Monday, August 18, 2008

OWASP NYC is coming!

The OWASP 2008 Application Security Conference is September 24th & 25th 2008
in New York City.

With over 50 AppSec speakers, 6 training classes and a Capture the Flag event, this is the largest web application security focused conference anywhere; don't miss it!

Event agenda and registration:

Monday, August 11, 2008

SurfJacking: HTTPS will not save you, but "secure" will

There is a lot of talk out there about a new tool for "SurfJacking". The basic premise is that an attacker can compromise your session even if you are using SSL. This sounds scary, and it is bad. If you get lazy about reading papers, as I sometimes do, here is the primary fix. Use the "secure" flag for your cookies.

What is the secure flag?
"A cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping." - OWASP

Don't get hung up on the "critical for the integrity" part. If you went to the effort to create a cookie for the user, it's probably important. Go ahead and set the secure flag.

Haven't heard of SurfJacking? Look here
New Tool to Automate Cookie Stealing from Gmail, Others. Washington Post
SurfJacking.pdf from

Since we are setting flags, go ahead and also set the httpOnly flag. This is unrelated to the above issue, but it's a good move and will help prevent XSS cookie theft.
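To make the two flags concrete, here is an added example (not code from this post or from OWASP) that builds a session cookie with both Secure and HttpOnly set using Python's standard-library http.cookies, and audits a captured list of Set-Cookie headers to report which cookies are still missing either flag. The response headers it audits are constructed for the demonstration; the function names are my own.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, max_age=3600):
    """Return a Set-Cookie header value with Secure and HttpOnly set.

    Secure keeps the browser from sending the cookie over plain HTTP, which is
    what SurfJacking relies on; HttpOnly hides it from document.cookie, which
    blunts cookie theft via XSS.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True      # only transmitted over HTTPS
    morsel["httponly"] = True    # not readable from script
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value; return (cookie name, missing flags)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # attribute names are case-insensitive; flags carry no "=value"
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return name, missing


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as captured from one HTTP response.

    Returns {cookie name: [missing flags]} for every Set-Cookie header seen.
    """
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            name, missing = audit_set_cookie(hvalue)
            findings[name] = missing
    return findings


# Constructed sample response headers for the demonstration (not real traffic).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Path=/"),                   # exposed to both attacks
    ("Set-Cookie", "pref=dark; Path=/; HttpOnly"),          # still leaks over HTTP
    ("Set-Cookie", build_session_cookie("session", "xyz789")),  # hardened
]

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing) or 'nothing'}")
```

Run it against headers captured from your own application's login response; any cookie reported as missing Secure is one that a surf-jacking style downgrade could expose, regardless of whether the login itself happened over SSL.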

-Michael Coates

Chicago OWASP Event

The next Chicago OWASP meeting is just around the corner. I highly recommend you attend if you weren't planning to already.

When: Thursday, August 21st, 2008 at 6pm CDT.
Where: Bank of America Plaza at 540 W. Madison, Downtown Chicago, 23rd floor.
RSVP: RSVP to jason{AT} by 8/19/2008 if you plan to attend.


6:00 Refreshments and Networking
6:15 Bad Cocktail: Spear Phishing + Application Hacks - Rohyt Belani, Managing Partner, Intrepidus Group
7:15 Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Jeremiah Grossman, Founder & CTO of Whitehat Security

See you there.
-Michael Coates

Friday, August 1, 2008

Heading to Black Hat

I'll be heading to Black Hat this weekend. Stop by the Advanced Web Application Penetration Testing and say hello. Otherwise I'll be at the OWASP/WASC event on Wednesday and of course attending the sessions on Wednesday/Thursday.

Looking forward to a good conference...

-Michael Coates