Grade One Homework

Sunday, May 28, 2023

July 2019 Connector

OWASP
Connector

July 2019

Communications | Projects | Events | Community | Membership

COMMUNICATIONS

Letter from the Vice-Chairman:

Since the last Connector, the Foundation has seen an extremely positive response to hosting a Global AppSec conference in Tel Aviv. The event was well attended with great speakers and training, furthering our mission to improving software security on a global level.

Next up we have a Global AppSec conference in both Amsterdam and Washington DC. We have migrated away from the regional naming convention so in previous years these events would have been Europe and US. Planning for both events is well underway with some excellent keynotes being lined up. We hope you can join us at these conferences.

As part of our community outreach, the Board and volunteers will be at BlackHat and DEFCON in Las Vegas next month. The Board will have a two-day workshop two days before the conference, but during the conference will look to talk to and collaborate with as many of the community as possible. We are really looking forward to this.

It is that time of the year again, the global Board of Directors nominations are now open. There are four seats up for re-election: mine (Owen), Ofer, Sherif, and Chenxi. I would ask those who would like to help drive the strategic direction of the Foundation to step forward. If you are not interested in running, why not submit questions to those who are running.

Recently the Executive Director has put forward a new initiative to change the way in which we utilize our funds in achieving our mission. The aim here is to have one pot of money where there will be fewer restrictions to chapter expenses. Funds will be provided to all, albeit as long as they are reasonable. The Board sees this as a positive step in our community outreach.

Finally, I would like to ask those who are interested in supporting the Foundation, reach out to each Board member about assisting in one of the following strategic goals, as set out by the board at the start of the year:

Marketing the OWASP brand
Membership benefits
Developer outreach
- Improve benefits
- Decrease the possibility of OWASP losing relevance
- Reaching out to management and Risk levels
- Increase involvement in new tech/ ways of doing things – dev-ops
Project focus
- Get Universities involved
- Practicum sponsored ideas
- Internships
Improve finances
Improve OWASP/ Board of Directors Perception
Process improvement
Get consistent Executive Director support
Community empowerment

Thanks and best wishes,
Owen Pendlebury, Vice Chair

DC Registration Now Open Sponsorship Available - Registration Opens Soon

UPDATE FROM THE EXECUTIVE DIRECTOR:

Change: If we change nothing, how could we expect to be in a different place a year from now? It has been truly a pleasure these first six months as your Interim Executive Director and I look forward to many years to come. Everyone has done a great job helping me see our opportunities and challenges. And the challenges are real - both internally and our position in the infosec community. I'm biased toward action.

My first task has been to redesign and optimize our operations. This will help staff to be more responsive while also saving the funds donated to the Foundation for our work on projects and chapters. This will also mean changes for you too. Communities work better when everyone always assumes we are all operating with the best of intentions. I can assure you that is the case of our Board, leaders, and staff. Evaluate our changes through this view and we'll save time and our collective sanity.

One big project that is coming to life is our new website. We will soon be entering our 20th year and we needed to not just refresh the look but completely retool it for the next 20 years. We are rebuilding it from the ground up and we can't wait to share our progress. Over the next month or so we will be sharing more information on that project. Stay tuned!

Mike McCamon, Interim Executive Director

OWASP FOUNDATION UPDATE FROM EVENTS DIRECTOR:

OWASP is pleased to announce our newest staff member, Sibah Poede will be joining us as the Events Coordinator and will begin full-time on 1 July.

Sibah is a graduate of London South Bank University where she received a BA (Hons) Marketing Management. Prior to that, she gained a diploma in Market & Economics at the Copenhagen Business School, Neil's Brock, Denmark. After graduation, she launched her career in London working with Hilton International hotels at the Conference and Events department. She eventually moved on to work with Kaplan International Colleges in the marketing department. Later, she joined Polyglobe Group, and then Uniglobe within the travel sector, where she was involved in global exhibitions and events, account management and sales.

She has lived in Denmark, Nigeria, Switzerland, and currently lives in London. In her spare time, she enjoys traveling and learning new cultures. She is also part of the Soup Kitchen Muswell Hill, a charity organization involved in feeding the homeless.
Please join us in welcoming Sibah to the team.

Emily Berman
Events Director

As many of you are aware, the OWASP Foundation has a Meetup Pro account. We are requesting that all Chapters, Projects, Committees, and any other OWASP Meetup pages be transferred to the OWASP Foundation account.

OWASP Foundation will be the Organizer of the Group and all Leaders/Administrators will be Co-Organizers with the same edit rights.

Once the Meetup page is transferred to our account, the Foundation will be funding the cost of the Meetup page. If you do not want to continue being charged for your Meetup subscription account, you should then cancel it. Thereafter no Chapter, Project, etc. will be billed for Meetup. Going forward the Foundation will no longer approve any reimbursement requests for Meetup.

For instructions on how to move your Meetup group to the OWASP Foundation account please see https://www.owasp.org/index.php/OWASP_Meetup_Information

OWASP Members visit our website for $200 savings on Briefing passes for BlackHat USA 2019.

