This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2018 Training2"

From OWASP
Jump to: navigation, search
m (Fix typos for the Advanced Web Hacking and Secure Coding)
 
Line 6: Line 6:
 
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainers'''
 
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainers'''
 
| colspan="0" style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Description'''
 
| colspan="0" style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Description'''
|-
 
| colspan="0" style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | 2 days training <br> 24th and 25th of October <br> daily: 9:00 - 17:00<br><br>
 
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | Secure Web Applications in Java
 
| colspan="0" style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | [http://ro.linkedin.com/in/scrissti Cristian Serban] and [https://ro.linkedin.com/in/luciansuta Lucian Suta]
 
| colspan="0" style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" | '''Description:''' <br>Everybody is familiar with OWASP Top 10, but how is that applicable when you write Java web applications and web services using the Spring Framework? In this course we will look at the security features built into this commonly-used Java framework, how security holes in your application look from the point of view of a hacker, and how to apply security principles such as ‘defense in depth’ in order to build robust applications. Together we will build a web application in stages, adding successive layers of functionality and security, and in the process we will develop secure coding testing skills, uncover and protect against some of the most common vulnerabilities in Java code.
 
Topics covered:
 
Day 1:
 
* Simple REST API, database access, subresource integrity, CSP, parameter validation, output encoding, form-based login, access control, method security, CSRF
 
Day 2:
 
* Remember me functionality, LDAP login, OAuth 2.0 login, custom authentication, CORS, SSL, self-signed certificates, Let’s Encrypt, hashing, encryption
 
<br>
 
'''Intended audience:''' software developers, security people with some programming experience<br>
 
'''Skill level: '''HTTP (intermediate), Java programming (intermediate)<br>
 
'''Requirements: '''laptop, JDK 8+, Maven, ZAP, GIT, some text editor such as Visual Studio Code
 
<br>
 
'''Seats available: '''20 (first-come, first served)<br>
 
'''Price: 650 euros/person'''<br>
 
[https://www.eventbrite.com/e/owasp-bucharest-appsec-conference-2018-tickets-47960216298#tickets Register here]
 
 
|-
 
|-
 
| colspan="0" style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | 2 days training <br> 24th and 25th of October <br> daily: 9:00 - 17:00<br><br>
 
| colspan="0" style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" | 2 days training <br> 24th and 25th of October <br> daily: 9:00 - 17:00<br><br>

Latest revision as of 09:00, 16 October 2018

Training

Time Title Trainers Description
2 days training
24th and 25th of October
daily: 9:00 - 17:00

 Advanced Web Hacking and Secure Coding Vikram Salunke Description: Web applications are becoming more complex and targets are become more hardened to penetrate. Nowadays Load Balancers, Web Application Firewalls (WAF) are very common in infrastructure. So, as a pentester, we should improve our skills to defeat modern access controls mechanisms.

This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one.
This training starts with the basic web app hacking and then moves into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack.
This training covers both offensive and defensive approach towards web applications. Firstly, the training would cover how to use certain attack on a web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code, so that the attack would not have happened. It covers various mistakes made by developers who wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. Also, the training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc.
Training will teach attendees how to gain shell on the box and how to chain multiple attacks to pwn the entire infrastructure. Training follows Capture The Flag (CTF) approach to attack web applications and compromise the machines.
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Day 1:

  • Introduction
  • Spidering Web Applications and analyzing results
  • Fuzzing
  • Input Validation
  • User Enumeration
  • Bypassing Password Verification
  • Information Leakage
  • HTTP Verb Tampering
  • Injection - HTML, iFrame, LDAP, CSS, JSON
  • Advanced Cross Site Scripting (XSS) - XSS to system compromise
  • Advanced client side exploitation with BeEF
  • Extending Burp Proxy
  • Clickjacking
  • Insecure direct object reference (IDOR) and Open Redirects
  • Server Side Request Forgery (SSRF)
  • Server Side Includes Injection (SSI Injection)
  • JavaScript Validation Bypass
  • Advanced SQL Injection - SQL Injection to system compromise
  • JSON Hijacking
  • Session Management and Cookie Stealing
  • HTML5

Day 2:

  • Advanced XML Attacks
  • JSON Web Token
  • API Attacks
  • Insecure System/Service configuration - FTP, NTP, VNC, SNMP, WebDav, Samba etc.
  • Database Security - MySql, SQL Server, MongoDB etc.
  • Remote Command Injection
  • Local File Inclusion (LFI) and Remote File Inclusion (RFI)
  • RCE via serialization/deserialization
  • Serialization Attacks
  • HTTP Response Splitting
  • SSL Strip attack
  • CMS Attacks and Defenses - Wordpress, Drupal, Joomla
  • Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
  • Logical Flaws
  • Detection of Web Application Firewall and Load Balancers
  • Filter Evasion and Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall
  • OWASP Top 10 Attacks
  • OWASP Secure Coding Practices
  • and more ...

Intended audience: software developers, security people with some programming experience
This course requires following pre-requisites:

  • Basic knowledge on HTTP, HTML
  • Basic Web Application Penetration Skills
  • Reading and understanding of PHP

Seats available: 20 (first-come, first served)
Price: 650 Euro / person
Register here

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2018_Training2&oldid=244279"