
Difference between revisions of "2016 BASC Training"

From OWASP
(Created page with "{{2016_BASC:Header_Template | Training}} __FORCETOC__ We would like to thank our speakers for donating their time and effort to help make this conference successful. {{2016...")
 
(Replaced content with "2016 BASC Workshops")
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{2016_BASC:Header_Template | Training}}
+
[[2016 BASC Workshops]]
 
 
 
 
__FORCETOC__
 
We would like to thank our speakers for donating their time and effort to help make this conference successful.
 
 
 
{{2016_BASC:Presentaton_Info_Template|Highlights from the Matasano Crypto Challenges|Matt Cheung| | | }}
 
 
 
{{2016_BASC:Presentaton_Info_Template|Painless Web and Mobile Hacking 101|Apoorv Munshi| | | }}
 
 
 
In this hands-on workshop, I will help the participants to set up an “efficient” environment for fast web and mobile application penetration testing. Instead of using traditional ready-to-go penetration testing distributions like Kali Linux, I will focus on setting up the environment in Windows and Mac OS. After all, a browser and an intercepting proxy are all we need for most manual penetration testing tasks. Setting up a virtual machine and getting it working correctly can be difficult for beginners. I want to keep this simple and painless!
 
 
 
The topics that will be covered are:
 
 
 
# Preparing the Chrome browser by creating a separate pen-testing profile and then installing FoxyProxy for quickly switching proxies. I will also talk about how participants can use Chrome’s extremely powerful developer tools for getting insights about the application.
 
# Installing and setting up OWASP ZAP to start intercepting and modifying the traffic. This section involves installing the root CA certificate in the browser’s certificate store. I will also cover Burp Suite if time permits. The reason I am focusing on OWASP ZAP is that it's free, awesome, and some features which are really necessary for painless pen-testing are not present in the free edition of Burp Suite. For mobile, I will talk about the steps in setting up an Android device for penetration testing mobile apps. (Live demo for Android if time permits.)
 
# The third step involves a demonstration on a real-world application listed on a bug bounty program and then helping the participants understand the traffic. I will show some tricks for focusing on important traffic, such as setting up scope using the “context” feature in ZAP, using filters, etc.
 
# The last and most important section will focus on sharing resources that I have gathered over the last 2 years from Twitter and security blogs. For people completely new to this domain, I will suggest a “study path”. I will talk about awesome books, blogs, bug bounty programs and some more tricks for painless pen-testing, like using Gmail aliases for creating test accounts and password managers for managing passwords.
 
 
 
{{2016_BASC:Footer_Template | Training}}
 

Latest revision as of 23:22, 18 September 2016

2016 BASC Workshops