OWASP Netherlands Chapter Meeting, 12 Oktober 2017

OWASP Foundation is a professional association of global members and is open to anyone interested in learning more about application security. Local chapters are run independently and governed by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association.

OWASP Netherlands Chapter

<P>OWASP Netherlands Chapter Meeting October 12th, 2017</P>
<P>https://www.owasp.org/index.php/Netherlands_October_12th,_2016</P>
<H2><SPAN CLASS="mw-headline">Programme</SPAN></H2>
<UL>
<LI>18:00 - 19:00 Registration &amp; Pizzas</LI>
<LI>19:00 - 19:15 Welcome &amp; OWASP update</LI>
<LI>19:15 - 20:00 <A STYLE="color: #0b0080; background-image: none;" TITLE="Netherlands October 12th, 2016" HREF="https://www.owasp.org/index.php/Netherlands_October_12th,_2016#Playing_in_the_Sandbox:_Bypassing_Adobe_Flash_Input_Validation" DATA-MSYS-CLICKTRACK="0" REL="nofollow noopener noreferrer">Playing in the Sandbox: Bypassing Adobe Flash Input Validation</A> by <A STYLE="text-decoration: none; color: #0b0080; background-image: none; background-position: initial initial; background-repeat: initial initial;" TITLE="Netherlands October 12th, 2016" HREF="https://www.owasp.org/index.php/Netherlands_October_12th,_2016#Bj.C3.B6rn_Ruytenberg" DATA-MSYS-CLICKTRACK="0" REL="nofollow noopener noreferrer">Björn Ruytenberg</A></LI>
<LI>20:00 - 20:15 Break</LI>
<LI>20:15 - 21:00 <A STYLE="text-decoration: none; color: #0b0080; background-image: none; background-position: initial initial; background-repeat: initial initial;" TITLE="Netherlands October 12th, 2016" HREF="https://www.owasp.org/index.php/Netherlands_October_12th,_2016#How_to_rob_a_bank" DATA-MSYS-CLICKTRACK="0" REL="nofollow noopener noreferrer">How to rob a bank</A> by <A STYLE="text-decoration: none; color: #0b0080; background-image: none; background-position: initial initial; background-repeat: initial initial;" TITLE="Netherlands October 12th, 2016" HREF="https://www.owasp.org/index.php/Netherlands_October_12th,_2016#Pieter_Ceelen" DATA-MSYS-CLICKTRACK="0" REL="nofollow noopener noreferrer">Pieter Ceelen</A></LI>
<LI>21:00 - 21:30 Networking</LI>
</UL>
<H2><SPAN CLASS="mw-headline">Presentations</SPAN></H2>
<H3 STYLE="background-image: none; margin: 0.3em 0px 0px; overflow: hidden; padding-top: 0.5em; padding-bottom: 0px; border-bottom-style: none; font-size: 1.2em; line-height: 1.6; font-family: sans-serif;"><SPAN ID="Playing_in_the_Sandbox:_Bypassing_Adobe_Flash_Input_Validation" CLASS="mw-headline">Playing in the Sandbox: Bypassing Adobe Flash Input Validation</SPAN></H3>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">Sandboxing is a popular technique used by vendors to minimize damages that applications might potentially inflict on a system. Dictated by so-called sandbox policies, legitimate and malicious code alike are restricted in their trust boundaries, preventing unauthorized actions.</P>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">Input validation plays an important role in enforcing sandbox policies. With input validation, context often matters: given some policy set, some input may be allowed, while the same input may be invalid given another. File paths are a notable example. In Adobe Flash Player, the "remote" sandbox prohibits local file system access but enables remote connections, while the "local-with-filesystem" sandbox enables the opposite use case.</P>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">While being a seemingly simple input format, validating file paths becomes increasingly complicated when considering the entire picture. With Flash constituting the intermediate glue between operating systems and a range of host environments - web browsers, Microsoft Office, PDF readers - one has a diverse landscape of path schemes to consider. This leads to challenges in proper input validation, and as it turns out, subtle but unforgiving mistakes.</P>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;"><B>This talk examines two sandbox escape vulnerabilities I have recently found in Adobe Flash.</B></P>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">Tracked as CVE-2016-4271, the first vulnerability details a local sandbox escape through bypassing input validation, enabling to exfiltrate local data and obtain Windows user credentials. The second vulnerability, dubbed CVE-2017-3085, extends the vulnerability to include a remote sandbox escape, showing by extension that Adobe's patch for the first vulnerability incompletely solved the issue. In analyzing these vulnerabilities, we review the underlying causes that rendered them possible: arbitrary definitions of what constitutes "remote" and "local", insufficient input validation schemes, and unmitigated platform-specific vulnerabilities. Finally, in light of recent efforts to deprecate Adobe Flash, we also discuss how Flash will remain important in the short and long term - as an attack vector, and as an object of study.</P>
<H3 STYLE="background-image: none; margin: 0.3em 0px 0px; overflow: hidden; padding-top: 0.5em; padding-bottom: 0px; border-bottom-style: none; font-size: 1.2em; line-height: 1.6; font-family: sans-serif;"><SPAN ID="How_to_rob_a_bank" CLASS="mw-headline">How to rob a bank</SPAN></H3>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">We are going to digitally rob a bank. Not for profit, but as a friendly match against the security team of this bank. We believe that only perfect practice makes perfect: by simulating an attack as realistically as possible, an organisation is optimally prepared for real incidents. Expect a very practical presentation about modern hacker techniques combined with lessons learned from security teams in defending against targeted attacks.</P>
<H2><SPAN CLASS="mw-headline">Speakers</SPAN></H2>
<H3 STYLE="background-image: none; margin: 0.3em 0px 0px; overflow: hidden; padding-top: 0.5em; padding-bottom: 0px; border-bottom-style: none; font-size: 1.2em; line-height: 1.6; font-family: sans-serif;"><SPAN ID="Bj.C3.B6rn_Ruytenberg" CLASS="mw-headline">Björn Ruytenberg</SPAN></H3>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">Björn Ruytenberg is an Information Security student at Eindhoven University of Technology and Radboud University. Being a technology enthusiast, he has graduated in the field of Electrical Engineering, and cum laude in the field of Computer Science. His special interests include hardware and software security, in particular when the case at hand stretches across the former disciplines. Aside from his work as a software developer, he is an active participant in bug bounty programs.</P>
<H3 STYLE="background-image: none; margin: 0.3em 0px 0px; overflow: hidden; padding-top: 0.5em; padding-bottom: 0px; border-bottom-style: none; font-size: 1.2em; line-height: 1.6; font-family: sans-serif;"><SPAN ID="Pieter_Ceelen" CLASS="mw-headline">Pieter Ceelen</SPAN></H3>
<P STYLE="margin: 0.5em 0px; line-height: inherit; color: #252525; font-family: sans-serif; font-size: 14px;">Pieter’s first ‘hack’ was adjusting the sprites in Space Invaders on his MSX and claiming that the aliens now looked like his little sister. 15 Years later he later turned his hobby into profession at KPMG, hacking and advising multinational companies (instead of Space Invaders). In 2016, together with three other experts, Pieter founded Outflank: a company specialised in red teaming and attack simulations. Besides being a very experienced hacker and pentester, Pieter brings years of incident response, forensics and threat intelligence knowledge to the table. This allows him to tune his attacks and use the tools and techniques employed by real attackers in red teaming and attack simulations.</P>
<H2>Location</H2>
<P>Beta-faculty Huygensgebouw<BR> Heyendaalseweg 135, 6525 AJ Nijmegen<BR> Parkeergarage P11</P>
<H2>Sponsors</H2>
<P>The OWASP Netherlands Chapter is sponsored by:</P>
<P><IMG ALT="200x60 netsparker logo.png" SRC="https://www.owasp.org/images/8/88/200x60_netsparker_logo.png" HEIGHT="75" WIDTH="250"><IMG ALT="VeraCode logo.png" SRC="https://www.owasp.org/images/3/34/VeraCode_logo.png" HEIGHT="39" WIDTH="250"><IMG ALT="Vest.jpg" SRC="https://www.owasp.org/images/6/67/Vest.jpg" HEIGHT="101" WIDTH="250"><IMG ALT="Intigriti verticaal.jpg" SRC="https://www.owasp.org/images/5/54/Intigriti_verticaal.jpg" HEIGHT="71" WIDTH="250"><IMG ALT="Ecurify-2016.png" SRC="https://www.owasp.org/images/9/92/Ecurify-2016.png" HEIGHT="69" WIDTH="250"><IMG ALT="HPE logo 250.png" SRC="https://www.owasp.org/images/e/e3/HPE_logo_250.png" HEIGHT="105" WIDTH="250"><IMG ALT="Logo Informatiebeveiliging-200.png" SRC="https://www.owasp.org/images/thumb/9/9a/Logo_Informatiebeveiliging-200.png/250px-Logo_Informatiebeveiliging-200.png" HEIGHT="44" WIDTH="250"><IMG ALT="Nixu-logo.png" SRC="https://www.owasp.org/images/5/50/Nixu-logo.png" HEIGHT="106" WIDTH="250"><IMG ALT="Logo xebia.jpg" SRC="https://www.owasp.org/images/f/f9/Logo_xebia.jpg" HEIGHT="82" WIDTH="250"></P>

