Den 25:e augusti genomförde OWASP Göteborg sitt första riktiga möte. Det blev en succé med över 50 deltagare. Jätteroligt tycker vi på OWASP Göteborg.

Nu är det dags för nästa möte och denna gång har vi lyckats få hit både Martin Holst Swende och Stefano Di Paola. Hela mötet hålls på engelska.

Alla är givetvis välkomna att registrera sig till mötet - det enda som krävs är att man är medlem i OWASP Sweden. Att bli medlem är enkelt och gratis - du behöver du bara gå med i mailinglistan.

Kvällens sponsor, Adecco, bjuder på enklare mat och dryck innan mötet och tillser att det finns möjlighet för en avslutande diskussion över en öl efter mötet.

The whole meeting is held in english.

Agenda

17.00 - 17.30 Startup migle with food and some drinks

We start 17.00 and our sponsor offer some food to eat.

17.30 - 17.45 Community update

A short presentation from the latest news in the community.

17.45 - 18.30 OWASP Hatkit (presented in english)

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications. The tools became Owasp projects in 2011.

18.30 - 18.45 Short break

18.45 - 19.45 DOMinator (presented in english)

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

[19.45 - 20.30 After event mingle]

Lets have a beer and talk security!