Difference between revisions of "Cork"

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

TBD - Placeholder only

TBD - Placeholder only

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

A3 - Cross Site Scripting (XSS) & A10 - Unvalidated Redirects and Forwards

Detecting and Preventing XSS, the Most Common Web App Security Flaw.

On Thursday, September 10th, we are having the fourth of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

This month our guest speaker, Damilare Fagbemi, will mainly be investigating Cross Site Scripting (XSS) which claims the third highest spot (A3) in the top 10 and will also touch on A10 - Unvalidated Redirects and Forwards.

Damilare is a software engineer and information security professional with expertise in Software Security and Data Analytics. He is a software security engineer in the Partner team at Intel Security Group where is responsible for developing strategies to improve security in the software development process while ensuring that software products built and shipped for Intel Security's partners are secure.

damilarefagbeni.com

@damilarefagbemi

Note: During the previous workshops we set up our machines to be ready for web penetration testing. Anyone who has done this can continue as such, but if you have not, no problem, we can help you set up the one or two main tools that we will need for that night. That should only take a couple of minutes. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install. Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into three phases:

1. Top 10 2013 - A3 - Cross Site Scripting (XSS)

This important vulnerability can result in your application allowing arbitrary code to be run in the unsuspecting browsers of your users, putting those users at risk.

We will discuss how to identify XSS vulnerabilities in your application, highlight the risks associated with injection flaws, provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

2. Top 10 2013 - A10 - Unvalidated Redirects and Forwards

An open redirect is a parameter which is accepted and used by the application to redirect a user to a URL of their choosing without any validation. This vulnerability is often used to facilitate phishing attacks.

We will discuss how to identify these vulnerabilities in your application, highlight the associated risks , provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

3. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some of both types of vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

The practical elements will allow you attack a vulnerable site from a malicious attacker or software tester's perspective. You will leave with not only an understanding of the issues but also having had hands on practice.

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

A1 - SQL Injection (SQLi)

Tuesday July 28 will see the third of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

We will also be having our summer social event, with some free food and beer, after the talks - see below for more details.

This month we will be looking at Injection flaws which are #1 in the top 10. This is the top item as successful exploitation can lead to complete control of your systems by a malicious user.

Note: During the previous workshops we set up our machines.

Anyone who has set up their machines during the last workshop can continue to use that and will have all tools in place, but if you have not, no problem, we can just set up the one or two main tools that we will need for that night. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install. Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into two phases with a networking event after the talks:

1. Top 10 2013 - A1 - Injection

Fiona Collins

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. The result of this being that an attacker can by-pass any application level controls in place and gain full remote control of the application or database server which can in turn be used to access other systems on your network.

We will discuss how to identify injection vulnerabilities in your application, highlight the risks associated with injection flaws, provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A1-Injection

2. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some injection vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

The practical elements will allow you attack a vulnerable site from a malicious attacker or software tester's perspective. You will leave with not only an understanding of the issues but also having had hands on practice.

3. Summer Networking Event

After the workshop we will go along to the Woolshed bar where we would like to treat you to some food, drinks and chats: (http://www.woolshedbaa.com/cork/)

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

Cross Site Request Forgery (CSRF)
Using Insecure Components

Thursday 25 June will see the second of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: During the previous workshop we set up our machines.

Anyone who has set up their machines during the last workshop can continue to use that and will have all tools in place, but if you have not, no problem, we can just set up the one or two main tools that we will need for that night. If would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into two phases:

1. Top 10 2013 - A8 - Cross-Site Request Forgery (CSRF)

Vincent Ryan

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

We will discuss what this issue is, a number of varieties of this issue along with methods for avoiding it in your application code and a demo of how you would examine a defence using burp.

https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

2. Top 10 2013 - A9 - Using Components with Known Vulnerabilities

Darren Fitzpatrick

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

We will discuss how know vulnerabilities can be identified in a system and used to get access to other systems and data in your network. Mitigation techniques will also be discussed.

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

3. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some CSRF & component vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

Setting Up a Hacking Environment
Direct Object Reference & Broken Functional Access Control

Thursday 28 May will see the first of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: To get the most out of these workshops, it would be best to bring your own laptop. This should have >1 GB of RAM, >5 GB of free storage and a reasonably fast processor. Failing these laptop requirements we could probably work around it, but this would be best for following the standard approach that will be taken by most.

This month's workshop will be divided into three phases:

1. Setting Up Your Test Environment

To start the night we will define test environments at a high level and then help you to configure VirtualBox with a hacking / penetration testing specific virtual machine, namely Kali Linux. Kali will provide a tailored, pre-configured environment for testing and comes pre-populated with a vast array of tools for all your hacking needs! If you just bring your laptop, we will have the files ready for you to install, or if you are a paranoid security person ;) you can download in advance from here:

https://www.virtualbox.org/wiki/Downloads

https://www.kali.org/downloads/ (32 bit iso)

2. Top 10 2013 - A4 - Insecure Direct Object References

Insecure direct object reference occurs when a web application allows the user to choose the target data for their transaction without correctly restricting to the data to which they should be privy. In a secure configuration, the target data for retrieval would be based on the particular user session, however often the data retrieval decisions are based on parameters which the user can access. E.g. you access your on-line bank account details, but manipulate the incorrectly implemented request to have the application think that you are another user, and return that other user's details.

