The Security-Zone is, as far as I know, the most important and biggest security event in Switzerland, and like last year I was there to present some stuff. Also like the last time, I wasn't alone: there were Pascal Mittner from Astalavista IT Engineering and Pascal C. Kocher from Defcon Switzerland (I'll write something about this very soon). It was the first time that there was a workshop at a Security-Zone, and so we were quite excited, but we also thought that this would be easy stuff. First, a 20min slot for each of us three to just talk, and afterwards about three hours of really presenting stuff and also letting people get some hands-on experience.

Unfortunately, the first part, about how to write an exploit for an FTP server, by Pascal C. Kocher, failed for a reason I still don't know. There were just a few lines of Perl code, but for some reason the final exploit didn't work. Also the last part, about using a security management system to identify and track risks on your systems, failed because the participants weren't able to test the virtual machines Pascal Mittner brought to the Security-Zone. Even there we're not sure what the problem was, but we think it could have been a problem with my switch or some crappy Ethernet cables.

Anyway, this means that my part was the only one that worked without any problems (thanks at this point to the FSM). I first presented a simple XSS, but not only the standard alert(123): I wanted to show the attending people that you can do much more, and so I decided to show a website defacement. Afterwards, I bypassed a login mechanism with a standard SQL injection, and last but not least I presented something which was quite complicated (a combination of XSS and CSRF), but I'll (hopefully) write another blog posting about this demo during the next days.
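The two basic demos mentioned above, the XSS that does more than alert(123) and the login bypass by a standard SQL injection, as an added example; this is not code from the original post or from the workshop, and the user table, the greeting page and the payloads are all constructed here for illustration. Each vulnerable function sits next to its fixed form so the same payload can be run against both. The XSS/CSRF combination the author defers to a later posting is not shown.

```python
import html
import sqlite3

# Constructed demo data; the workshop's actual targets are not on the page.
USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """In-memory SQLite database standing in for the demo application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the classic SQL injection target.
    Returns the matched username, or None when no row matches."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: user input is data, never SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """Hypothetical page that reflects a request parameter straight into its HTML."""
    return "<html><body><h1>Hello " + name + "</h1></body></html>"


def greeting_safe(name):
    """Same page with the parameter HTML-escaped before it is rendered."""
    return ("<html><body><h1>Hello " + html.escape(name, quote=True)
            + "</h1></body></html>")


# Password payload: closes the string and appends a tautology, so the WHERE clause
# becomes (username = 'anyone' AND password = '') OR '1'='1' and matches every row.
SQLI_PASSWORD = "' OR '1'='1"

# Instead of alert(123), the injected script replaces the whole page body.
DEFACEMENT_PAYLOAD = "<script>document.body.innerHTML='<h1>Defaced</h1>'</script>"


def demo():
    """Run both payloads against the vulnerable and the fixed variant."""
    conn = make_db()
    return {
        # Attacker logs in without knowing any username or password.
        "sqli_vulnerable": login_vulnerable(conn, "anyone", SQLI_PASSWORD),
        # The bound parameter is compared literally, so nothing matches.
        "sqli_safe": login_safe(conn, "anyone", SQLI_PASSWORD),
        # True when the <script> tag survives into the rendered HTML.
        "xss_vulnerable_executes": "<script>" in greeting_vulnerable(DEFACEMENT_PAYLOAD),
        "xss_safe_executes": "<script>" in greeting_safe(DEFACEMENT_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The escaped greeting is only a fix for this reflected case; an attribute or script context needs context-specific encoding, and the SQL fix relies on the driver binding parameters rather than interpolating them.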
For me it was good to see once more that many people are still interested in the basic stuff, and it makes me very happy when I get the chance, just like at the Security-Zone, to help people understand what web application security is about and why it's important.