sqrl – steve gibson @owasp gbg

Last week I attended my first OWASP-event and the event was hold i Gothenburg, Sweden. Before I read about this event I hadnt heard about SQRL (Secure Quick Reliable Login) but the enthusiastic presentation by the author himself, Steve Gibson got me hooked. I really like the idea of SQRL as a replacement for username and passwords and hopefully we will see and use this system everywhere in the future.

If you are not familiar in how SQRL works and why it is so good you can now watch the presentation on OWASP GBGs Youtube channel. It’s better to watch the author talk about it than me trying to explain it. So bring some popcorn and watch it.

Security Fest 2019

This year’s amazing Security Fest has now come to an end. I’ve had two really great days where I learned a lot and got new inspiration and ideas to work with.

Picture from Shira Shamban’s great talk about cyber warfare

Christoffer Jerkeby – Load Balancer with RCE, Hacking F5

My favorite talk from this conference that I want to write a bit about was the super interesting talk by Christoffer Jerkeby about Remote Code Execution in F5’s Load Balancer, called Big-IP. Big-IP has a feature in the Local Traffic Manager that is called iRule which can be used to manage the network traffic. The language that is used for defining these iRules is a fork of the language TCL-8.4.

Christoffer provided two demos to show how these flaws can be exploited. It can lead to MITM(Man-in-the-Middle), the ability to set and remove any HTTP header, intercept and inject user traffic for any session and termination of HTTPS.

This language has a few flaws that are not well known and they are related to how the language expands variables and options. If the iRules are not written correctly, which they in many cases aren’t because the lack of knowledge of these flaws, the code will not work as expected to say the least.

Since the flaws are in how the language was built it’s not something that F5 can fix and no patch will or can be released that will mitigate this. This means that the people who configure these load balancers need to analyze their code in depth. It’s not easy to do that but Christoffer shared some great tools that can be used to help with the clean-up process and help you find out if your code is vulnerable.

You can find the tools and read more about them on github:

If you want to watch the whole presentation you can watch it below. It will be well worth your time:

Various pictures from the conference:

Cool attendee badge this year.
Funny challenge from a sponsor. Internet of Trash is exactly what it is.

Security Fest have uploaded all the presentations on their Youtube channel so if you are interested you can watch all presentations from both days on their channel:

Did you attend to Security Fest this year? How did you like it?

Copyright © 2022