Unicode Transformations: Finding Elusive Vulnerabilities OWASP AppSecDC November 2009
Chris Weber [email protected] Casaba Security What’s this about?
• Visual spoofing and counterfeiting • Text transformation attacks
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber What will you learn?
• Why you should care about Visual Integrity… – Branding – Identity – Cloud Computing – URI’s!
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber What will you learn?
• Good techniques for finding bugs – Web-apps and clever XSS – Test cases for fuzzing
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber What about tools?
• Watcher – Microsoft SDL recommended tool – Passive Web-app testing for free – http://websecuritytool.codeplex.com/
• Unibomber – Deterministic auto-pwn XSS testing
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber Can you tell the difference?
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber How about now?
OWASP AppSecDC - November 2009 www.casabasecurity.com © 2009 Chris Weber The Transformers When good input turns bad