This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP EU Summit 2008 Training (Courses to be Approved)"

From OWASP
(Uncovering WebScarab's Secret Treasures)
(Added 'Practical Penetration Testing: ...')

Revision as of 15:54, 6 October 2008

Upon detail completion and board approval courses will be moved towards the main agenda.


Source Code Review

Instructor

Eoin Keary and Daniel Cuthbert (TBC)

Duration

0.5 day

Summary

An introduction to secure code review from an OWASP standpoint. Covering how to approach the review, tips and leading practice on how to get the best from a source code review. A look at the OWASP tools that support the code review guide.

Audience

Anyone who would like to learn more about secure code review.

Table of Contents

TBD

Course Specifics

TBD

Advanced Phishing and Social Engineering Training

Instructor

Joshua Perrymon

Duration

1 day

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

This class is designed to illustrate hands-on methods used in the real world to attack the human layer. This includes a focus on spear-phishing using the newly introduced OWASP phishing framework (LUNKER). Attendees will identify target email addresses using a variety of methods, identify potential phishing sites, create a spoofed email and send the attack, all in a locally run test environment in VMware or from a LiveCD.

Upon completion of this course, attendees will have an in-depth understanding of the latest techniques used to perform these types of attacks. The class will also include additional social engineering attack methods such as impersonation, authority attacks, pretext attacks, and much more. Advanced topics such as email payloads and man-in-the-middle attacks on second-factor tokens will be covered as well.

1. Introduction to Social Engineering

2. Understanding the Human Aspect of Security

3. Review of aggressively vertical hacking methodology

4. Analysis of attack trending over the years (Up the OSI Model)

5. Review of public Social Engineering Attacks in the media

6. Hands on: Spear Phishing Demo using the Lunker Framework

    a. Understanding the Social Engineering Scope of work
    b. Setup Client Info
    c. Gather Email addresses/targets
    d. Identify potential phishing sites
    e. Creation of spoofed emails
        i. Custom footers
        ii. Attack Scenarios
        iii. Email header options
    f. Test Environment: Review the spoofed email and phishing site
    g. Send attack
    h. Monitor: Discuss steps to take at this point once the users send in credentials.
    i. Advanced Phishing Attacks: Recon, XSS/CSRF/Browser Exploit/Trojan payloads
    j. MITM Attacks on 2-factor Authentication
    k. Summary


Course Specifics

Please enter the text here. (i.e. bring your own laptop)

OWASP ESAPI

Instructor

Jeff Williams, Aspect Security

Duration

1 day.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Web Services and SOA Security

Instructor

Dave Wichers, Aspect Security

Duration

2 days

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Advanced Web Application Security Testing

Instructor

Michael Coates, Aspect Security

Duration

2 days

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Uncovering WebScarab's Secret Treasures

Instructor

Rogan Dawes

Duration

1 day.

Summary

OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.

Audience

Application reviewers, developers

Table of Contents

  • Using the spider
  • Manual Request Transforms
  • What is the XSS/CRLF plugin, and how does it work?
  • Using the Fuzzer
  • Comparing Responses
  • Searching WebScarab history
  • Exploring the Beanshell
    • Writing Proxy Intercept scripts
    • Writing Script Manager Scripts
    • Writing other scripts

Course Specifics

Bring your own laptop

Testing Guide Training

Instructor

Matteo Meucci, Giorgio Fedon.

Duration

4 hours

Summary

Please enter the text here.

Audience

Software developers, security consultants, auditors.

Table of Contents

Please enter the text here.

Course Specifics

Bring your own laptop.

AJAX Security

Instructor

Brad Causey

Duration

1 Day

Summary

Additional Details and summary to follow...

Audience

Web Application Security Professionals

Table of Contents

Details to come

Course Specifics

Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.

Practical Penetration Testing: Think Like an Attacker to Stop Attacks

Instructors

Lann Martin and Lebbeous Fogle-Weekley

Duration

4 hours

Summary

This class will demonstrate how an attacker approaches potentially vulnerable web applications, taking advantage of both poor server configuration and poor application implementation to discover and exploit vulnerabilities of several types.

Audience

Web application developers and penetration testers of intermediate skill.

Table of Contents

This table of contents is a work in progress

  • The trouble with verbose error messages
  • The right way and the wrong way to escape input to prevent SQL injection
  • The right way and the wrong way to encode output to prevent XSS
  • More bad practices to avoid
  • More good practices to maintain
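The two "right way and the wrong way" topics above are the core of this course. As an added illustration (this is not course material or code from the instructors), the following Python script contrasts both approaches for each bug class. It uses an in-memory SQLite database with two constructed user rows, so it runs offline; the table layout, user names and payload strings are all assumptions made for the example.

```python
"""Wrong vs right: SQL injection and XSS defenses (constructed example, not course code)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users (assumed schema and data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


# --- SQL injection: escaping input vs. parameterizing the query --------------

def escape_quotes(value):
    """The 'wrong way' to escape: doubling quotes only helps inside a quoted string literal."""
    return value.replace("'", "''")


def login_concat(conn, username, password):
    """Wrong: input is spliced into the SQL text, so it can change the query's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def user_by_id_escaped(conn, id_text):
    """Still wrong: quote-escaping applied to a numeric context, where there are no quotes to escape."""
    sql = "SELECT username FROM users WHERE id = " + escape_quotes(id_text) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Right: a parameterized query; the driver never interprets the bound values as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def user_by_id_param(conn, id_text):
    """Right: validate the expected type first, then bind the value as a parameter."""
    if not id_text.isdigit():
        return []
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (int(id_text),))
    return [row[0] for row in rows]


# --- XSS: filtering output vs. encoding output for its context ---------------

def render_blacklist(name):
    """Wrong: stripping one dangerous token. A nested token survives the single pass."""
    return "<p>Welcome, " + name.replace("<script>", "") + "</p>"


def render_encoded(name):
    """Right: encode for the HTML text context; the browser renders the payload as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concat, comment payload :", login_concat(db, "alice' --", "wrong"))
    print("param, same payload     :", login_param(db, "alice' --", "wrong"))
    print("escaped numeric context :", user_by_id_escaped(db, "1 OR 1=1"))
    print("param numeric context   :", user_by_id_param(db, "1 OR 1=1"))
    print("blacklist output        :", render_blacklist("<scr<script>ipt>alert(1)</script>"))
    print("encoded output          :", render_encoded("<script>alert(1)</script>"))
```

The numeric-context case is the one worth remembering: `escape_quotes` is the classic "escape your input" advice, and it does nothing for `WHERE id = 1 OR 1=1` because the attacker never needed a quote. Likewise the blacklist rewrites `<scr<script>ipt>` into a working `<script>` tag in one pass. Parameterization and context-aware output encoding do not depend on guessing what the attacker will send.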

Course Specifics

Bring your own laptop to participate in attacks on sample web applications. Firefox is the preferred browser for exploiting web applications. Automated scanning tools are out of scope for this class.

Course Name {template}

Instructor

Please enter the text here.

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)