This blog is created to keep track of my activities and place holder for sharing. Enjoy!
Saturday, November 08, 2008
DeepSec 2008 - Training & Research
Training on Enterprise Secure Application Coding
Sunday, October 05, 2008
HITB 2008 ...
We are conducting training and speaking on Web 2.0 Attacks at HITB in Malaysia. They have great trainings and talks lined up this year as well. I look forward to meet lot of folks out there.
Training
Talk
Friday, August 15, 2008
More on it.
Sunday, July 20, 2008
One Day Workshop Series
More information here.
Tuesday, June 24, 2008
AppCodeScan 1.2 - Posted...
Link to tools page
Wednesday, June 11, 2008
Secure Application Coding Training at Syscan Singapore
[1st July 2008] Syscan - Singapore
Secure Application Coding Training
Application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. To avoid these sort of security issues one needs to follow sound secure coding and design principals. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to the production. The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum.
Secure Coding course for Applications is hands-on class. The class features real life cases, hands one exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class would then focus on what are the proper ways of writing secure code and analyze the code base. This class addresses popular languages and platforms like VB/C# (.NET), Java(J2EE), PHP, ASP etc.
Friday, May 30, 2008
Paper on Blind SQL injection
This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges.
Download - PDF
Read here in HTML
Thursday, March 20, 2008
HackInTheBox & RSA 2008- Blueinfy Training and Research
Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.
Presentation Title: Securing Next Generation Applications – Scan, Detect and MitigatePresentation Details:
McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking site but forming backend to enterprise level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation will be full of real life cases, live demonstrations, new tools and techniques along in-depth coverage on the latest concepts and methodologies.
Presenting Research at RSA 2008
Session Code: SOA-202
Session Title: Web 2.0 Security Chess: Combat Strategies and Defense Tactics
Scheduled Date/Time: Wednesday, April 09 09:10 AM
RED ROOM 310
Session Abstract: Ajax, web services and rich Internet (Flash) are redefining moves on the security chessboard. Attack strategies are emerging like cross-site scripting with JSON or cross-site request forgery with XML. This session will cover Web 2.0 attacks, tools for assessment, and approaches for code analysis with demonstrations. Professionals can apply knowledge in real life to a secure Web 2.0 application layer.
Agenda
Thursday, March 13, 2008
Infosecworld 08 - Presentations on iHTTPModule and CSRF
[CSRF]
[.NET iHTTPModule - Interesting stuff]
Sunday, March 09, 2008
InfosecWorld - iHTTPModule and CSRF
Monday, March 03, 2008
Workshop in Dubai - Application Security
Having 2 days workshop for ISACA in Dubai. Look forward to meet some of UAE folks. Cheers!
If you are interested in joining - More Detail
Saturday, February 16, 2008
BLackhat DC - On Web 2.0 Scanning
Scanning Applications 2.0 - Next generation scan, attacks and tools
Ajax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.
This presentation will focus on core Web 2.0 security issues along with assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture with security standpoint. We will evaluate real life vulnerabilities with Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is very critical step to determine application security posture. 3.) Crawling Ajax driven application is biggest challenge and we will cover approaches to address this critical issue by dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 application for security holes is an emerging issue. It needs lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses for SOAP, REST and XML-RPC based Web Services along with innovative fuzzing.