses
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

Top 10 Web Hacks of 2006
http://www.whitehatsec.com/home/resources/presentations/files/whitehat_top_hacks_06_F.pdf
Most of the recent ones are listed here:
http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html

Automated Scanner vs. The OWASP Top Ten
http://jeremiahgrossman.blogspot.com/2007/01/automated-scanner-vs-owasp-top-ten.html

He is also co-authoring a book on XSS, to be released tentatively on March 1, 2007:
Cross Site Scripting Attacks: XSS Exploits and Defense

He also wrote the foreword for two books:-

Preventing Web Attacks with Apache
http://www.amazon.com/Preventing-Attacks-Apache-Ryan-Barnett/dp/

Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/Hacking-Exposed-Web-Applications-Second/dp/


Contributions:-


Presentations:-

Hacking Intranet Websites from the Outside (Session code: HT2-107)
http://news.thomasnet.com/companystory/506356

Hacking Intranet Websites from the outside - "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman

Phishing with super bait
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-grossman.pdf

Challenges of Automated Web Application Scanning
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

Webserver Fingerprinting
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/BlackHat2002-Singapore.zip

The land that application security forgot
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt

Hacking Intranet Websites from the Outside with JavaScript Malware Dang (CSI NetSec)
https://www.cmpevents.com/CSINS7/a.asp?option=C&V=11&SessID=4896

StillSecure, After all these years, Podcast #28
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/01/episode_28_of_s.html

Cross-Site Tracing (XST)
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

Automated Scanners vs. Low-Hanging Fruit
http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html


Speaking engagements:-

Jeremiah Grossman TV interview with ABC News (AU)
http://www.youtube.com/watch?v=HPutgmAzgQA

ISSA NORCAL Systems Security Symposium 2004, Network Security Conference 2004 – Web Application Security Auditing
http://www.issa-sac.org/conferences/2004/presentations.php#

Black Hat 2006 - Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html#Grossman

Black Hat 2005 - Phishing with Super Bait
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#grossman

Black Hat USA 2004 - Panelist
http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html

AITP Central Valley – Web Application Security
http://www.whitehatsec.com/presentations/AITP_CentralValley_062004.pdf

ISSA Sacramento 2004 – Auditing Web Applications
http://www.issa-sac.org/conferences/2004/presentations.php#

Blackhat Seattle 2004
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

BlackHat Windows 2003 – Hacking Web Applications Training Class, Detecting Web Application Attacks Presentation
http://www.blackhat.com/html/win-usa-03/train-bh-win-03-wh.html

Blackhat New Orleans 2002 – Web Application Security and Arsenal
http://www.blackhat.com/presentations/win-usa-02/grossman-winsec2002.ppt

Blackhat Europe 2001 – Web Application Security
http://www.blackhat.com/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt

Air Force Information Technology Conference 2001, Web Application Security
http://www.whitehatsec.com/presentations/AFITC_2001/afitc_2001.ppt

DefCon Las Vegas 2001 – Web Application Security in Theory and Practice
http://www.whitehatsec.com/presentations/Defcon9_2001/defcon9_presentation2001.ppt

Speaker and Panelist for the Web Application Security Forum (Tokyo, Japan) - “WASC Activities and U.S. Web Application Security Trends”
http://www.whitehatsec.com/presentations/WASC_WASF_1.02.pdf

Blackhat Singapore 2002 – Web Server Fingerprinting - "A first look into web server fingerprinting"
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-grossman.pdf

Podcast with ITRadio (Risky Business #1)
http://www.itradio.com.au/?p=6

Credit Union Information Security Conference Panelist 2004
http://www.cunews.com/infosec.htm

Washington Software Alliance 2003 / ISSA Puget Sound 2003 / Blackhat Federal 2003 / SuperCIO 2003 / NASA AMES 2003 – Challenges of Automated Web Application Scanning
http://www.whitehatsec.com/presentations/NASA_AMES_2003_v1.0.ppt

ISSA San Diego – Auditing Web Applications
http://www.whitehatsec.com/presentations/Auditing-Web%20Applications.pdf

ToorCon San Diego 2001 (Couldn’t find the URL)


Proof of concepts:-

Intranet Hacking
http://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.html

Browser Port Scanning without JavaScript
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

Bypassing Mozilla Port Blocking
http://jeremiahgrossman.blogspot.com/2006/11/bypassing-mozilla-port-blocking.html

I know if you're logged-in, anywhere
http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html

I know where you’ve been
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

Goodbye Applet, Hello NAT'ed IP Address
http://jeremiahgrossman.blogspot.com/2007/01/goodbye-applet-hello-nated-ip-address.html

JavaScript Array Overwriting - Advanced Web Attack Techniques using GMail
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html


Tools written by him:-

WhiteHat Webserver Fingerprinter (no longer available)
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/wh_webserver_fingerprinter.tgz

Scoring Tool CIS for the Apache Benchmark
http://www.cisecurity.org/bench_apache.html

WhiteHat Arsenal (no longer available)


Memberships:-

WASC Co-Founder


Blog:-

http://jeremiahgrossman.blogspot.com


Website:-

www.whitehatsec.com


Companies worked for:-

Amgen, Yahoo, WhiteHat


Email:-

jeremiah__at__whitehatsec__dot__com


He is a man of ideas and thinks differently from others. His blog is amongst the most followed blogs on information security. He is a must-follow figure in web application security for anyone who wants to stay current with emerging threats and news.

Last Week – RSnake
Next Week – Ivan Ristic
