OWASP Bucharest AppSec Conference 2016 Workshops

Workshop

We will discuss each type of vulnerability described in the OWASP Top 10 project and we will be practicing manual discovery and exploitation techniques. Furthermore, a set of useful security testing tools will be presented and used during the workshop.
This will be a (very) hands-on workshop where we will practice exercises as:

• Discover SQL injection and exploit it to extract information from the database
  
• Find OS command injection and exploit it to execute arbitrary commands on the target server
  
• Discover Cross-Site Scripting and exploit it to gain access to another user’s web session
  
• Spot XML External Entity vulnerabilities and use them to read arbitrary files from the server
  
• Identify Local File Inclusion and exploit it to gain remote command execution
  
• Find Cross-Site Request Forgery and exploit it to gain access to the admin panel
  
• Detect standard components of web apps containing known vulnerabilities and exploit them
  
• Other fun and challenging tasks
  

Of course, we will also present safe ways in which the identified vulnerabilities can be eliminated or mitigated in production environments.
Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements:

• Laptop with a working operating system
  
• At least 2 GB of free disk space and at least 2 GB RAM
  
• Administrative rights on the laptop
  
• VMWare Player installed
  

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements: This course requires moderate Java coding skills, a laptop with a latest JDK, Intellij IDEA or Spring Tool Suite and ZAP installed.

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

In this training we will provide you with the know-how and skills to create shellcodes and construct basic attack vectors using shellcodes. You will better understand how programs and processes work.

The training is highly practical. We will use a Linux environment and common Linux tools for static and dynamic analysis, shellcode creation and exploiting. The training will feature hands-on activities such as:

• Analyzing existing binary shellcode blobs
• Writing shellcodes
• Building shellcodes
• Testing shellcodes
• Injecting shellcodes in vulnerable programs
• Detecting basic vulnerabilties in programs and injecting shellcodes
  

We will present different scenarios for vulnerable programs and then create the shellcode-based attack vectors to exploit them.

Outcome: After this training you will be able to create shellcodes and assembly-based binary blobs and use them for for exploiting or executable hardening. You will increase your skills in using assembly language and in working with binary exploration tools. You will understand shellcode-based attacks and you will gain basic understanding of shellcode-based attack requirements and how to mitigate them.

Intended Audience: System-level developers, security researchers, people interested in runtime appplication security and binary exploitation
Requirements:

• Laptop with a working operating system
• At least 6 GB of free disk space and at least 2 GB RAM
• Administrative rights on the laptop
• VirtualBox installed
  

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

Cryptography mostly operates under the hood — we use it without having to worry about how it works. However, when something in the crypto world cracks, it cracks loudly. Heartbleed, compromised certificate authorities, identity theft, mass surveillance, bitcoin exploits worth millions of dollars — they all originate in the complex layer of cryptographic algorithms and have negative impact on our lives.

In this session, we will take a very practical look at cryptography and see how it works on the Internet. Some of the topics we will cover include:

• authentication mechanisms (PKI, certificates, certificate transparency, password storage);
• secure protocols (SSL, TLS and HTTPS);
• web application security (secure cookies, CSP, key pinning).

The training will feature many guided hands-on activities. These include, but are not limited to: creating certificate hierarchies, configuring custom certificates on clients and servers, modifying security policies, impersonating “seemingly secure” identities, downgrading connections, and extracting information from secure HTTPS sessions.

We'll also explore how easily crypto breaks when used improperly, looking back at notable recent attacks and what made them possible.

Outcome: After this training you will be able to:

• Describe how Public Key Certificates work;
• Adequately protect information against tampering, eavesdropping and extraction attempts;
• Use OpenSSL to issue certificates and configure them on clients and servers;
• Select secure crypto algorithms when presented with the choice;
• Describe how secure browser to server connections are established on the Internet, including possible threats that relate to them;
• Enhance web application security using state of the art browser and server capabilities.
  

Intended Audience: Network and web security engineers, security researchers, web developers

Skill Level: intermediate, basic Linux command line skills, basic knowledge of networking, basic knowledge of HTTP
Requirements:

• Laptop with a working operating system
• At least 6 GB of free disk space and at least 2 GB RAM
• Administrative rights on the laptop
• VirtualBox installed

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here