OWASP Chapter Meeting

New Relic
111 SW 5th Avenue, Suite 2700
Portland, Oregon 97204, United States (map)
Public WiFi

Access Notes

Check in at the security desk to get access to the 27th floor. This usually isn't required for official events and meetups.
Tim Morgan will be presenting: What You Didn't Know About XML External Entities Attacks

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite having been publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.
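The file-theft primitive the abstract mentions comes down to a parser that honours an external general entity declared in an inline DTD. The example below is added here for illustration and is not material from the talk or from the speaker: it builds a deliberately vulnerable parser on Python's xml.parsers.expat that fetches file:// entities, runs a constructed XXE payload against a constructed secret file, and then shows the usual mitigation, a parser that rejects any DOCTYPE before a DTD can be processed. The file contents, element names and the DTDForbidden exception are all assumptions made for the example.

```python
import os
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse
from urllib.request import url2pathname


class DTDForbidden(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen (hypothetical name)."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_naive(xml_bytes: bytes) -> str:
    """Deliberately vulnerable: resolves external entities by reading file:// targets,
    the way many XML libraries did by default. Returns the document's text content."""
    p = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(p)

    def resolve_external(context, base, system_id, public_id):
        # Turn file:///path into a local path and splice the file into the
        # document as if it were ordinary character data: the XXE leak.
        path = url2pathname(urlparse(system_id).path)
        with open(path, "rb") as fh:
            sub = p.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = chunks.append
            sub.Parse(fh.read(), True)
        return 1  # non-zero tells expat the entity was handled

    p.ExternalEntityRefHandler = resolve_external
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same text extraction, but any DOCTYPE aborts the parse. Refusing DTDs
    outright removes external entities, entity-expansion DoS and parameter
    entity tricks in one step, which is what most XXE guidance recommends."""
    p = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(p)

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {doctype_name!r} rejected: DTDs are disabled")

    p.StartDoctypeDeclHandler = forbid_doctype
    # Defence in depth: even if a DTD slipped through, never fetch anything.
    # Returning 0 makes expat abort with an ExpatError.
    p.ExternalEntityRefHandler = lambda *args: 0
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Create a constructed secret file, aim an XXE payload at it, and run the
    payload through both parsers. Returns what each parser produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=hunter2")  # constructed sample secret
        secret_path = fh.name
    try:
        # Constructed payload: the entity's replacement text is the target file.
        payload = f"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file://{secret_path}">
]>
<order><note>&xxe;</note></order>""".encode()

        leaked = parse_naive(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except DTDForbidden as exc:
            blocked = str(exc)
        clean = parse_hardened(b"<order><note>hello</note></order>")
        return {"leaked": leaked, "blocked": blocked, "clean": clean}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive parser is the "before" picture: the text of `<note>` becomes the contents of whatever file the attacker names. The hardened parser shows why disabling DTDs is the preferred fix rather than filtering individual entity names: the DOCTYPE handler fires before any entity declaration is processed, so there is nothing left for the attacker to reach, and ordinary DTD-free documents still parse normally.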

Tim Morgan is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software, including IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit. Tim regularly speaks and delivers technical training courses; his next, on cryptography for developers, will be at AppSecUSA 2014.

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. To receive notes from future meetings and to discuss security topics with local gurus, join the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.