Radboud Universiteit Nijmegen

Onze {communityGuidelinesLink} beschrijven wat voor content verboden is op Eventbrite. Als je denkt dat een evenement deze schendt, meld dit dan aan ons, zodat wij het kunnen onderzoeken.

Om andere categorieën van verboden of illegale content te rapporteren, verzend je {link}

OWASP Netherlands Chapter Meeting, 12 Oktober 2017

Meer evenementen van OWASP Netherlands Chapter

Ontdek meer evenementen van OWASP Netherlands Chapter, van Wetenschap en tech tot andere ervaringen die je misschien leuk vindt.

Nog op zoek naar het juiste evenement?

Ontdek alle evenementen in Nijmegen en filter op datum, categorie en meer om de perfecte match te vinden.

OWASP Netherlands Chapter Meeting, 12 Oktober 2017

Meer evenementen van OWASP Netherlands Chapter

Ontdek meer evenementen van OWASP Netherlands Chapter, van Wetenschap en tech tot andere ervaringen die je misschien leuk vindt.

Meer Wetenschap en tech evenementen

Blader door meer Wetenschap en tech-evenementen met verschillende datums, prijzen en formats om je volgende geweldige ervaring te vinden.

Nog op zoek naar het juiste evenement?

Ontdek alle evenementen in Nijmegen en filter op datum, categorie en meer om de perfecte match te vinden.