We will discuss a number of varieties of this issue along with methods for avoiding it in your application code.

https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

3. Practical Hands On Workshop

This section of the night will invoke our learning from the first two phases and put it to practical use. We take our new testing environment and use it to exploit some direct object reference vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

Practical elements will cover the following two perspectives so that you leave with not only an understanding of the issues but also having had hands on practice in these areas:

1. Defensive - Seeing vulnerable code / configurations and investigating how the issues could be rectified.

2. Offensive - Attacking vulnerable sites from a malicious attacker or software tester's perspective.

On March 24th we held a joing security event with CorkSec, ISACA, and (ISC)2. Slides from the talks are available here:
Securing Innovation
The Weakest Link

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Venue Address: Western Road, Cork
Venue Map: Google Maps
(Registration. Register here)

The next OWASP Cork Chapter meeting is taking place on Thursday December 11th in UCC (Western Gateway Building, WGB G04) at 7PM.

Hope to see you there. There are two talks lined up:

Talk 1: Eoin Carroll - Android Webview Exploitation

Bio:

Eoin Carroll is an IT Security Engineer and member of OWASP since 2009. Based in Cork and works on all things security with keen interests in the Android Stack, Threat Modeling, HTML5, Cryptanalysis, Reversing and Exploitation.

Eoin has 13 years’ experience spanning across the IT, Semi-Conductor and Medical Device industries, working as an Electronic Engineer for 10 yrs and in Security for the last 3 years.

Android Webview Exploitation

This talk will focus on the AddJavascriptInterface which is remotely exploitable leading to Shell and Cross Application Scripting (XAS). Eoin will discuss the importance of Threat Modeling with cross platform development frameworks such as Phonegap/Cordova as well as security tools such as Drozer and AFE (Android Exploitation Framework).

The session will finish with a MITM demo exploiting the AddJavascriptInterface.

Slides are available here: OWASP Android Webview Explotiation

Talk 2: Eoin Keary & Rahim Jina - 2014 EdgeScan Vulnerability Stats Report

Eoin Keary - BCC Risk Advisory / OWASP

Eoin is international board member and vice chair of OWASP, The Open Web Application Security Project (owasp.org), and during his time in OWASP he has lead the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM, and the OWASP Cheat Sheet Series. Eoin is a well-known technical leader in industry in the area of software security and penetration testing, and has led global security engagements for some of the world's largest financial services and consumer products companies. He was a senior manager, responsible for penetration testing in EMEA for a “big 4” professional services firm for 4.5 years. He is the CTO and founder of BCC Risk Advisory Ltd (bccriskadvisory.com) an Irish company who specialise in secure application development, advisory, penetration testing, Mobile & Cloud security and training. Eoin has delivered security training and talks for OWASP to over 600 developers in the past year including events such as RSA (2013), RSA Europe, OWASP EU (2013), OWASP Dublin 2013.

Rahim Jina - BCC Risk Advisory / OWASP

Rahim is a member of OWASP and has contributed to many open source security projects over the past 8 years such as the OWASP Testing and Security Code Review Guides and also OWASP SAMM. Previously Rahim was a senior consultant at a “big 4” professional services for and the head of security for a large VoIP/IPT company in Los Angeles, USA and now works as the Director of information security for BCC Risk Advisory (bccriskadvisory.com). His is also responsible for the security architecture of the edgescan.com vulnerability management solution.

We will go along to the Woolshed bar for some drinks and chats after the talk: (http://www.woolshedbaa.com/cork/)

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Venue Address: Western Gateway Building, UCC, Western Rd, Cork, Ireland
Venue Map: Google Maps
(Registration. Register here)

The next OWASP Cork Chapter meeting is taking place on Monday September 22nd in UCC (WGB G.14) at 7PM.

We would like to treat all attendees to some beer and pizza after the talks in the Woolshed bar (Mardyke - http://www.woolshedbaa.com/cork/)

Hope to see you there.

There are two talks lined up:

Talk 1: Introduction to OWASP ZAP

Overview of the OWASP ZAP tool.

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Talk 2: Mark Denihan - OWASP Security Shepherd

The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skill set demographic. Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Many of these levels include insufficient mitigations and protections to these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well. In this presentation we're going to look at the Shepherd platform itself from both a learning and teaching perspective. Some of Shepherd's lessons and challenges will be demonstrated and we'll also walkthrough how easy it is to stand up a Security Shepherd instance and how it can be tailored to suit any web/mobile app sec teaching environments.

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

OWASP September Event

Everyone is welcome to join us at our chapter meetings.

Other OWASP Chapters in Ireland

OWASP Dublin

https://www.owasp.org/index.php/Ireland-Dublin

• Chapter Lead Owen Pendlebury +353876605277
  
• Board Member/Global Board Member Eoin Keary
  
• Board Member Fabio Cerullo +353877817468
  
• Board Member Mark Denihan
  

OWASP Limerick

https://www.owasp.org/index.php/Limerick

• Chapter Lead Marian Ventuneac