Dan Amodio

Annapolis, Maryland, United States
About

I have worked on Information Security with some of the largest organizations across the…

Publications

  • Mobile Applications & Proxy Shenanigans (AppSec USA 2012)

    Aspect Security

    With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks which introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward and every application presents its own, unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.

    Slides: https://www.aspectsecurity.com/uploads/downloads/2012/10/2012-Mobile_Applications_and_Proxy_Shenanigans.pdf
    Video: http://vimeo.com/54227158

  • Remote Code With Expression Language Injection, Discovering a Spring Framework Vulnerability

    Aspect Security

    In 2011, Stefano Di Paola of Minded Security and Arshan Dabirsiaghi from Aspect Security discovered an interesting pattern in the Spring Framework, which Stefano coined Expression Language (EL) Injection. Their discovery revealed that certain Spring tags which double interpret Expression Language can be used to expose sensitive data stored on the server. This is because Spring provides EL support independent of the JSP/Servlet container, as a means for backwards compatibility, since, prior to JSP 2.0, Expression Language wasn’t supported. This functionality is currently turned on by default, and applications that use the patterns described herein are vulnerable.

    The original impact of this issue related to information disclosure, but I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers.
