Mario Heiderich – An Abusive Relationship with AngularJS – About the Security Adventures with the ”Super-Hero” Framework

Some voices claim that “Angular is what HTML would have been if it had been designed for building web applications”. While this statement may or may not be true, it certainly counts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly, the speaker here, from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude by deriving a general lesson learnt and hopefully agree that progress doesn’t invariably mean an enhancement.

Dr. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher”, is from Berlin and likes everything between lesser-than and greater-than. He leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees at various 5th-tier conferences with his hastily assembled PowerPoint slides and a lot of FUD.

Marie Moe: Unpatchable – Living with a Vulnerable Implanted Device

My life depends on the functioning of a medical device, a pacemaker that generates each and every beat of my heart. This computer inside of me may fail due to hardware and software issues, due to misconfigurations or network-connectivity.

Yes, you read that correctly. The pacemaker has a wireless interface for remote monitoring and I am forced to become a human part of the Internet of Things. As a seasoned security professional I am worried about my heart’s attack surface.

This talk will be focused on the problem that we have these life critical devices with vulnerabilities that can’t easily be patched without performing surgery on patients, my personal experience with being the host of such a device, and how the hacker community can proceed to work with the vendors to secure the devices.

Marie Moe (@MarieGMoe):
Marie Moe is passionate about incident handling and information sharing. She cares about public safety and securing systems that may impact human lives, which is why she has joined the grassroots organisation “I Am The Cavalry”. Marie is a research scientist at SINTEF ICT and has a Ph.D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at Gjøvik University College in Norway. Marie loves to break crypto protocols, but gets angry when it’s in her own body.

Martin Johns: Your Scripts in My Page – What Could Possibly Go Wrong?

When it comes to web security, there is the one policy to rule them all: the Same-origin Policy. Thanks to this policy, sites hosted on disjoint origins are nicely and cleanly separated, thus preventing the leakage of sensitive information into the hands of unauthorized parties. Unfortunately, HTML predates the Same-origin Policy and, thus, was not designed with the origin-based security model in mind. In consequence, HTML tags can freely reference cross-domain locations and include cross-domain content in their hosting web pages.

In this talk, we will present an attack, resulting from this circumstance, that has been widely overlooked in the past but affects a surprisingly high number of Web sites: Information leakage via cross-domain script inclusion.

Modern web sites frequently generate JavaScript on the fly via server-side scripting, incorporating personalized user data in the process. Thanks to HTML’s general ignorance of the Same-origin Policy, an attacker is able to include such dynamic scripts into web pages under his control using script tags pointing to the vulnerable site. This, in turn, allows him to learn many of the secrets contained in these scripts, through the script’s interaction with the page it is included in. In our experiments, we were able to obtain personal information such as the name and address of the logged-in user, leak CSRF tokens, read the user’s emails, and occasionally fully compromise the user’s account. All possible by simply including a script URL into one of our web pages.

To systematically investigate the issue, we conducted a study on its prevalence in a set of 150 top-ranked domains, in which we observed that a third of the examined sites utilize dynamic JavaScript. Using our attack techniques, we were able to leak sensitive data from more than 80% of these sites via remote script inclusion. In the talk we will present the study in general, and the most interesting cases in detail, showing the wide range of possible attack variations along with a bag of tricks for how the including page can be prepared to efficiently leak a script’s secrets. Furthermore, we present an efficient detection mechanism, in the form of a browser extension, as well as defensive measures that enable robust protection.
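To make the leak concrete from the defender’s side, here is an added example (not code from the talk or from any site it studied) of a server-side handler that generates per-user JavaScript in the leaky form the abstract describes, next to a hardened form that refuses cross-site loads, demands the session’s CSRF token, and answers with plain JSON instead of executable script. The session store, cookie and token values are constructed for the example.

```javascript
// Constructed session store: cookie value -> logged-in user and CSRF token.
const SESSIONS = {
  s3ss10n: { name: 'Alice Example', email: 'alice@example.test', csrf: 'tok-9f2c' },
};

// Look up the session named by the `sid` cookie, if any.
function sessionFor(headers) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(headers.cookie || '');
  return m ? SESSIONS[m[1]] : undefined;
}

// Constant-time string comparison so token checking does not leak via timing.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Leaky: browsers attach the victim's cookie to <script src=...> requests from
// ANY origin, so a page on another origin gets this script executed in its own
// context and can simply read the global `currentUser` it defines.
function userScriptLeaky(req) {
  const sess = sessionFor(req.headers);
  if (!sess) return { status: 401, contentType: 'text/plain', body: '' };
  const data = JSON.stringify({ name: sess.name, email: sess.email });
  return { status: 200, contentType: 'application/javascript',
           body: `var currentUser = ${data};` };
}

// Hardened: (1) reject requests the browser marks as cross-site via the
// Sec-Fetch-Site header, (2) require the session's CSRF token, which a page on
// another origin cannot know, and (3) return data as JSON rather than script,
// so a <script> tag cannot consume it even if (1) or (2) were misconfigured.
// Same-origin page code reads it with fetch() instead of a script tag.
function userDataHardened(req) {
  const sess = sessionFor(req.headers);
  if (!sess) return { status: 401, contentType: 'text/plain', body: '' };
  if (req.headers['sec-fetch-site'] === 'cross-site') {
    return { status: 403, contentType: 'text/plain', body: '' };
  }
  const token = new URL(req.url, 'https://site.example').searchParams.get('csrf') || '';
  if (!safeEqual(token, sess.csrf)) {
    return { status: 403, contentType: 'text/plain', body: '' };
  }
  return { status: 200, contentType: 'application/json',
           body: JSON.stringify({ name: sess.name, email: sess.email }) };
}
```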

Martin Johns (@datenkeller)
Dr. Martin Johns is a research expert in the Security and Trust group within SAP SE, where he leads the Web application security team. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies. He is a board member of the German OWASP chapter, holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin is a regular speaker at international security conferences, including Black Hat, the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.

Michele Orrù (@antisnatchor) – Dark FairyTales from a Phisherman Vol III

Phishing and client-side exploitation DevOps for all your needs. Combine BeEF, PhishingFrenzy and your fishy business to automate most of the usual phishing workflow while minimizing human interaction. Multiple real-life phishing engagements will be discussed, together with the shiny new BeEF Autorun Rule Engine.

Michele Orrù a.k.a. antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the “Browser Hacker’s Handbook.” He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (there is still hope!). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra AllStars, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, InsomniHack, PXE, BlackHat and more we just can’t disclose. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone while fishing on saltwater and praying for Kubrick’s resurrection.


OWASP Gothenburg’s animated intro

One way to raise the impression a video makes is to use logos and animations sparingly. If they are absent entirely, you get the feeling that someone just filmed something and threw it online. If they are overused, it feels as if you had surfed back in time and landed on someone’s crazy homepage with blink, MIDI sound, frames and god knows what. But used fairly sparingly, you get a bit of the feeling that they lift the production; it looks a little like a TV programme if a 2-3 second intro animation arrives at the same time as the audio starts.

So the animated OWASP GBG logo is meant to be used that way. It should only be on screen for a short moment; the idea is, for example, to fade out or cross over to whatever is to be shown next. An example of how it is meant to be used can be seen here:

To make an animation you need the graphics that go into it. In my case that is:

Then you have to make some sort of animation. I chose After Effects, which I barely know at all, but exactly what you do and how is not that important. After Effects is built around applying effects layer by layer, a bit like Premiere Pro or Photoshop. Then you keep changing things until you are satisfied. You get animation by letting values change over time. You absolutely don’t need to be an ace at After Effects to do something similar; I myself am fairly unaccustomed to AE.

(Screenshot: 1_all shown)

The bottom layers in my animation are the OWASP GBG layer, which is a completely static icon, and a white background that goes from invisible to visible around one second into the intro.

(Screenshot: 2_white solid transition)

Layer 4 is the most advanced layer; I play with Turbulent Displace and Radial Blur to give the layer an abstract and diffuse shape. I make it fall into the other logo by changing scale and opacity. To give a colourful effect, the Blending Mode is set to Vivid Light.

(Screenshot: 3_logo zoomin in 3)

Oddly enough I have a layer 3 that is more or less identical to layer 3. I don’t remember whether that was intentional or a copy-and-paste mistake, but I test it and see that the effect becomes stronger/nicer than when there is only one copy of the effect. (whatever works, works)

Layer 2 is a simple white background that is invisible but flashes just as the layer 3 & 4 animation disappears, so that you sort of get the feeling of a flash of lightning when the logo disappears into the other logo.


Layer 1 is very subtle and is barely visible when all the layers are in place. It is not even meant to be noticed. It has the subtle effect of a little shaped light (Vivid Light blend mode) playing randomly (evolution = wiggle(5,200)) over the logo. Without it, it feels like a static image; with it, it feels a little more alive. I hope most people will never see / notice that animation, but that it subconsciously raises their perception of the intro’s quality.


(Almost) Everything OWASP Won’t Teach You – Per Thorsheim

Per Thorsheim – OWASP has some wonderful guidelines on sending, storing and resetting passwords. However, there are still challenges that cannot be addressed through technical measures; they need to be addressed by humans, and not just developers. Through color and font selections, association elements, password managers, human pattern analysis and more, this talk will discuss what we are still doing wrong and the risks associated with bad passwords, and give some advice on what we need to do in order to improve our online security.

Per Thorsheim is the founder and main organizer of the Passwords conferences, a conference fully dedicated to passwords and PINs. He’s been working, examining, playing, dreaming and discussing passwords for more than 14 years, and is still going strong. He publicly disclosed the hacking of LinkedIn in June 2012, and has been interviewed and quoted around the world on his excessive interest in passwords. During daytime he tries to solve challenges for his customers through security awareness training and security advisory services. Some say he’s good at explaining advanced topics to regular humans. He is certified CISA, CISM and CISSP-ISSAP.

One Time Passwords – Klas Lindfors

One Time Password solution, February 18 2014, OWASP Gothenburg. One time passwords are being deployed by larger websites including Google, Facebook, GitHub, LinkedIn etc., but they have their ups and downs. What type of OTP should you use: the YubiKey OTP, OATH HOTP, or OATH TOTP? How would you validate the OTP: by building your own server and protecting the secrets, or by relying on a cloud service like Yubico’s YubiCloud or VeriSign VIP? The talk will also cover the future of two-factor authentication with the FIDO Universal 2nd Factor (U2F) protocol.
Klas Lindfors is a software developer at Yubico, working with one time passwords at all layers: firmware, personalization and validation.

Säkerhetspodcasten – Interview Episode #4 – John Wilander

The podcast gang and I interview John Wilander in his last hours in the spotlight for a while to come. With very varied experience within application security, and with a very strong focus on building applications (and getting them secure), John represents something that in Sweden (and internationally too) is very unusual.

10-20 years from now, people will look back at our time and note how irresponsible it was that we did not massively profile many developers with this competence.

Säkerhetspodcasten Interview Episode #4 – John Wilander!




This is the fourth interview episode of Säkerhetspodcasten, in which the panel interviews John Wilander, co-leader of OWASP Stockholm and holder of a PhD in computer science. Follow John at @johnwilander!

Recorded: 2013-05-03. Length: 00:40:53.

Säkerhetspodcasten – Interview Episode #3 – Mario Heiderich

My friends and I interview the JavaScript/XSS guru .mario after OWASP Gothenburg’s event. Säkerhetspodcasten Interview Episode #3!




This is the third interview episode of Säkerhetspodcasten, in which the panel interviews Mario Heiderich, a security researcher and pentester who, among other things, is behind mXSS and many other client-side vulnerabilities. Follow .mario at @0x6D6172696F.

Recorded: 2013-05-16. Length: 00:29:24.