Core Security Experts detail widespread web applications vulnerability at OWASP conference

Leading Vulnerability Researchers to Demonstrate Pervasive Cross-Site Scripting Issue

WASHINGTON, D.C. – Nov. 9, 2009 – Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, today announced that one of its industry-leading CoreLabs security researchers will serve as a featured presenter at the OWASP AppSec DC 2009 conference, being held at the Walter E. Washington Convention Center Nov. 10-13.

CoreLabs WebApps Exploit Writer Matias Blanco will demonstrate cutting-edge “User Input Piercing” exploitation techniques that allow cross-site scripting vulnerabilities in arbitrary web applications to be discovered and exploited automatically. In addition to presenting the algorithms and techniques behind the method, Blanco will present heuristics that determine whether a given cross-site scripting attack can be used to execute script code in a compromised browser, and an algorithm for handling potential encoding issues. CoreLabs WebApps Exploit Writer Federico Muttis co-authored the research.

Much as with CoreLabs’ highly acclaimed presentations at Black Hat USA 2009 and the CanSecWest Conference, which garnered significant interest from both the media and the larger vulnerability research community, Blanco’s presentation will break new ground in illustrating the readily available and exploitable nature of this serious security exposure affecting ubiquitous web application technologies. The CoreLabs expert will also demonstrate how, when combined with CORE IMPACT’s patented agent technology, this technique can be used to assess the impact of XSS vulnerabilities in an automated fashion.

What: “User Input Piercing for Cross-site Scripting Attacks”
When: Thursday, Nov. 12, 2009; 4:50 p.m. - 5:55 p.m. ET
Where: OWASP AppSec DC 2009, Walter E. Washington Convention Center
Who: Matias Blanco, Core Security Exploit Writer

Presentation Details:
Cross-site scripting, or XSS, represents one of the most widespread and available forms of potential web application exploitation on the Internet today, with attackers taking advantage of the opportunity on an increasingly regular basis.

Traditionally, XSS vulnerability fuzzing techniques have focused primarily on black-box analysis, using a static set of vectors and encodings to unearth exploitable flaws. Using a different approach that employs cookie reflection and encoding analysis to determine the information needed to exploit XSS vulnerabilities, CoreLabs will illustrate a dangerous new method that attackers could use to compromise many common web applications.
Topics covered in the User Input Piercing presentation will include:

  • User Input Piercing XSS analysis
  • Potential injection point discovery
  • XSS vectors (including remote)
  • XSS encoding detection
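An added example, not part of this press release and not Core Security's User Input Piercing code: a small Python harness for the "reflection and encoding analysis" step described above, written from the testing side. It builds a probe from a unique marker followed by the characters that matter for XSS, then reports, for every place the marker comes back in a response, whether each character was HTML-entity encoded, URL-encoded, JavaScript-escaped, reflected raw, or dropped. The marker, the probe and the sample responses are constructed here so the script runs offline; a real run would fetch the pages over HTTP and use a fresh random marker per request. Any character reported as raw is an output-encoding defect for the application owner to fix (the classifier does not say which HTML context the reflection landed in, so a reviewer still has to look at the surrounding markup).

```python
import html
import re
from urllib.parse import quote

# Constructed fixed marker for this example; in practice generate a random
# token per request so reflections cannot be confused with page content.
MARKER = "p1234abcd"
SPECIALS = '<>"\'&'            # characters that matter in the common output contexts
PROBE = MARKER + SPECIALS
WINDOW = 48                    # bytes after the marker to inspect (HTML entities need ~25)


def _forms(c):
    """Encoded spellings of one character, keyed by scheme, that count as neutralised."""
    html_forms = {html.escape(c, quote=True), f"&#{ord(c)};",
                  f"&#x{ord(c):x};", f"&#x{ord(c):X};"}
    if c == "'":
        html_forms.add("&apos;")
    return {
        "html-entity": html_forms,
        "url-encoded": {quote(c, safe=""), quote(c, safe="").lower()},
        "js-escaped": {f"\\x{ord(c):02x}", f"\\x{ord(c):02X}",
                       f"\\u{ord(c):04x}", "\\" + c},
    }


def _consume(rest, c):
    """Match one probe character at the head of `rest`; encoded forms are tried
    before the raw character so that '&amp;' is not mistaken for a raw '&'."""
    for scheme, forms in _forms(c).items():
        for form in forms:
            if rest.startswith(form):
                return scheme, rest[len(form):]
    if rest.startswith(c):
        return "raw", rest[1:]
    return "missing", rest     # stripped by a filter; keep looking for the next char


def classify_reflections(body, marker=MARKER):
    """One report per reflection: {special char -> scheme}."""
    reports = []
    for m in re.finditer(re.escape(marker), body):
        rest = body[m.end():m.end() + WINDOW]
        report = {}
        for c in SPECIALS:
            scheme, rest = _consume(rest, c)
            report[c] = scheme
        reports.append(report)
    return reports


def raw_reflections(body, marker=MARKER):
    """Characters that came back unencoded in at least one reflection."""
    return {c for r in classify_reflections(body, marker)
            for c, s in r.items() if s == "raw"}


# Constructed responses standing in for pages fetched during a test run.
SAMPLE_RESPONSES = {
    "encoded": f"<p>Results for {html.escape(PROBE, quote=True)}</p>",
    "raw": f"<p>Results for {PROBE}</p>",
    "in-href": f'<a href="/search?q={quote(PROBE)}">again</a>',
    "in-script": '<script>var q = "' + MARKER + r'\x3c\x3e\x22\x27\x26";</script>',
    "partial": f"<p>{MARKER}&lt;&gt;\"'&amp;</p>",   # angle brackets encoded, quotes not
    "absent": "<p>No results</p>",
}


def audit(responses=SAMPLE_RESPONSES):
    """Map each response name to the sorted list of characters reflected raw."""
    return {name: sorted(raw_reflections(body)) for name, body in responses.items()}


if __name__ == "__main__":
    for name, chars in audit().items():
        status = "OK" if not chars else "RAW " + "".join(chars)
        print(f"{name:10s} {status}")
```

The "partial" sample is the case worth keeping in a regression suite: a filter that encodes angle brackets but leaves quotes alone looks safe in an HTML body yet still breaks out of an attribute value, and a checker that only looks for `<` would miss it.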

The Open Web Application Security Project (OWASP) has grown to become the most influential online application security research organization in the world, and CoreLabs is honored to continue to contribute to its advancement, while being recognized for its own pioneering work in the field.

Organizations of every kind benefit from further illustration of the exploitable web application vulnerabilities that can leave their IT operations and electronic data at risk from targeted and sophisticated attacks by cybercriminals.

Core Security continues to feed the intelligence garnered via its CoreLabs research directly into its CORE IMPACT family of automated penetration testing solutions to ensure that organizations have access to security assessment products that allow them to determine their own exposure to such widely available vulnerabilities.

CoreLabs exploit writers Matias Blanco and Federico Muttis are credited as the original authors of the User Input Piercing research project, aided by colleagues Fernando Russ, Aureliano Calvo and Eduardo Arias.

For more information about the presentation or to schedule meetings with Core Security’s experts at OWASP AppSec DC 2009, please contact Tim Whitman or Lauren O’Leary at 781-684-0770 or via email at:  

About Core Security Technologies
Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at

Tim Whitman or Lauren O’Leary
Schwartz Communications 
781 684-0770

Mon, November 09