This training will teach students how to conduct website assessments using free and open source OWASP tools. Students will learn how to conduct web penetration tests using known methodologies such as the OWASP Testing Guide, PTES and NIST SP 800-115.
Using these methodologies, tools such as OWASP's OWTF, ASVS and OWASP ZAP will be introduced in order to demonstrate the lifecycle of web hacking. These tools give you the opportunity to perform and automate the stages of a penetration test, from reconnaissance and vulnerability analysis to dynamic application testing and remediation of the vulnerabilities found.
Who Should Take This Course?
This course is designed to help web developers and security professionals understand how to pentest and secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security methodologies will benefit from this class.
What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed with Kali Linux (no version preference). If you want to get a head start, feel free to download and install OWASP ZAP and OWASP OWTF on the Kali Linux virtual machine.
The major cause of web insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, web service and mobile software developers and architects. This class contains a combination of lecture, security testing demonstration and code review and includes the following modules:
Introduction to Application Security
HTTP Basics
SQL and other Injection
Authentication
OAuth Security
Access Control
Cross Site Request Forgery and Clickjacking
Advanced XSS Defense
Content Security Policy
HTTPS/TLS Best Practices
Webservice Security Overview
Mobile Security Overview
About the course
The OWASP Top 10 list of web application vulnerabilities has done a great job of promoting awareness among developers. Along with the many OWASP cheat sheets, it provides valuable tools and techniques to web developers. But such a large body of information can be overwhelming for a programmer who wants to learn about security. This course aims to provide all web developers with deep, hands-on knowledge of the subject.
To achieve this goal, participants will first learn the technical details of each OWASP Top 10 vulnerability. Then the instructor will give demos of how attacks are performed against each of them. After that, participants will use virtual machines and follow step-by-step procedures to launch attacks against a deliberately vulnerable web site. This step is key to understanding how exploitation works so that participants can later implement effective safeguards in their own systems. Our experience is that participants who have had hands-on experience exploiting vulnerabilities will always remember how to prevent them.
Who should take this course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.
The course will cover the following topics
1. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
Command Injection
File Injection
SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
2. Proper Password Management
3. Secure Coding Best Practices
4. Effective Safeguards
Demos from the instructor
1. Session Initialization and Client-Side Validation
Part 1: Web Proxy and Session Initialization
Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Sniffing Encrypted Traffic
5. Launching Command Injection Attacks
6. Using a Web Application Vulnerability Scanner
7. Optional Exercise:
Create SSL certificates
Requirements
Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space and either VMware Player (free), VMware Workstation, VMware Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing two pre-configured virtual machines.
From David Rook - <drook@riotgames.com>
This is the formal invite to our meetup in January. I'll have a better idea of how many places we can open up via Eventbrite once people reply to this invite (by close of business 15th December).
I’m contacting you because we’d like to invite you to a security meetup we’re hosting in our Los Angeles office on Monday January 25th. With so many awesome security people coming to Santa Monica for AppSec Cali we thought it would be a good time to arrange a meetup at our office. We'd love to share some of the cool things we've been working on, via talks from a few of our Rioters and hopefully play some awesome games as well.
You are probably thinking, "who is Riot Games and why would I want to see their office?"
Here at Riot, we have developed a game (League of Legends) that is being enjoyed by a global audience.
To provide some context, League of Legends currently:
The event will have two security talks from myself and two of my Riot colleagues. We hope these talks will provide useful insight into how we approach application security at Riot. Diarmaid McManus and I will talk about our application security culture, Riot application security data and some custom tools we've developed to help our engineers produce secure code. The second talk will be delivered by a Riot software engineer and will focus on how he's levelled up his application security knowledge. This talk will focus on things he feels all engineers should know and when they should work with application security engineers.
Finally, it wouldn't be a Riot Games event if it didn't involve playing some games! You're welcome to stay around to play games with Rioters in our PC Bang and arcade. If you aren't a League player, don't worry, we have board games and an arcade with some of everyone's favourite vintage games to play as well.
The event will start at 6:30pm and finish around 11pm. We will be moving to the PC Bang at 9:30pm to play games with anyone who’d like to join us. We will be providing food and drinks for all attendees.
If you are interested in popping in, please let me know by close of business Tuesday 15th December. I look forward to seeing you soon!
Dave Rook
Registration, Breakfast, and Vendor Expo
Security@ addresses across the internet are experiencing a surge in activity as organizations embrace collaboration with the security researcher community through vulnerability disclosure programs. In our journey to uncover the perfect approach, one thing became certain: every organization is wildly unique and there is no one size fits all answer. To understand what exactly contributes to a successful program, we've analyzed aggregate Security@ data from over 500 organizations and devised a weighted index across six dimensions:
* Researcher Breadth
* Researcher Depth
* Vulnerabilities Found
* Response Efficiency
* Reward Competitiveness
* Signal Ratio
Millions of cars with tens of millions of lines of code are already on the road talking to servers and, very soon, talking to each other. Clearly a lot can go wrong. Connectivity carries significant risks which must be addressed as soon as possible. This session will address the trade-off between safety, security and convenience, as well as the steps that need to be taken by automotive manufacturers before we can trust our cars enough to let the transportation ecosystem deliver the promised benefits of connected services.
Key Take-Aways:
- Examples and a deeper appreciation of the security and privacy challenges of connected vehicular commerce
- Insights into the growing role being played by the US government
- Some comfort that many of the lessons learned in the traditional IT world are applicable to cars
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this talk, I will discuss how I combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for "one click" - after that, we already have a foothold in their environment and are ready to pivot and escalate further.
While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity of an application's architecture, pen-testers must frequently spend their limited time and resources developing custom tools specific to a single application's authorization model.
In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner.
We begin by taking a high level view of the vulnerability landscape over the past year, from anonymized data gathered from the edgescan vulnerability management SaaS. This data-set provides a snapshot of vulnerabilities in thousands of servers and web applications across the globe.
From this data, we provide our opinion and insight on why we think some of the trends are present, and argue that traditional static approaches to dynamic problems are producing diminishing results. We ask: what is the ultimate goal, application security or risk reduction? Protecting applications, or protecting businesses and data? We note the trend towards a continual approach to application security and see the benefits of 'pushing left'.
Testing methodology is a sore subject for most pentesters. Everyone has their own way to do things, and 3 people testing the same thing often end up with different results—especially when constrained for time.
The ASTM project has two goals: 1) allow testers to consistently find the best vulnerabilities in the shortest amount of time, and 2) provide a framework for community improvement of the methodologies.
ASTM combines a time constraint with a quick technology detection step to build a customized testing methodology for a specific website, given how much time you have to test it.