Monday, November 19, 2007

AppSec 2007 pictures of breach party

The OWASP and WASC AppSec Conference is over, and it was by far the best conference I have ever been to. I was able to meet up with so many fantastic people, some of whom I had exchanged emails with before, and it was good to see them in person. The conference topics and the presentations were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive topic, I was hoping the discussion would be a little more controversial, but I guess since there was just one microphone, everyone was waiting for their turn and hence the discussion got a little dull. Or maybe the absence of Google on the panel and Microsoft getting a lot better in their security practice didn't help much :) It was a good discussion nonetheless.

Breach is building a reputation for throwing the best vendor parties at these conferences. Here is my set of pictures from the Tech Expo and the Breach party.

RSnake flirting with the waitress

Pravir and Dinis Cruz sharing some thoughts

You get so many webappsec guys together and the lightning starts to come down. :)

From left: Jeremiah Grossman, Arian Evans, pdp, myself, Ryan Barnett, Stefano DiPaola, Ory Segal and his colleague from IBM

pdp giving Arian a lesson on Web 2.0 hacking :)

Ryan Barnett, Stefano and Ory Segal (Happy to be here)

WhiteHat Security Ops Team with a few friends

Dinis Cruz and Arian Evans

Jeremiah, pdp and (I don't know the person in the middle)

Ory Segal (enjoying the party)

The pictures below are of the Expo

Wednesday, November 07, 2007

Who are the real culprits for PCI compliance?

There was an article in SearchSecurity today on the TJX issue.

Don't blame PCI DSS for TJX troubles, IT pros say

Here is an excerpt from the article

The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems.

"They had no network monitoring and no logs, and they had unencrypted data," he said. "But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have."

This makes me wonder what the real objective of PCI compliance is. Most companies are still trying to understand the PCI requirements and hire a third party to assess their infrastructure for PCI compliance. Now, if the PCI council has approved a vendor to assess a company's infrastructure against the PCI requirements, then from the company's point of view that vendor understands the PCI requirements and has proven to the PCI council that it is qualified and capable of doing a good job. Whether a vendor charges $1000 or $15000 to do the job is up to the vendor. Companies are always looking for a good bargain, and there is nothing wrong with that as long as they are going to an approved vendor.

So if a company still gets breached after it is PCI compliant (assuming the stored data was not encrypted), who is actually liable in this case? The company, or the vendor who certified the company as PCI compliant? In my mind, if the vendor had told the company that it had to encrypt the sensitive data in its database, and the company had not done so, then there would have been no question of the company being PCI compliant.

The company getting penalized is understandable, but is the PCI council also going to impose penalties and fines on vendors who are not doing a good enough job? If a company is PCI compliant, then the data breach is not entirely the company's fault; it is as much the fault of the vendor who did not identify and report the issues and certified the company as PCI compliant.

Monday, November 05, 2007

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15

As most of you know, the OWASP-WASC AppSec Conference is being held at eBay from Nov 12 to Nov 15, including the training sessions. There are many exciting topics to look forward to at the conference, not to forget the vendor parties at the end of the day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some really great people on the panel and I am expecting a lively discussion, as the topic is also a little touchy :)

The panelists are:
1. Robert "RSnake" Hansen - CEO of SecTheory with his blog at "".
2. Bruce Lowenthal - Director of Oracle Security Alerts Group, Oracle
3. Zulfikar Ramzan - Advanced Threat Team, Symantec;
4. Katie Moussouris - Security Strategist, Microsoft
5. Christopher Ernst - US Secret Service, San Francisco Field Branch.

I am expecting this to be one of the best panels, since it is not only a sensitive topic but we will also have the corporate, hacker and government/law points of view on the subject.

Since I have been working on the questions to ask during the panel discussion, I thought I would also take others' opinions on what kind of questions they would like to see asked. So, if you have any suggestions, please feel free to send me an email or leave them as a comment on the blog.

Do plan to be there, as it should be fun. The date/time of the panel discussion is:
Nov 15, 16:30 - 17:30

Here is the entire conference agenda

Conference Registration page (if you haven't registered already), including the details on the vendor parties

Thursday, November 01, 2007

WASC meetup on Nov 8

It's time for another WASC Meet-Up. As usual, this will be an informal gathering: no agenda, slide-ware, or sponsors. Just some like-minded people from the security industry getting together to share their stories over beer. Everyone is welcome and it should be a really fun time!

Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: anurag dot agarwal at yahoo dot com

Time: Thursday, Nov. 8 @ 7:00pm


Duke of Edinburgh
10801 N Wolfe Rd
Cupertino, CA 95014-0618
Phone: (408) 446-3853

Tuesday, September 04, 2007

OWASP & WASC AppSec 2007

The OWASP/WASC Black Hat cocktail party was so successful that it only made sense to join forces again, this time for an upcoming conference. OWASP & WASC AppSec 2007 is scheduled for Nov 12 – 15 @ the eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we're a little nervous because the venue might not be able to fit everyone (300 max) wanting to attend.

Currently we're busy formalizing the agenda and coordinating the logistics of parties and events. If the wish list pans out, we'll have an amazing speaker/topic line-up, a ton of industry experts in attendance, security professionals from all over Silicon Valley, and hopefully a few surprises to go with it. The official announcement is below and I'll update the blog with new developments.

FYI: There are plenty of sponsorship opportunities for interested organizations.

OWASP and WASC have joined forces for this year's AppSec 2007 conference, being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of the industry-leading experts will be in attendance presenting high-quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue are also perfect for networking and sharing experiences with others who are down in the trenches. AppSec 2007 expects to exceed all attendance records from previous years, making space extremely limited. There's only room for approximately 300 attendees. So if you're planning to come, please register soon.

For more details and registration:

The conference also features:
1) Two full days of tutorials on a wide variety of web application security topics.
2) A web services security track.
3) Vendor services and technology expo.

Location: The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

Training Days: November 12th-13th
Main Conference: November 14th-15th

WASC Meetup at IT Security World Conference on Sep 17

WASC is organizing another Meet-Up during the IT Security World Conference (Sep 17-18) in San Francisco, at O'Neills. As usual, this will be an informal gathering: no agenda, slide-ware, or sponsors. Baysec is also organizing a meetup at that time, and we are hoping to meet other security professionals from the Bay Area. Everyone is welcome and it should be a really fun time!

Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations.

Time: Monday, Sep. 17 @ 7:00pm


O'Neills Irish Pub
747 3rd St
San Francisco, CA 94107
Phone: (415) 777-1177

Wednesday, August 22, 2007

WASC WASSEC Project - Update

Thank you all for your patience. We have received an overwhelming response to the WASSEC (Web Application Security Scanner Evaluation Criteria) project. To proceed with the project, please:

1. Email the list address and reply to the confirmation email.
2. It is a moderated subscription, so every contributor has to be approved to send messages to the list.
3. Once you are subscribed to the list, email it to post messages.

All further communication will be done through the mailing list. Please keep checking your junk mail folder in case some messages go there. We are also in the process of setting up a wiki for the length of the project to post updates, etc. Until then I will be updating my blog with the project details.

Once again, thank you for your participation.

Monday, August 13, 2007

WASC Announcement: 'WASSEC Project' Call for Participants

WASC has announced a new project, WASSEC (Web Application Security Scanner Evaluation Criteria). WASC is currently seeking volunteers from various sections of the community, including penetration testers, scanner vendors, security researchers and also end users, to contribute to the project.

A brief description of the project:

The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on their identification of web application vulnerabilities and the completeness of that identification. It will cover things like crawling, parsing, session handling, the types of vulnerabilities detected and the information reported about those vulnerabilities. The goal of this project is to evaluate the technical aspects of web application security scanners and NOT the features they provide.

The project page can be found at

If you would like to be involved with the project, please contact Anurag Agarwal (

Sunday, August 12, 2007

Did WebApp developers learn from Samy worm?

At the Mozilla Pyjama party during Black Hat, Jeremiah and I met up with Bubba Gump, and he shared with us an interesting story about how he was able to do something similar to the Samy worm on another social networking site. His story just goes to show that there are so many other websites which are still getting hacked the same way but either have no clue or are in denial. We asked him to share his story with others in the community too, and said that if he could write it up for us, I would post it on my blog. The site developers were already notified of the vulnerability and they have fixed it, so I am posting this story on my blog. Here it goes:

Awhile back I read a Newsweek article about a new social networking website called This site is designed for making car-pooling arrangements and is run by an environmentalist CEO named Robin Chase. The idea is to help the environment and save money on gas at the same time – an interesting concept.

After signing up for a free account on the GoLoco site, I couldn't help but play around with it a bit. I started by going to the Modify Profile page and injecting <> tags into various items in my profile to see what would happen. For the most part, any tag I injected would be properly HTML encoded before being echoed back onto the page. However, they forgot to lock down two of the fields in my profile. Upon further experimentation, I found that each field had a max length of 255 characters and could hold a persistent Cross-Site Script. Nice!

Although some very interesting feats could be accomplished with this vulnerability, I sat on this info for a while – the Goloco site was new, with only about 1000 users at that time. There wasn't much glory to be had in creating another Samy worm on this site.

But two weeks later I received an email from Robin Chase. She laid down a challenge – the first Goloco user to exceed her in number of friends would win a free t-shirt. It was almost like she was asking to be XSSed!

I started by inserting some AJAX code into my profile that would make the person viewing it automatically POST a request to become my friend. In order to get more people to view my profile, I posted a trip from Boston to California. Most of the site's users are from Boston, so they would see this trip listed on their homepage upon logging in. Clicking on the Trip Details link would bring up my profile, which would cause the user to unknowingly make the friendship request.

I expected to start receiving lots of friendship request emails, but was disappointed at first. An average of just one or two requests came in per day, which reflected the low amount of traffic on this site and the fact that a user would have to click on my link out of a list of about 20 trips in order to be hit with the XSS. Clearly I needed to re-think my approach.

A little more exploration of the site led me to the breakthrough that I was hoping for. It turns out that the trip location names were also Cross-Site Scriptable, and the destination location name is what showed up on the homepage after a user logs in. This means that users no longer had to click on my link to get hit with the XSS – all they needed to do was log into the site and they'd immediately request to become my friend. I did not attempt to make the XSS payload wormable because I did not want to do anything that would cause damage to other peoples' profiles or trips.

After this new, improved XSS was put in place, the friendship requests started pouring in at a rate of about 15 per day, which for this particular site was impressive. A nice, unexpected side-effect is that I would receive an email every time a user logged into the site. I quickly got to learn the usage habits of various people – for example, one of the employees of the site had a strange tendency to log in at 4:00 AM. I also experienced another unintended side-effect. The site had no controls in place to prevent duplicate friendship requests from the same person, so I began to get spammed with duplicate requests as the same user hit the homepage multiple times. This became annoying after a while, so I modified my XSS to drop a cookie on the user's machine to track whether or not they had submitted a friendship request already – ah, much better!

While waiting for the friendship requests to come in, I explored the site a bit further, this time looking for interesting HTML comments. I discovered that the site's developers were displaying private communications between members in HTML comments. I was able to obtain lots of interesting info this way, including the names of all of the site's developers and CEO Robin Chase's cell phone number. This would come in handy later.

After three days, I had built up enough friendship requests to exceed Robin. And in fact, the last person to get hit with my XSS was none other than Robin Chase herself, who logged in bright and early at 6:45 AM. I removed the XSS, accepted all of the friendship requests that had queued up, and counted my friends – sure enough, I was ready to claim my prize.

Later that morning I called Robin and claimed my t-shirt. Interestingly, she didn't ask me how I obtained her cell phone number or how I had acquired so many friends so quickly. But she congratulated me and told me she'd send me the t-shirt.

Shortly after that, I got in touch with the people in charge of development for the site and told them about the security issues, which they quickly addressed. Today, Goloco is integrated with Facebook, so I suspect that it is a bit harder to hack than it used to be. And Robin, if you're reading this I just want to remind you that I'm still waiting for my t-shirt!
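The two defects the story turns on, as an added example that is not part of the original post or the GoLoco site's code: the rendering pattern it describes (most profile fields encoded, two forgotten, and the trip destination that reaches every homepage) beside the hardened form that encodes every user-controlled value, plus the server-side duplicate-request control the site lacked. The Profile and Trip structures, field names and the marker string are constructed assumptions, not the site's real schema.

```python
from __future__ import annotations

import html
from dataclasses import dataclass


@dataclass
class Profile:
    # Constructed stand-in for a GoLoco-style profile; each value is
    # user-controlled free text the site stored (max 255 chars each).
    name: str
    hometown: str
    about: str      # one of the two fields the story says was not encoded
    tagline: str    # the other


@dataclass
class Trip:
    origin: str
    destination: str    # the value shown on every user's homepage


# Harmless constructed marker: it only proves whether angle brackets survive
# into the rendered page. It is far under the 255-character field limit,
# which is why a length limit alone is not a control against injection.
MARKER = "<b data-marker=1>hi</b>"


def render_profile_original(p: Profile) -> str:
    """The pattern described in the story: most fields pass through the
    encoder, two are concatenated raw. Kept only to contrast with the fix."""
    return (
        f"<h1>{html.escape(p.name)}</h1>"
        f"<p>From: {html.escape(p.hometown)}</p>"
        f"<p>{p.about}</p>"        # forgotten field
        f"<p>{p.tagline}</p>"      # forgotten field
    )


def render_profile_fixed(p: Profile) -> str:
    """Hardened rendering: every user-controlled value goes through one
    encoder in one place, so no individual field can be 'forgotten'."""
    fields = [("h1", p.name), ("p", "From: " + p.hometown),
              ("p", p.about), ("p", p.tagline)]
    return "".join(f"<{tag}>{html.escape(val, quote=True)}</{tag}>"
                   for tag, val in fields)


def render_homepage_fixed(trips: list[Trip]) -> str:
    """Trip listing on the homepage. The story's second injection point was
    the destination name, which reached every user without a click; it gets
    exactly the same treatment as the profile fields."""
    rows = "".join(
        f"<li>{html.escape(t.origin)} to {html.escape(t.destination)}</li>"
        for t in trips
    )
    return f"<ul>{rows}</ul>"


def leaks_raw_markup(page: str, user_values: list[str]) -> bool:
    """Regression check for a template: True if any user value containing
    markup characters appears in the page verbatim (i.e. unencoded)."""
    return any(v in page for v in user_values if "<" in v or '"' in v)


class FriendRequests:
    """Server-side duplicate control. The story notes the site accepted the
    same friendship request over and over; the server, not a cookie in the
    requesting browser, should enforce one pending request per pair."""

    def __init__(self) -> None:
        self._pending: set[tuple[str, str]] = set()

    def submit(self, requester: str, target: str) -> bool:
        key = (requester, target)
        if requester == target or key in self._pending:
            return False            # rejected: self-request or duplicate
        self._pending.add(key)
        return True

    def pending_for(self, target: str) -> int:
        return sum(1 for _, t in self._pending if t == target)


def demo() -> dict:
    """Run both renderers and the request control over constructed data and
    return the facts a reviewer would check."""
    p = Profile("Alice", "Boston", MARKER, "carpooler")
    trips = [Trip("Boston", MARKER)]
    original = render_profile_original(p)
    fixed = render_profile_fixed(p)
    home = render_homepage_fixed(trips)
    reqs = FriendRequests()
    results = [reqs.submit("bob", "alice"), reqs.submit("bob", "alice")]
    return {
        "original_leaks": leaks_raw_markup(original, [p.about, p.tagline]),
        "fixed_leaks": leaks_raw_markup(fixed, [p.about, p.tagline]),
        "homepage_leaks": leaks_raw_markup(home, [trips[0].destination]),
        "first_request_accepted": results[0],
        "duplicate_accepted": results[1],
        "pending_for_alice": reqs.pending_for("alice"),
    }


if __name__ == "__main__":
    print(demo())
```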


My experience at BlackHat and DefCon

I came back from Black Hat and DefCon last Sunday. I was there for the entire 9 days (Black Hat and DefCon combined), and when I came back I realized why people say 9 days of Vegas are toooo long. It was my first time in Vegas so I didn't see it earlier, but now I have learnt my lesson. :)

It was a very enjoyable experience, though the party really took off on Tuesday night when most people started to come in for the briefings. I had dinner with the Mozilla guys along with several other webappsec professionals. I was talking to Dan from Mozilla and, to my surprise, he asked me "What kind of security features would you like to see in Firefox?" They also had a discussion with RSnake, Jeremiah Grossman and I am sure with some other webappsec professionals too. I am impressed by Firefox's approach. They are reaching out to the webappsec community and asking for their support and advice in making their browser more secure. I think it's a great start, and I know they will get flooded with suggestions, most of which they won't be able to include until the next decade, but at least they are sincere and making an effort (or so it appears; we'll find out soon enough).

I met a lot of great guys from the webappsec community, including people from Google, TiVo, VeriSign, iSEC Partners, Outpost24, eBay, Breach, Aspect Security, Ounce Labs and many more. Some of them I didn't know before, some I had interacted with via email earlier, and some I had done a reflection on, but it's great to meet them in person (RSnake, Ryan Barnett, Ivan Ristic, Alex Stamos, Robert Auger, Andrew van der Stock, Jeff Williams, Dinis Cruz). I spent some time with id from He takes time in opening up, but when he does, he is actually a very nice guy (that is, only if you are not planning to take his laptop away from him).

I also got a chance to meet the ex-L0pht guys; they are now running their own company (SafeLight). Rob Cheyne (the guy who wrote LC4 and also the CEO of SafeLight) handed me his business card in a sleeve. Interesting, why is that? Actually, the sleeve is a radio-frequency blocking sleeve to protect your RF-enabled credit cards from being stolen even when they are safely tucked in your wallet.

Bubba Gump was another guy I can recall very well, since he had a very interesting story to share, which I will publish as a separate post as it is well worth the read.

The award for the most hilarious presentation of Black Hat and DefCon goes to Jeff Moss. Jeff Moss gave a presentation titled "Cisco Gate" (his experience with the Cisco IOS flaw presentation fiasco). The content, of course, was interesting since everyone wanted to know the "behind the scenes" story, but I think his delivery was equally good. We could not stop laughing through the entire length of the presentation.

Last but not least, the OWASP-WASC party was a huge success. There were over 350 people who came to the party. The feedback I got from several people was that it was the best party of Black Hat. Many thanks to Heather Cason of Breach Security, who did an excellent job in organizing the whole show. She also sent me the pictures of the party, which you can see below.

Monday, July 02, 2007

Reflection on Dinis Cruz

In the last episode of Reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is the Chief OWASP Evangelist and a member of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences, and leads the OWASP .NET Project, where (amongst others) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London, specializing in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

"When I was 10 years old I started programming assembly on my brother's ZX Spectrum 48k. I remember being very happy using PEEK and POKE to manipulate pixels on the screen (I also remember translating assembly code into bytes by hand, since at the time I had a book on assembly but no compiler; ahhhh, these kids today have it so easy).

I then went through an Amiga phase (probably the best computer ever, which was at that time miles ahead of everybody else), trying to write games and cool demos (again, there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14440 Modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of network security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey!, why don't you publish this material on OWASP and manage the OWASP .Net project?", which I accepted, and I have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET research and eventually became the Chief OWASP Evangelist."

Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Roadmap to a Partial Trust Managed Code world

‘Security Awareness Modes’ & the ‘day Microsoft changes’

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes

An 'Asp.Net' accident waiting to happen

Microsoft must deliver secure environments not tools to write secure code
Full Trust Asp.Net Security Vulnerabilities, and Microsoft's current position

What are the 'Real World' security advantages of the .Net Framework and the JVM?

.NET research from OWASP .NET Project

Rooting The CLR (demo files available on request)

Buffer OverFlow in ILASM and ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order

Full Trust CLR Verification issue: changing the return address order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference

Manipulating private method behavior by overriding public virtual methods in public classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest

Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)

OWASP Site Generator

OWASP Report Generator

.NET Assembly Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services)

Video of above is located here

Foundstone's CodeScout (basic Source code analysis tool)

Foundstone's .NETMon (Flow Trace Tool for .NET)

HttpModule for Foundstone’s Validator.NET

OWASP’s SAMSHE (Security Analyzer for Microsoft's Shared Hosting Environments)
is a part of

OWASP’s ANSA (Asp.Net Security Analyser)

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers

Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Created and organized the OWASP Autumn of Code 2006

OWASP Spring of Code 2007

Participation as a speaker in several Security Conferences (including Keynote presentations at OWASP conferences)

Buffer Overflows on the .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications" , 2006 Seattle

Keynote OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications.”, 2006 Europe ( Leuven )

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon , 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


FSTV (Foundstone TV) Interview on '.NET, web security tools, the future of OWASP, and ‘Open Source Software' , BlackHat 2006

Attacking Web and Windows Apps ( UK 's DDD3 on Jun 2006)

Attacking Web and Windows Applications (presented in the DDD2 on Oct 2005)

Rooting the CLR, OWASP conference in DC's NISC, Oct 2005


Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)

Black Hat in Las Vegas (July 28th/29th and July 30th/31st )

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp ( Intense School / Vigilar)



Company working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example, the Black Hat training in Las Vegas for IOActive).

Companies worked for:-

Dinis has been the director of his UK-based company for 10 years now, and has worked (under direct contract) for companies like Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, the UK's Defence Science and Technology Laboratory, the UK's Department for Transport, the UK's Competition Commission and many others.


Dinis.Cruz at




Dinis has 50% of a degree from Portugal's University of Algarve in 'Computing Systems and Analysis' (where he completed 3 out of five years) and 50% of a degree from the UK's University of Westminster in 'Commercial Music' (where he completed 1½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’

Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this, the Reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me putting all the information together. It has truly been a fantastic experience.

Last Week - Cesar Cerrudo

Monday, June 25, 2007

Reflection on Cesar Cerrudo

This week on Reflection we have someone who has done a lot of database research, published several advisories, and presented at Black Hat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company, "Argeniss", and has contributed a lot to making some databases more secure today. He has also identified a lot of vulnerabilities in Microsoft Windows, Microsoft Commerce Server, etc. He is passionate about application security and a big believer in the open source community, both for software and for books. Cesar shares his journey with application security in his own words:

"I think I have always had a "hacker mind", for calling it in some way; I remember being a child and breaking things to look inside. When I was 10 or so I got my first computer, a CZ Spectrum (I don't remember the exact model), but it ran BASIC. When I wanted to learn how to use it and to code in BASIC, I went to a place for kids but got bored after many days of being taught PRINT "HOLA MUNDO" only, so I used that computer for games (games were stored on an audio cassette tape and loading them required playing it in a cassette player). I learnt a few tricks looking at the guy from a store that recorded games, so I started to modify screens when the games were loading; I also hacked multilevel games by loading parts of one level and the rest from a different level, which for my age was a big deal. After a couple of years I stopped using that computer and I didn't do anything computer related for several years, apart from taking a few boring classes on MS DOS, QPRO, Lotus, etc. When I was 19 I started to study Computer Science but I didn't have a PC (they were a bit expensive on this side of planet earth), so I only read old books available at the university and played with a friend's computer. In those days the challenge was to try running cool games on old computers; I became an expert in MS DOS :)

I remember one day being very excited because I found the assembly code of an MS DOS virus on one of the PCs at the university. I spent several hours with an old assembly book (thanks Norton-Socha!) until I learnt how the virus worked (in the process I learnt some x86 assembler without coding it on a PC). After some time I started to work on client/server software for a couple of different local companies, and one of the companies had Internet access, so I started using the Internet. Since I always liked hacking, and the Internet was a really good source of information, I started to learn something about hacking for the first time. I was lucky, since I had a good academic background in programming, computers, etc., so I didn't end up reading and learning stupid things, but because I had an old PC and no Internet access at home I couldn't test much of the stuff I learnt. Then I took up a new job where I started using the Internet frequently and started trying things in my free time; this was like 7 years ago, and that was when I started with webappsec. I had worked a lot with MS SQL Server, so when I first read about SQL Injection I was really amazed by it and I started to create my own techniques, tools, etc.

That's when I started to play with MS SQL Server, and after some time I found my first vulnerability, then the next one and so on, until I realized I had found dozens of vulnerabilities in MS SQL Server. I also learnt how to code exploits and new techniques for finding vulnerabilities; since then I have found several vulnerabilities in MS Windows, Oracle Database Server, etc. I have also created new exploitation and attack techniques. A few years ago I designed and wrote a complete web application scanner for a security company; the scanner at that time was better than other available web app scanners, but because of some patent issues the product stopped being sold (hurray for Watchfire!!!). Currently I do research on application security, mostly focused on database security, and in my spare time I like to hack MS Windows :)

I always try to keep big vendors improving on security; I don't care if I have to publish 0day vulnerabilities or controversial papers in order to accomplish that. I have been offered the chance to write books, but the only way I can write or contribute to a book is if it will be available for free in some way (electronic, etc.). I know what it is not to have resources for learning; all people should have easy access to knowledge. Books only make money for the editors, and people without money can't get them."

Based out of Parana, Entre Rios, Argentina, Cesar is 31 years old. Below is a list of his contributions to the community.


Hacking databases for owning your data

Practical security audit: Oracle case

WLSI-Windows Local Shellcode Injection

Story of a dumb patch

Demystifying MS SQL Server & Oracle Database Server security

Hacking Windows Internals

Auditing ActiveX Controls

Hunting Flaws in SQL Server

Manipulating Microsoft SQL Server Using SQL Injection

Tools written by him:-


Shared section tools


WASC - Web Security Threat Classification


Microsoft Windows Kernel GDI local privilege escalation procedure

Oracle Database Server Directory traversal

COM+ Vulnerability

COM Structured Storage Vulnerability

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

Vulnerability in Windows LSASS Could Allow Elevation of Privilege

Multiple vulnerabilities in Oracle Database Server

Vulnerability in Utility Manager Could Allow Code Execution

Utility Manager Vulnerability

Biztalk Server Vulnerabilities

Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution

Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability

Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability

Multiple buffer overflows in DBCC and SQL Injections

BULK INSERT buffer overflow

Encoded password written by service pack

Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures

xp_dirtree Buffer Overflow

Heterogeneous Queries Buffer Overflow


Hacking databases for owning your data - Black Hat Europe 2007

Practical security audit: Oracle case - Black Hat DC 2007

DataTheft - How databases are hacked and how to protect them - No cON Name 2006

WLSI - Windows Local Shellcode Injection - Black Hat Europe 2006

WLSI - Windows Local Shellcode Injection - EUSecWest/core06 conference

Database Hacking and Security - Web Application Security and Hacking

Demystifying Microsoft SQL Server & Oracle Database Server security - Black Hat USA 2005

Hacking Windows Internals - cansecwest/core05 conference

Hacking Windows Internals - Bellua Cyber Security Asia 2005

Hacking Windows Internals - Black Hat Europe 2005

Auditing ActiveX Controls - Black Hat Windows 2004

Hunting Flaws in MS SQL Server - Black Hat Windows 2003

Company working for:-


Companies worked for:-

Application Security Inc.





Analyst programmer

Cesar is very driven and passionate about application security, and is one of the best in database security. Though he doesn't have a blog right now, you can get all the information on his website, along with his whitepapers and the latest on database security.

Last Week – Alex Stamos

Next Week – Dinis Cruz

Monday, June 18, 2007

Reflection on Alex Stamos

This week on reflection we have Alex Stamos from iSEC Partners Inc. Alex has been involved in webappsec for some time now and has presented at Blackhat, ToorCon, OWASP, ISACA, etc. He is a founder and Vice President of Professional Services at iSEC. He is a leading researcher in the field of web application and web services security and is also a co-author of the upcoming book Hacking Exposed Web 2.0. Alex shares with us how he got started in the webappsec field. In his own words

"Back in 2001 I started working at Loudcloud, which was basically a large ISP/ASP made famous by the fact that Mark Andreessen was a founder. While there, I ended up with the primary security responsibility for about 50 Fortune-500 web applications. Through a series of late night pages, self-exploration through our customers' code, and a couple of hairy incidents, I decided that web app security was way more important to these apps than double-checking the firewall rulesets or slightly decreasing how fast we patched OpenSSH.

At @stake, a major focus of my work was penetration testing of web applications and teaching classes to web app developers on how to stop making the same mistakes others had already made. Since we started iSEC about three years ago, web application and web services security has been a major focus of my research and work with clients, although I also dabble in other security areas such as forensics."

Based out of San Francisco, CA, US, Alex is only 28 years old. Below is a list of his contributions to the community.


Co-authored - Hacking Exposed Web 2.0 (to be released soon)

Tools written by him:-

Alex has worked on a few SOAP security tools with Scott Stender and Jesse Burns, and is releasing some new file and file system fuzzing tools to attack forensic software at BlackHat this summer.
All the tools can be found on the iSEC website.


Upcoming - "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" - BlackHat USA 2007

"Vulnerabilities 2.0 in Web 2.0: Next Generation Web Apps from a Hacker's Perspective" - Web 2.0 Expo, BlackHat USA, BlackHat Japan, ToorCon, ACM Reflections/Projections, OWASP SF

Cyber Crime- Security, Strategy & Solutions - ISACA Silicon Valley Annual Conference

"Cross-Domain Request Forgery and Web Crimes" - SF Bay Infraguard with Jesse Burns

Attacking Web Services - BlackHat USA, CanSecWest, OWASP App Sec, SyScan





Company working for:-

Founder and Vice President of Professional Services at iSEC Partners, Inc.




Companies worked for:-

@stake, Loudcloud, E.O. Lawrence Berkeley National Laboratory


BS in Electrical Engineering and Computer Science - University of California, Berkeley.

Last Week – pdp
Next Week – Cesar Cerrudo

Monday, June 11, 2007

Reflection on pdp

This week on reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (Firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented on Advanced Web Hacking Revealed at the OWASP AppSec Conference in Italy in 2007. In his reflection pdp shares with us how he got started in the webappsec field. In his own words

“I have always been fascinated by the power of the Web, but it was around the year 2000 when I got into web application security. Other than that, my interest towards IT security has been growing since 1995. Funny enough, it was "Hackers", the movie, that sort of inspired me to spend my time on solving interesting problems with my not-so-advanced for that time PC, rather than wasting time on games. Back then, I had a 286 MHz "Pravetz", produced in Bulgaria. One of my first projects was a simple calculator that was also password protected. When I finished the project, I also learned how to trick the password protection mechanism by modifying the jumper inside the program binary. That was fun. The Bulgarian underground scene used to be a great resource for me to learn. I started reading an online-zine called Phreadom. I am still looking for the old issues but I guess they are somehow lost forever.

I started hacking from the time I learned how to program. My Dad told me that programming is one of the few professions out there that teaches you about the world in general, since programmers try to reflect real world problems into easy to maintain and use software products. That made me start thinking outside the box. I define myself as a life-hacker. I guess this is the reason why I am where I am today. When I came to the UK I didn't want to waste time, so I did a lot of security related projects. This is when my IT Security career started. I was 18 and I was doing the stuff that I wanted to do all my life.”

Based out of London, UK, pdp is only 22 years old. Below is a list of his contributions to the webappsec community.


XSS Attacks: Exploits and Defense


The Web has Betrayed Us

Persistent CSRF and The Hotlink Hell

Preventing CSRF

Sex, Candies and Bookmarklet Exploits

The Machine is Using Us

Playing in Large

Universal PDF XSS After Party

Danger Danger Danger

Web OS

Cross-site Request Forgery

The 0XSS Credo

The Backdooring Series:

The XSSing the Lan Series:


Advanced Web hacking revealed

Tools written by him:-

Some of the tools published by him

JavaScript YPipes Spider

JavaScript TinyURL Filesystem

Google Hacking Database Interface

JavaScript Port Scanner

Greasemonkey Backdoor

Exploit Development Environment for Firefox

Geo position Zombies on a map

Attack Framework for controlling zombies

Simple JavaScript testing framework

Powerful JavaScript based attack library

The Cross-site Scripting database

Powerful and very customizable attack communication channel

Set of utilities useful when performing enumeration attacks

Company working for:-






Companies worked for:-


pdp has a vast knowledge of the different technologies and frameworks available on the internet. If you are not already following his blog, then I would recommend doing so. He brings up some good points for the webappsec community.

Last Week – Saumil Shah
Next Week – Alex Stamos

Wednesday, June 06, 2007

WASC meetup in Blackhat USA 2007

OWASP and WASC have joined hands to have a combined meetup at Blackhat USA 2007 in Las Vegas, which was earlier planned as a WASC meetup. Breach Security has stepped forward to sponsor the event. Please click on the image to see a larger version of the invite. Come and join us for a drink and meet other like-minded people from the industry.
NOTE: Those who have already RSVPed need not RSVP again.

Tuesday, June 05, 2007

Any Java developers in the Bay Area?

Are there any Java developers in the Bay Area who are interested in working together on some of the research ideas I have in web application security?

Most of the development would be in Java. Knowledge of JavaScript is a plus. Knowledge of the webapp security field is optional.

Interested? Contact me on

Monday, June 04, 2007

Reflection on Saumil Shah

This week on reflection we have Saumil Shah from Net-Square Solutions. Saumil has been involved in the webappsec community for a long time and is a regular presenter at Blackhat. He focuses on researching vulnerabilities in various e-commerce and web based application systems, on system architecture for Net-Square's tools and products, and on developing short term training programmes. He specializes in ethical hacking and security architecture. In his reflection, Saumil shares with us how he got involved in webappsec. In his own words

“My original interest in security has always been Unix hacking and reverse engineering. In 1998, when I joined Ernst & Young as a penetration testing specialist, we used to have a field day with systems wide open on the Internet. NetBIOS and SunRPC made our day. Not to mention a slew of other services like open database ports, terminal ports, and more. By the end of 1999, the only ports we could find open on the Internet were 80 and 443. Not to be outdone, I ended up finding out ways to compromise systems, this time using HTTP and the application behind it.

Leaving apart the whole idiotic debate on hacking vs. cracking, I shall say that I truly started hacking at the age of 11. My first few "hacks" were to spot programming errors in home computer magazines, for the ZX Spectrum and the BBC Micro, fixing them while keying in long listings in BASIC, and enjoying the games until I had to unplug the power. The only storage medium was cassette tape back in 1984.”

Based out of Ahmedabad, India, Saumil is only 33 years old and is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996). He has served as a technical editor for "Hacking Exposed 2nd Ed", and has contributed to the "Know your Enemy - the Honeynet Project" book. Saumil has also presented at Blackhat, CNET eDevCon, EUSecWest, and many more. Below is a list of his contributions to the webappsec community.


Web Hacking - Attacks and Defense

The Anti Virus Book


Saumil did a monthly column for two years on C-NET, titled “Security Issues”, along with Chris Prosise.

One Way Web Hacking

An Introduction to HTTP fingerprinting

Tools written by him:-

httprint - Advanced HTTP Fingerprinting


One of the very early members of The Honeynet Project in 2000.


Web Hacking


The Exploit Laboratory: Analyzing Vulnerabilities and Writing Exploits (Black Hat Europe 2006 Briefings and Training, Black Hat USA Training 2006)

Defeating Automated Web Assessment Tools

HTTP Fingerprinting and Advanced Assessment Techniques – (BH Europe 2004, BH Asia 2003, BH Federal 2003, BH Windows 2004)

HTTP: Advanced Assessment Techniques

Top Ten Web Attacks

One-Way SQL Hacking: Futility of Firewalls in Web Hacking

Writing Metasploit Plugins - From Vulnerability to Exploit

CNET eDevCon 2000: "Hacking Exposed: Ecommerce - Live!"

Company working for:-

Net-Square - Founder and CEO

Companies worked for:-

Ernst & Young, Foundstone





M.S. Computer Science, Purdue University, USA - graduated in 1998
B.E. Computer Engineering, Gujarat University, India - graduated in 1995

Saumil has also been doing pre-conference training for the past 6 years at Blackhat, and has also taught classes at CanSecWest and Hack in the Box. I am sure we will see a lot more contributions from him going forward.

Last Week – Stefano Di Paola

Next Week – pdp

Monday, May 28, 2007

Reflection on Stefano Di Paola

This week on reflection we have Stefano Di Paola, who caught everyone's attention through his paper Subverting Ajax, which talked about the Acrobat Reader plugin vulnerability and a JavaScript prototype exploit. Those of you who were around will remember the commotion on the WASC mailing list at the beginning of this year: tons of emails going back and forth on a vulnerability identified in the Acrobat Reader plugin, which had the potential of affecting almost all the websites hosting PDF files (Universal XSS).

Stefano has released several advisories, including some for issues that were patched but never publicly disclosed. He has also contributed to the OWASP Testing Guide and is also the Research & Development Director of the OWASP Italian Chapter. Today he shares with us how he started with web application security. In his own words

“When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, so I asked my parents to buy me another one with the promise not to break it again. I kept that promise… or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recording while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty at the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite funny, but when I managed to install my first Linux 2.0 on my PC, the approach and the vision were going to change inside me. I had already worked on Sun Solaris and AIX at the University, but Linux was my first Unix love. The research and the study of Linux configuration tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on an SGI Workstation at the university while I was finishing my master's degree thesis. As the sysadmin was sick I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and I told him how to fix the issue.

It was in 1999 the first time I stumbled upon and I was amazed by the quantity of information about hacking old style CGI web pages and search engines. Since a large number of web servers were on *nix OS flavors at that time, my background in Linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws in CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls, but since it was the early days of web application security and no information on WAFs was available on the net, I gave up. But it was in 2004 that I decided to work as a web application security consultant and released my first public advisory.

I've been working as a freelancer in Italy from 2000 to early 2007, then I founded Minded Security (an Application Security company with the mission to build a Center of Excellence on Web Application Security in order to give high quality services).”

Based out of Florence, Italy, Stefano is 35 years old and works as a freelance ICT security consultant and software architect for several companies and public institutions in Italy. Below is a list of his contributions to the webappsec community.


Universal Cross Site Scripting (Internet Magazine - Italy)

The Owasp Testing Guide (Hackin9)

Several sections in the Owasp Testing Guide v 2.0

XML Injection

Xpath Injection

LDAP Injection

Mysql Injection

Ajax Testing


Research & Development Director of Owasp Italian Chapter.

Tools written by him:-

PassBroker - a PHP extension which dispatches secrets that are often embedded in the clear inside PHP web pages (i.e. SQL usernames and passwords).

HMAUTH - HTML form authentication using HMAC

Anti Tamper Module for Apache 2.0 - a module which parses every outbound HTML page and adds a signature to every static link and to cookies, in order to prevent malicious users from tampering with GET parameters and cookies.

Rul-o-matic - a web agent for generating whitelist mod_security rules.
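To illustrate the mechanism behind the Anti Tamper Module and HMAUTH listed above, here is an added Python example (not Stefano's code, and not how his Apache module is implemented): outbound links and cookies get an HMAC over their content, and the server rejects any link or cookie whose signature no longer matches. The key, the `sig` parameter name and the sample URLs are constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed demo key; a real deployment keeps it server-side only and rotates it.
SERVER_KEY = b"demo-secret-key-not-for-production"
SIG_PARAM = "sig"  # assumed name of the signature query parameter


def _canonical(params):
    """Sort the parameters so the signature does not depend on their order."""
    return urlencode(sorted(params))


def _link_mac(path, params, key):
    """HMAC-SHA256 over path plus canonical query, which binds params to that path."""
    msg = (path + "?" + _canonical(params)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_link(url, key=SERVER_KEY):
    """Append a signature to an outbound link (what the module does to each static link)."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    sig = _link_mac(parts.path, params, key)
    return urlunsplit(parts._replace(query=urlencode(params + [(SIG_PARAM, sig)])))


def verify_link(url, key=SERVER_KEY):
    """Return the verified GET parameters as a dict, or None if the link was altered."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:          # missing or duplicated signature: reject
        return None
    rest = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = _link_mac(parts.path, rest, key)
    # compare_digest keeps the comparison constant-time
    if not hmac.compare_digest(expected, sigs[0]):
        return None
    return dict(rest)


def sign_cookie(value, key=SERVER_KEY):
    """Cookie form of the same idea: the value followed by its HMAC, dot separated."""
    sig = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the cookie value if its signature checks out, else None."""
    value, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, sig) else None


if __name__ == "__main__":
    link = sign_link("/account/view?account=1001&tab=statements")
    print("signed link :", link)
    print("genuine     :", verify_link(link))
    print("tampered    :", verify_link(link.replace("account=1001", "account=1002")))
    cookie = sign_cookie("role=user")
    print("cookie ok   :", verify_cookie(cookie))
    print("cookie bad  :", verify_cookie(cookie.replace("role=user", "role=admin")))
```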

Company working for :-

Co-founder of Minded Security.






Web Security By Example - SMAU (Italy)

Subverting Ajax - 23rd CCC (Germany)

Ajax Security - Infosecurity (Italy)

Testing Flash Applications - 6th Owasp AppSec Conference (Italy)

Lectures (University of Florence):-

Secure Software Development Life Cycle (2007) - PhD course, Faculty of Software Eng.

Web Development Security (2005/2006) - 'Databases' course, Faculty of Software Eng.


Php RFC1867 Arbitrary File Upload (10/2004)

Php shmop safemode bypass and write to arbitrary locations (10/2004)

MySQL Server CREATE FUNCTION libc arbitrary code execution (03/2005)

MySQL Server CREATE FUNCTION mysql.func table arbitrary library injection (03/2005)

MySQL Server insecure temporary File Creation (03/2005)

MySQL Server COM_TABLE_DUMP Information Leakage and Arbitrary Command Execution (04/2006)

MySQL Server Anonymous Login Handshake Information Leakage (04/2006)

Acrobat Reader Plugin Multiple Vulnerabilities (01/2007)

Php import_req_var globals overwrite Advisory (03/2007)

IE and Firefox Digest Authentication Request Splitting (04/2007)


Master's in Software Engineering (University of Florence)
Certified Lead Auditor ISO 27001.

Stefano recently released a paper on Flash vulnerabilities at the OWASP Europe conference and is also working on some new and interesting research ideas. All those in the webappsec community should definitely keep an eye on him.

Last Week – Ryan Barnett
Next Week – Saumil Shah