This training will teach students how to conduct website assessments using free and open source OWASP tools. Students will learn how to conduct web penetration tests using known methodologies such as the OWASP Testing Guide + PTES and NIST SP800-115.
Using the various methodologies, tools such as OWASP’s OWTF, ASVS and OWASP ZAP will be used introduced in order to demonstrate the lifecycle of web hacking. These tools give you the opportunity to perform and automate stages of penetration testing from reconnaissance, vulnerability analysis, to dynamic application testing and remediation steps to vulnerabilities found.
Who Should Take This Course?
This course is designed to help web developers and security professionals understand how to pentest and secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security methodologies will benefit from this class.
What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space,and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed with Kali Linux (no version preference). If you want to get a head start, feel free to download and install OWASP ZAP and OWASP OWTF on the Kali Linux virtual machine.
The major cause of web insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects. This class contains a combination of lecture, security testing demonstration and code review and includes the following modules.
Introduction to Application Security - HTTP Basics - SQL and other Injection - Authentication - OAuth Security - Access Control - Cross Site Request Forgery and Clickjacking - Advanced XSS Defense - Content Security Policy - HTTPS/TLS Best Practices - Webservice Security Overview - Mobile Security Overview
About the course
The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.
To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.
Who should take this course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.
The course will cover the following topics
1. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
Command Injection
File Injection
SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
2. Proper Password Management
3. Secure Coding Best Practices
4. Effective Safeguards
Demos from the instructor
1. Session Initialization and Client-Side Validation
Part 1: Web Proxy and Session Initialization
Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Sniffing Encrypted Traffic
5. Launching Command Injection Attacks
6. Using a Web Application Vulnerability Scanner
7. Optional Exercise:
Create SSL certificates
Requirements
Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing two pre-configured virtual machines.
Registration, Breakfast, and Vendor Expo
Security@ addresses across the internet are experiencing a surge in activity as organizations embrace collaboration with the security researcher community through vulnerability disclosure programs. In our journey to uncover the perfect approach, one thing became certain: every organization is wildly unique and there is no one size fits all answer. To understand what exactly contributes to a successful program, we've analyzed aggregate Security@ data from over 500 organizations and devised a weighted index across six dimensions:
* Researcher Breadth
* Researcher Depth
* Vulnerabilities Found
* Response Efficiency
* Reward Competitiveness
* Signal Ratio
Millions of cars with tens of millions of lines of code are already on the road talking to servers and very soon, talking to each other. Clearly a lot can go wrong. Connectivity carries significant risks which must be addressed as soon as possible. This session will address the trade-off between safety, security and convenience as well as the steps that need be taken by the automotive manufacturers before we can trust our cars to let the transportation ecosystem deliver the promised benefits of connected services.
Key Take-Aways:
- Examples and a deeper appreciation of the security and privacy challenges of connected vehicular commerce
- Insights into the growing role being played by the US government
- Some comfort that many of the lessons learned in the traditional IT world are applicable to cars
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this talk, I will discuss how I combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for "one click" - after that, we already have a foothold in their environment and are ready to pivot and escalate further.
While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity in an application's architecture, pen-testers must frequently use their limited time and resources developing custom tools specific to a single application's authorization model.
In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner.
We begin by taking a high level view of the vulnerability landscape over the past year, from anonymized data gathered from the edgescan vulnerability management SaaS. This data-set provides a snapshot of vulnerabilities in thousands of servers and web applications across the globe.
From this data, we provide our opinion and insight on why we think some of the trends are present and that traditional static approaches to dynamic problems, is producing diminishing results. We ask, what is the ultimate goal, application security or risk? Protecting applications or protecting businesses and data? We note the trend towards a continual approach to application security and see the benefits of ‘pushing left’.
Testing methodology is a sore subject for most pentesters. Everyone has their own way to do things, and 3 people testing the same thing often end up with different results—especially when constrained for time.
The ASTM project has two goals: 1) allow testers to consistently find the best vulnerabilities in the shortest amount of time, and 2) provide a framework for community improvement of the methodologies.
ASTM combines a time restraint with a quick technology detection step to build a customized testing methodology for that specific website given how much time you have to test it.
