
OWASP AppSec EU 2015: my Three Favourite Talks

Two weeks ago we visited the OWASP AppSec Europe 2015 conference. The conference is intended for security developers and penetration testers who want to pick up new, high-quality knowledge. Since it also includes research talks, in my opinion it is well suited for security researchers working in academia, too. So I am excited to present my three favourite talks from the conference. *

I have to explicitly mention that I really enjoyed all the talks I attended, not only the ones summarized here.

Disclaimer: On the first day I attended only the HackPra talks. This is because our institute organizes HackPra (http://nds.rub.de/teaching/hackpra/), our company (www.3curity.de) partially supported the event...and there was free beer from GData.

Mario Heiderich: Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS

My first favourite talk was given by Mario (heart-breaker, bon vivant and security researcher from Berlin; see here for more superfluous descriptions: http://owaspappseceurope2015.sched.org/speaker/mario_heiderich.1tmieewz). People who have already met Mario probably know that he always presents some crazy XSS stuff. This was also the case at AppSec.

In his talk, Mario showed what can go wrong when you copy text from a rich text editor or an office document and paste it directly into your browser, for example into your Gmail client. The clipboard carries the copied content in several formats at once (plain text, HTML and application-specific ones), and the receiving application picks the richest one it understands. So the browser gets not only the text but also accepts the additional style descriptions and elements that travel with it. These styles are usually expressed in some parsable language, e.g. XML.

One example is Open Office, which stores its styles in a styles.xml document:

If we copy text from such an Open Office document into the browser, the browser also receives the above styles.xml content...and tries to parse it. With this new approach Mario managed to break several applications and abuse several rich text editors. See his slides for more information: http://www.slideshare.net/x00mario/copypest
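The scenario above, as an added example that is not from the talk, the slides or this post: what a web editor's paste handler actually receives from the clipboard, and the difference between parsing the rich `text/html` flavour and inserting only the plain text. The clipboard payload is constructed for the demo, and the `#editor` element id and all function names are assumptions made here.

```javascript
// Added example, not from the talk or the slides. Shows how a web editor's
// paste handler sees clipboard flavours and why trusting text/html is risky.

// Constructed sample of what a rich-text application might place on the
// clipboard: a <style> element (the styles.xml-like part), inline styles,
// an attribute that runs script once the markup is assigned to innerHTML,
// and a javascript: URL. Assumed data, not captured from a real application.
const SAMPLE_CLIPBOARD = {
  "text/plain": "Quarterly numbers",
  "text/html":
    "<html><head><style>p{color:red}</style></head><body>" +
    '<p style="font-weight:bold">Quarterly numbers</p>' +
    '<img src="x" onerror="alert(document.domain)">' +
    '<a href="javascript:alert(1)">link</a>' +
    "</body></html>",
};

// Audit helper: lists constructs in pasted HTML that the browser would act
// on. It walks tags with a regex, which is fine for auditing well-formed
// markup but is NOT a sanitizer and must not be used as one.
function auditPastedHtml(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (name === "script" || name === "style") {
      findings.push({ tag: name, reason: "active element" });
    }
    const attrRe = /([a-zA-Z_:][\w:.-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2].replace(/^["']|["']$/g, "");
      if (attrName.startsWith("on")) {
        findings.push({ tag: name, attr: attrName, reason: "event handler" });
      } else if (/^\s*javascript:/i.test(value)) {
        findings.push({ tag: name, attr: attrName, reason: "javascript: URL" });
      }
    }
  }
  return findings;
}

// Vulnerable pattern: the editor takes the richest flavour and lets the
// browser parse it, so styles, event handlers and URLs from the source
// application all become live in the page.
function insertPasteUnsafe(clipboard, editor) {
  editor.innerHTML = clipboard["text/html"] || "";
  return editor.innerHTML;
}

// Hardened pattern: use only the plain-text flavour and insert it as text,
// so nothing the source application attached is ever parsed as markup.
function insertPasteSafe(clipboard, editor) {
  const text = clipboard["text/plain"] || "";
  editor.textContent = text;
  return text;
}

// Browser wiring (skipped under Node): intercept the paste event, collect
// every clipboard flavour, audit the HTML one and insert only the text.
if (typeof document !== "undefined") {
  const editor = document.querySelector("#editor"); // assumed element id
  editor.addEventListener("paste", (event) => {
    event.preventDefault();
    const clipboard = {};
    for (const type of event.clipboardData.types) {
      clipboard[type] = event.clipboardData.getData(type);
    }
    console.log(auditPastedHtml(clipboard["text/html"] || ""));
    insertPasteSafe(clipboard, editor);
  });
}
```

Run under Node, `auditPastedHtml(SAMPLE_CLIPBOARD["text/html"])` reports the `<style>` element, the `onerror` handler and the `javascript:` URL, which is exactly what `insertPasteUnsafe` would hand to the HTML parser. If a product genuinely needs rich paste, the `text/html` flavour has to go through a real allowlist-based HTML sanitizer (for example DOMPurify) before insertion; the regex audit above only makes the problem visible.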

By the way, in his research Mario cooperated a few times with a famous musician, who is also depicted on his slides (just do not be confused when you see him).