This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Bucharest AppSec Conference 2016 Workshops

From OWASP
Revision as of 17:29, 10 August 2016 by Oana Cornea (talk | contribs)

Jump to: navigation, search

Workshop

Time Title Trainers Description
9:00 - 17:00

 OWASP Top 10 vulnerabilities – discover, exploit, remediate
 		Adrian Furtună – Founder & Ethical Hacker – VirtualStorm Security
Ionuţ Ambrosie – Security Consultant – KPMG Romania 		Description:The purpose of this workshop is to increase the participants’ awareness on the most common web application vulnerabilities and their associated risks.

We will discuss each type of vulnerability described in the OWASP Top 10 project and we will be practicing manual discovery and exploitation techniques. Furthermore, a set of useful security testing tools will be presented and used during the workshop.
This will be a (very) hands-on workshop where we will practice exercises as:

  • Discover SQL injection and exploit it to extract information from the database
  • Find OS command injection and exploit it to execute arbitrary commands on the target server
  • Discover Cross-Site Scripting and exploit it to gain access to another user’s web session
  • Spot XML External Entity vulnerabilities and use them to read arbitrary files from the server
  • Identify Local File Inclusion and exploit it to gain remote command execution
  • Find Cross-Site Request Forgery and exploit it to gain access to the admin panel
  • Detect standard components of web apps containing known vulnerabilities and exploit them
  • Other fun and challenging tasks

Of course, we will also present safe ways in which the identified vulnerabilities can be eliminated or mitigated in production environments.
Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements:

  • Laptop with a working operating system
  • At least 2 GB of free disk space and at least 2 GB RAM
  • Administrative rights on the laptop
  • VMWare Player installed

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

9:00 - 17:00

 Secure Web Applications in Java
 		Cristian Serban- AppSec Architecture Manager
Lucian Suta - Software Security Trainer and Consultant 		Description: Everybody is familiar with OWASP Top 10, but how is that applicable when you write Java web applications using the Spring Framework, JSP, or FreeMarker templates? What are the security features built into the most common Java frameworks and how to apply security principles such as ‘defense in depth’ in order to build robust applications. Together we will build secure coding and secure code review skills, uncover and protect against some of the most common vulnerabilities in Java code.

Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements: This course requires moderate Java coding skills, a laptop with a latest JDK, Intellij IDEA or Spring Tool Suite and ZAP installed.

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here


9:00 - 17:00

 Shellcode Development and Exploiting
 		Razvan Deaconescu- Assistant Professor at University POLITEHNICA of Bucharest
Mihai Țigănuș - Master Student at University POLITEHNICA of Bucharest 		Description: Shellcodes are small pieces of executable code that provide arbitrary functionality to a given program. They are usually obtained from assembly source code and used in runtime application security to exploit a vulnerability in the program and alter the execution flow, i.e. arbitrary code execution attack.

In this training we will provide you with the know-how and skills to create shellcodes and construct basic attack vectors using shellcodes. You will better understand how programs and processes work.

The training is highly practical. We will use a Linux environment and common Linux tools for static and dynamic analysis, shellcode creation and exploiting. The training will feature hands-on activities such as:

  • Analyzing existing binary shellcode blobs
  • Writing shellcodes
  • Building shellcodes
  • Testing shellcodes
  • Injecting shellcodes in vulnerable programs
  • Detecting basic vulnerabilties in programs and injecting shellcodes

We will present different scenarios for vulnerable programs and then create the shellcode-based attack vectors to exploit them.

Outcome: After this training you will be able to create shellcodes and assembly-based binary blobs and use them for for exploiting or executable hardening. You will increase your skills in using assembly language and in working with binary exploration tools. You will understand shellcode-based attacks and you will gain basic understanding of shellcode-based attack requirements and how to mitigate them.

Seats available: 20 (first-come, first served)
Price: 200 euros/person
Register here

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2016_Workshops&oldid=220305"