OWASP Belgium Chapter Meeting #3

by admin

This was the third chapter meeting this year and took place on the 12th of September. The slideshows for the presentations can be found here: https://www.owasp.org/index.php/Belgium


First talk: You are what you include: remote JavaScript inclusions

A talk by Steven Van Acker about the dangers of including JavaScript from remote hosts in web pages.

There are three parties involved:

  • The user browsing the website, who potentially gets served malware
  • The website owner, who is responsible for including the offending scripts
  • The third party that is hosting the offending script


All three parties can take action to prevent misuse; for the details I refer to the presentation itself or the excellent paper co-authored by Steven Van Acker.


The attack is very interesting and works as follows:

  • Find a company that hosts JavaScript for other websites (e.g. Google Analytics) and whose script is used by many and/or high-traffic websites
  • Compromise the server and add malware to the JavaScript, making sure the original functionality remains so that no suspicion is raised
  • Watch the explosion in compromised systems of unsuspecting surfers


This talk just confirmed my resolve to block as many scripts as possible in my browser using the excellent NoScript plugin.


Second talk: Modern information gathering

A talk by Dave van Stein.

The main focus of the talk was on information-gathering techniques that involve no contact with the target system or server. Many tools were discussed; some of them aggregate the results of other tools and find relations between them.

Check out the presentation to see the tools used: many are well known, but some were new to me and looked very promising.
