Check out the new USENIX Web site.
2005 USENIX Annual Technical Conference


Overview | By Day (Sunday, Monday, Tuesday, Wednesday, Thursday) |
All in One File | By Instructor
Thursday, April 14, 2005
R1 Hacking & Securing Web-based Applications

David Rhoades, Maven Security Consulting, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Is your Web application secure? CD Universe,, and others have found out the hard way: encryption and firewalls are not enough. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are incapable of locating security issues for Web-based applications.

With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application.

Students will learn:

  • The primary risks facing Web applications
  • Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking
  • Tools, techniques, and methodologies required to locate weaknesses
  • Recommendations for mitigating exposures found
  • Best practices for Web application security
Students will be shown several target Web applications. Some of these applications are real applications with known security issues. Others are mock applications designed by Maven Security to simulate real security issues. At each step, the instructor will demonstrate the tools needed and the required techniques. All software demonstrated will be publicly available freeware.

Topics include:

  • Foundational security
    • OS vulnerabilities
    • Web server security highlights
  • Web server and Web application output
    • HTTP headers
    • HTML and JavaScript
    • Encryption ciphers
    • Error messages
    • Caching
  • Authentication
    • Authentication: digital certificates; form-based; HTTP basic
    • Threats to authentication
  • Sign-on
    • User name harvesting
    • Brute-force password guessing
    • Password harvesting
    • Resource exhaustion
  • Session issues
    • Session tracking mechanisms
    • Session ID best practices
    • Session cloning
  • Transaction issues
    • Malicious user input
    • Hidden form elements
    • GET vs. POST
    • JavaScript filters
    • Improper application logic
    • Cross-site scripting (XSS)
  • Third-party products
  • Testing procedures
  • Methodology and safety

David Rhoades (R1) is a principal consultant with Maven Security Consulting, Inc. David Rhoades Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.

R2 Network Security Monitoring with Open Source Tools NEW!
Richard Bejtlich,
9:00 a.m.–5:00 p.m.

Who should attend: Engineers and analysts who detect and respond to security incidents. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful.

This tutorial will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to achieve network awareness. Whereas intrusion detection cares more about identifying successful and usually known attack methods, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

NSM theory will help participants understand the various sorts of data that must be collected. This tutorial will bring theory to life by introducing numerous open source tools for each category of NSM data. Attendees will be able to deploy these tools alongside existing commercial or open source systems to augment their network awareness and defensive posture.

Topics include:

  • NSM theory
  • Building and deploying NSM sensors
  • Accessing wired and wireless traffic
  • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
  • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
  • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
  • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
  • Sguil (
  • Case studies, personal war stories, and attendee participation
Material in the class is supported by the author's book The Tao of Network Security Monitoring: Beyond Intrusion Detection (Addison-Wesley, 2005;

Richard Bejtlich (R2) is technical director for specialized security monitoring in ManTech International Richard BejtlichCorporation's Computer Forensics and Intrusion Analysis division. He was previously a principal consultant at Foundstone, performing incident response, emergency network security monitoring, and security research. Prior to joining Foundstone in 2002, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. From 1998 to 2001 Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT's real time intrusion detection mission, supervising 60 civilian and military analysts. He is the author of The Tao of Network Security Monitoring: Beyond Intrusion Detection and the co-author of the forthcoming Real Digital Forensics, both published by Addison-Wesley. He also wrote original material for Hacking Exposed, 4th Edition, and Incident Response, 2nd Edition, both published by McGraw-Hill/Osborne. He acquired his CISSP certification in 2001 and CIFI credentials in 2004. His home page is and his popular Web log resides at

R3 Configuration Management with Cfengine NEW!
Mark Burgess, Oslo University College
9:00 a.m.–5:00 p.m.

Who should attend: System administrators with a basic knowledge of scripting who wish to get to grips with cfengine to automate the maintenance and security of their systems. UNIX administrators will be most at home in this tutorial, but cfengine can also be used on Windows 2000 and above. This tutorial works as a guide to the extensive documentation, focusing pragmatically on the key issues and filtering out details.

Cfengine is a tool for setting up and maintaining a configuration across a network of hosts. It is sometimes called a tool for "Computer Immunology"—your computer's own immune system. You can think of cfengine as a very high-level language, much higher-level than Perl or shell, together with a smart agent. The idea behind cfengine is to create a single "policy" or set of configuration files that describes the setup of every host on your network, without sacrificing their autonomy.

Cfengine runs on every host and makes sure that it is in a policy-conformant state; if necessary, any deviations from policy rules are fixed automatically. Unlike tools such as rdist, cfengine does not require hosts to open themselves to any central authority nor to subscribe to a fixed image of files. It is a modern tool, supporting state-of-the-art encryption and IPv6 transport, that can handle distribution and customization of system resources in huge networks (tens of thousands of hosts). Cfengine runs on hundreds of thousands of computers all over the world.

Topics include:

  • The components of cfengine and how they are used
  • How to get the system running
  • How to develop a suitable policy, step by step
  • Security
  • Organizing configuration files (updating and configuring)
  • Ordering issues in configuration management
  • Cfservd security and key deployment
  • Searching for data with filters
  • Special functions and arrays
  • Alerts and persistent classes
  • Multi-homed host issues
  • IPv6 issues
  • Methods and modules and when to use them
  • Host monitoring with FriendStatus
  • Anomaly detection and response with cfenvd
  • What is coming in cfengine?

Mark Burgess (R3) is a professor at Oslo University College and is the author of Mark Burgess cfengine. He has been researching the principles of network and system administration for over ten years and is the author of Principles of Network and System Administration (John Wiley & Sons). He is frequently invited to speak at conferences.


?Need help? Use our Contacts page.

Last changed: 31 March 2005 ch