
OWASP Gothenburg, April 14, 2011

Thursday, April 14, 2011 from 5:30 PM to 8:00 PM (GMT+0100)

Göteborg, Sweden

Ticket Information

Type                    End     Price
Member of OWASP Sweden  Ended   Free
Event Details

On April 14, OWASP Sweden hosts its first chapter meeting in Gothenburg. All members of OWASP Sweden are welcome, but we'd especially like to reach out to everyone in Gothenburg interested in application security – join us! The event will be held in English since we have guest speakers from abroad.


If you're not an OWASP Sweden member yet, just subscribe to the mailing list.

Omegapoint will sponsor refreshments before the seminar and beers afterwards – thanks! The Dept of Computer Science and Engineering at Chalmers is providing the venue. Don't miss the chance to mingle with the community.


Agenda

Nick Nikiforakis, Katholieke Universiteit Leuven: Abusing Locality in Shared Web Hosting

The increasing popularity of the World Wide Web has led more and more individuals and companies to identify the need for a Web presence. The most common way of acquiring such a presence is through Web hosting companies, and the most popular hosting solution is shared Web hosting.

In this talk we investigate the workings of shared Web hosting and we point out the potential lack of session isolation between domains hosted on the same physical server. We present two novel server-side attacks against session storage which target the logic of a Web application instead of specific logged-in users.

Due to the lack of isolation, an attacker with a domain under his control can force arbitrary sessions onto co-located Web applications as well as inspect and edit the contents of their existing active sessions. Using these techniques, an attacker can circumvent authentication mechanisms, elevate his privileges, steal private information and conduct attacks that would otherwise be impossible. Finally, we test the applicability of our attacks against common open-source software and evaluate their effectiveness in the presence of generic server-side countermeasures.


Andrei Sabelfeld, Chalmers University of Technology: Tracking Information Flow in Web Applications

This talk discusses a principled approach to web application security through tracking information flow in web applications. Although the agile nature of developments in web application technology makes web application security much of a moving target, we show that there are some fundamental challenges and tradeoffs that determine possibilities and limitations of automatically securing web applications. We address challenges related to mutual distrust on the policy side (as in web mashups) and tracking information flow in dynamic web programming languages (such as JavaScript) to provide a foundation for practical web application security.


Martin Johns, SAP Research: Biting the hand that serves you: A closer look at client-side Flash proxies for cross-domain requests

Client-side Flash proxies provide an interface for JavaScript applications to utilize Flash's cross-domain HTTP capabilities. However, the subtle differences in the respective implementations of the same-origin policy and the insufficient security architecture of the JavaScript-to-Flash bridge lead to potential security problems. In this talk, we comprehensively explore these problems, present a survey of five existing proxy implementations, and show how Flash proxies can be used to subvert the security of their hosting Web application. Furthermore, we propose techniques to avoid the identified security pitfalls and to overcome the untrustworthy interface between Flash and JavaScript.


John Wilander, Co-Leader OWASP Sweden: The Open Web Application Security Project

This talk will be a short introduction to OWASP, where the community is today, and where we're headed in the coming year – globally as well as within the Swedish chapter. Connected to this, we'll have a discussion on starting an OWASP Gothenburg chapter. We may well hold that discussion in Swedish.

When & Where

Scaniasalen, Chalmers
Teknologplatsen 2
412 58 Göteborg
Sweden

Thursday, April 14, 2011 from 5:30 PM to 8:00 PM (GMT+0100)