EVENTS

You may also be interested in one of our other affiliated events:

REGIONAL AND LOCAL EVENTS

Event	Date	Location
OWASP Auckland Training Day 2019	August 10, 2019	Auckland, New Zealand
OWASP security.ac.nc-Wellington Day 2019	August 24, 2019	Wellington , New Zealand
OWASP Portland Training Day	September 25, 2019	Portland, OR
OWASP Italy Day Udine 2019	September 27, 2019	Udine, Italy
OWASP Portland Day	October 16,2019	Wroclaw, Poland
BASC 2019 (Boston Application Security Conference)	October 19,2019	Burlington, MA
LASCON X	October 24-25,2019	Austin, TX
OWASP AppSec Day 2019	Oct 30 - Nov 1, 2019	Melbourne, Australia
German OWASP Day 2019	December 9-10, 2019	Karlsruhe, Germany

PARTNER AND PROMOTIONAL EVENTS

Event	Date	Location
BlackHat USA 2019	August 3-8,2019	Las Vegas, Nevada
DefCon 27	August 8-11,2019	Las Vegas, Nevada
it-sa-IT Security Expo and Congress	October 8-10, 2019	Germany

PROJECTS

Project Reviews from Global AppSec Tel Aviv 2019 are still being worked on. Thank you to the reviewers that helped with it. If you have time to help finalize the reviews, please contact me (harold.blankenship@owasp.com) and let me know.

We continue to push forward with Google Summer of Code. First and student evaluations are past and we are in our third work period. Final evaluations are due 19th August!

The Project Showcase at Global AppSec DC 2019 is shaping up to be a fantastic track. Please note the following schedule.

	Schedule
Time	Thursday, September 12
10:30	Secure Medical Device Deployment Standard	Christopher Frenz
11:30	Secure Coding Dojo	Paul Ionescu
1:00 p.m. Lunch Break
15:30	API Security Project	Erez Yalon
16:30	Defect Dojo	Matt Tesauro
Time	Friday, September 13
10:30	Dependency Check	Jeremy Long
11:30	SAMM	John Ellingsworth, Hardik Parekh
1:00 p.m. Lunch Break
15:30	SEDATED	Dennis Kennedy
16:30	<open>

New Release of ESAPI # 2.2.0.0:

On June 25, a new ESAPI release, the first in over 3 years, was uploaded to Maven Central. The release # is 2.2.0.0. The release includes over 100 closed GitHub Issues and over 2600 additional unit tests. For more details, see the release notes at:
https://github.com/ESAPI/esapi-java-legacy/blob/esapi-2.2.0.0/documentation/esapi4java-core-2.2.0.0-release-notes.txt

A special shout out to project co-leader Matt Seil, and major contributors Jeremiah Stacey and Dave Wichers for their ongoing invaluable assistance in this effort.
-- Kevin Wall, ESAPI project co-lead
OWASP ESAPI wiki page and the GitHub project page.

COMMUNITY

Welcome New OWASP Chapters

Indore, India
Panama City, Panama
Medellin, Colombia
Cartagena, Colombia
Aarhus, Denmark
Dhaka, Bangladesh
Edmonton, Canada
Lincoln, Nebraska
Sanaa, Yemen
Noida, India
Mumbai, India

MEMBERSHIP

We would like to welcome the following Premier and Contributor Corporate Members.

Contributor Corporate Members

Join us

Donate

Our mailing address is:
OWASP Foundation
1200-C Agora Drive, # 232
Bel Air, MD 21014

Unsubscribe

This email was sent to *|EMAIL|*
why did I get this? unsubscribe from this list update subscription preferences
*|LIST:ADDRESSLINE|*

Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it's important to look out for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack where manipulated SAML message is submitted in an attempt to make the endpoint validate the signed parts of the message -- which were correctly validated -- while processing a different attacker-generated part of the message as a way to extract the authentication statements. Because the attacker can arbitrarily forge SAML assertions which are accepted as valid by the vulnerable endpoint, the impact can be severe. [1,2,3]

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process, as the auditor needs to not only know the details of the various XSW techniques, but also must handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding onto each message. The latest revision of the XSW-Attacker module in our BurpSuite extension EsPReSSo helps to make this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release!

SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab. Select Signature Wrapping from the drop down menu, as shown in the screenshot below:

To simplify its use, the XSW-Attacker performs the attack in a two step process of initialization and execution, as reflected by its two tabs Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.

XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured in a way that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text-node you wish to replace in the Current value text-field. Insert the replacement value in the text-field labeled New value and click the Add button. Multiple values can be provided; however, all of which must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button - this will prepare the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text-area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The button Pretty print opens up a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool allows the sending of automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate when testing the XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab, clear all payload positions but the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.

While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since Burp Intruder deals with the encoding automatically and should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW Attacker's Init Attack tab.

Configure the payload as explained in the section above. In addition, a schema analyzer can be selected and checkboxes at the bottom of the window allow the tester to choose a specific encoding. However, for most cases the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize the successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table, if the response includes any of the configure grep rules.

Credits

EsPReSSO's XSW Attacker is based on the WS-Attacker [4] library by Christian Mainka and the original adoption for EsPReSSO has been implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Security Analysis of XAdES Validation in the CEF Digital Signature Services (DSS)
[4] WS-Attacker