A recap of the 2nd OWASP conference

Type threatpost
Reporter Christian Heinrich
Modified 2013-05-03T18:05:39


The second Open Web Application Security Project (OWASP) Conference held on the Gold Coast is regarded as the leading Web Application Security conference within the Asia Pacific region attracting both Australian and overseas speakers and attendees.

The conference continued its community atmosphere with open discussions and sharing of ideas on Web Application Security during the various social events each night including a gala dinner.

Related Posts

Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications

September 2, 2015 , 2:21 pm

Google Patches Clickjacking Bug

May 4, 2015 , 1:13 pm

OWASP Releases Latest App Sec Guide

September 18, 2014 , 2:24 pm


The keynote delivered by Roger Thornton provided a historical timeline from when companies relied on a firewall to protect their insecure mail servers and web servers to the state of the art today where security is incorporated during the development of these server applications and their associated clients.

Andrew van der Stock, who is the major contributor to the OWASP Developer Guide and widely known OWASP Top Ten, argued that incorporating application security testing during development resulted in more vulnerabilities being removed from the software prior to shipping then conducting penetration testing once the software is developed.

Brett Moore demonstrated various OWASP Top Ten Vulnerabilities in a number of decoy web sites with the appearance of New Zealand security entities.

Sumit Siddharth demonstrated his “bsqlbf” tool to exploit Blind SQL Injection vulnerabilities and concluded with an SQL Injection within Oracle to leverage a Web Proxy to exploit another SQL Injection within Microsoft SQL Server on the same network.


Adi Sharabani demonstrated active Man in the Middle (MitM) scenarios to attack web applications with “Surf Jacking” and “Sidejacking” once the password has finished transmitting over a secure connection and then reverted back to sending application communication in the clear during his keynote.

Alex Kouzemtchenko exploited the Cross Site Scripting (XSS) Filter in Internet Explorer 8 to obtain Cookies, including authentication Cookies used in Cross Site Request Forgery (CSRF).

Pravir Chandra, leader of the OWASP “CLASP” Project, presented the free Software Assurance Maturity Model (SAMM) which provides a well-defined way for organizations to iteratively improve security in software development.


In keeping with the sprit of openness fostered within the OWASP community, the slides and their associated video of each presentation are available online.

Overall, the conference provided the best value for money over any other security conference held on the Gold Coast in which to learn the state of the art from speakers and socialize with other attendees.

* Christian Heinrich is the OWASP “Google Hacking” project lead.