Welcome to OWASP AppSec 2018 USA; we look forward to seeing you in San Jose, CA


Regency Ballroom 1
Thursday, October 11


Identity Theft: Attacks on SSO Systems
SAML is often the trust anchor for Single Sign-On (SSO) in most modern-day organizations. This presentation will discuss a newly discovered vulnerability which has affected multiple independent SAML implementations and, more generally, can affect any system reliant on the security of XML signatures. The issues found through this research affected multiple libraries, which in turn may underpin many SSO systems.

The root cause of this issue is the way various SAML implementations traverse the XML DOM after validating signatures. These vulnerabilities allow an attacker to tamper with signed XML documents, modifying attributes such as the authenticating user, without invalidating the signatures over these attributes. In many cases, this allows an attacker with authenticated access to a SAML Identity Provider to access services as an entirely different user, and more easily than you'd expect.

This talk will also discuss another demonstrated class of vulnerabilities in user directories that amplify the impact of the previously mentioned vulnerability, and in some cases, can enable authentication bypasses on their own.


Kelby Ludwig

Principal AppSec Engineer, Duo

Thursday October 11, 2018 11:45am - 12:20pm
Regency 1
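The following is an added illustration of the mechanism the abstract above describes; it is editorial example code, not Duo's or the speaker's. An XML-DSig signature covers the canonicalized form of the signed element, and the exclusive canonicalization SAML uses discards XML comments. A service provider that validates the signature and then walks the DOM reading only the first text child of NameID therefore acts on a different identity than the one the IdP signed. The comment-splitting case is the one Duo published for these bugs. To stay self-contained the snippet stands in an HMAC over the canonical bytes for real XML-DSig, uses a constructed key, and uses a stripped-down, un-namespaced assertion; everything named below is an assumption of the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed demo secret standing in for the IdP's signing key. Real XML-DSig
# uses an asymmetric key plus a digest/reference structure; what matters here is
# that the bytes signed are the canonicalized element, and exclusive C14N as
# used by SAML drops comments.
IDP_KEY = b"constructed-demo-signing-key"


def canonicalize(xml_text):
    """Canonical form the signature covers: comments are discarded."""
    return ET.canonicalize(xml_text, with_comments=False).encode()


def idp_sign(xml_text):
    """Stand-in for the IdP signature: HMAC over the canonical bytes."""
    return hmac.new(IDP_KEY, canonicalize(xml_text), hashlib.sha256).hexdigest()


def sp_verify(xml_text, signature):
    """Service-provider check: recompute over the canonical form and compare."""
    return hmac.compare_digest(idp_sign(xml_text), signature)


def _nameid(xml_text):
    return minidom.parseString(xml_text).getElementsByTagName("NameID")[0]


def nameid_first_text_node(xml_text):
    """Vulnerable extraction: walks the DOM and returns only the first text child,
    so a comment placed inside the value truncates what the SP sees."""
    for child in _nameid(xml_text).childNodes:
        if child.nodeType == child.TEXT_NODE:
            return child.data
    return ""


def nameid_all_text(xml_text):
    """Hardened extraction: concatenates every text child, so the value the SP
    acts on is the value the signature was computed over."""
    return "".join(
        c.data for c in _nameid(xml_text).childNodes if c.nodeType == c.TEXT_NODE
    )


def nameid_reject_mixed(xml_text):
    """Stricter still: refuse any NameID that is not exactly one text node."""
    node = _nameid(xml_text)
    if len(node.childNodes) != 1 or node.childNodes[0].nodeType != node.TEXT_NODE:
        raise ValueError("NameID must contain exactly one text node")
    return node.childNodes[0].data


# Constructed assertion: the attacker legitimately holds the IdP account
# "user@example.com.evil.com" and receives this signed NameID from the IdP.
SIGNED = (
    "<Assertion><Subject><NameID>user@example.com.evil.com</NameID>"
    "</Subject></Assertion>"
)
SIGNATURE = idp_sign(SIGNED)

# Before forwarding the assertion to the SP, the attacker splits the text node
# with an empty comment. Canonicalization drops the comment, so the signature
# still verifies, but a first-text-node DOM walk now yields "user@example.com".
TAMPERED = (
    "<Assertion><Subject><NameID>user@example.com<!---->.evil.com</NameID>"
    "</Subject></Assertion>"
)


def demo():
    """Returns what each extraction strategy sees on the tampered assertion."""
    return {
        "tampered_signature_valid": sp_verify(TAMPERED, SIGNATURE),
        "vulnerable_sees": nameid_first_text_node(TAMPERED),
        "hardened_sees": nameid_all_text(TAMPERED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check for a library you depend on is the second half of this: hand it a NameID (or any attribute value it uses for authorization) with a comment spliced into the text and confirm that the value it returns after signature validation equals the value the canonical form contains, or that it rejects the document outright.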


Defense in depth with semantic static analysis
Facebook employs a defense-in-depth approach to product security; we use a range of preventative and detection-based approaches to help ensure that our Hack/PHP codebase and its myriad backend services behave as intended. In this context, ‘preventative’ might refer to secure-by-default libraries for doing privacy-aware data fetching. ‘Detection’ might refer to the manual review by a security engineer, automated static analysis before the code is employed in production, runtime detection (e.g. Invariant Detector), or our bug bounty program.

In this talk, I will discuss a static analyzer that we built to surface potential security and privacy issues in the facebook.com codebase. We have developed a bottom-up, inter-procedural, abstract interpreter that focuses on security issues that are difficult to prevent using the type system (i.e., Hack) or secure libraries and frameworks. We designed the tool based on guidance from Facebook’s security engineering teams. When a new class of vulnerabilities is discovered, we evaluate whether it is amenable to static analysis. If that is the case, we prototype the new rule, refine it based on feedback from security engineers, and then evaluate the rule against the whole codebase. In some cases, we are able to generate a patch automatically. Concurrently, we run this tool on every code change, thus preventing the reintroduction of this type of issue.

I will also describe some of the advances in the static analysis that enable the tool to scale to thousands of changes per day in a codebase that measures tens of millions of lines of code with a very low ratio of false positives. 


Francesco Logozzo

Software Engineer, Facebook
I am a static analysis junkie. I wrote static analyzers for Facebook and Microsoft, published academic papers full of Greek symbols, and gave keynote speeches at major conferences. I am also a theoretical and experimental cyclist.

Thursday October 11, 2018 3:30pm - 4:05pm
Regency 1
Friday, October 12


Better Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Mirosh presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability. This allows developers to properly prioritize remediation and weigh the tradeoff of potential exploits against refactoring an application's entire RPC mechanism. In this talk I will also present a FOSS toolkit developed to utilize this methodology, which has already been used to evaluate deserialization vulnerabilities in both internal applications and open source projects.


Ian Haken

Senior Security Software Engineer, Netflix
I'm a senior security software engineer at Netflix where I work on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, I spent two years as a security researcher at Coverity where I developed defensive application security...

Friday October 12, 2018 10:15am - 10:50am
Regency 1