OWASP Top 10 Workshop - 25 June 2015
Details
Hi all,
Thursday 25 June will see the second in our free series of workshops based on OWASP's best-known flagship project, the OWASP Top 10 (2013): https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.
Note: During the previous workshop we set up our machines.
Anyone who set up their machine during the last workshop can continue to use it and will have all the tools in place, but if you have not, no problem: we can just set up the one or two main tools that we will need for the night. If you would like some assistance getting set up, we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.
Having a machine isn't a requirement for attending; there will be talks and demos as well as the practical elements.
This month's workshop will be divided into two phases:
1 a). Top 10 2013 - A8 - Cross-Site Request Forgery (CSRF)
Vincent Ryan
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
We will discuss what this issue is and a number of its varieties, along with methods for avoiding it in your application code, and give a demo of how you would examine a defence using Burp.
https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
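The defence the session refers to, the synchronizer token pattern, as an added example that is not part of the original announcement or of any OWASP project code. It models the HTTP layer with plain dictionaries, and the handler names, the in-memory session store and the sample requests are all constructed for illustration: a forged cross-site request carries the victim's cookie (the browser attaches it automatically) but cannot carry the per-session token, which only the legitimate page embeds in its form.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}


def start_session(user):
    """Log a user in and mint a per-session CSRF token alongside the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Return the token the legitimate page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(request):
    """Before: trusts the session cookie alone, so any site can drive this action."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request):
    """After: the submitted token must match the one bound to the session."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; compare_digest also handles length mismatch safely.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def demo():
    """Run a legitimate and a forged request through both handlers; return status codes."""
    sid = start_session("alice")
    token = render_form(sid)
    # Constructed legitimate request: the real page supplied the hidden token.
    legit = {"cookies": {"session": sid}, "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    # Constructed forged request: cookie rides along automatically, token is absent.
    forged = {"cookies": {"session": sid}, "form": {"to": "mallory", "amount": "1000"}}
    return {
        "vulnerable_forged": transfer_vulnerable(forged)[0],
        "hardened_forged": transfer_hardened(forged)[0],
        "hardened_legit": transfer_hardened(legit)[0],
    }
```

Tokens must be unpredictable and bound to the session; a token copied from another user's session, or guessed, fails the comparison just as a missing one does.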
1 b). Top 10 2013 - A9 - Using Components with Known Vulnerabilities
Darren Fitzpatrick
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
We will discuss how known vulnerabilities can be identified in a system and used to gain access to other systems and data in your network. Mitigation techniques will also be discussed.
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
2). Practical Hands-On Workshop
This section of the night will build on what we learned in the first phase and put it to practical use. We take our testing environment and use it to exploit some CSRF and component vulnerabilities on a safe, intentionally vulnerable website.
After some time for individual attempts at the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be on hand to help with any issues that might arise during this phase.
Practical elements will cover the following two perspectives, so that you leave not only with an understanding of the issues but also with hands-on practice in these areas:
- Defensive - Seeing vulnerable code / configurations and investigating how the issues could be rectified.
- Offensive - Attacking vulnerable sites from a malicious attacker's or software tester's perspective.
Hope to see you there!
Darren & Fiona (OWASP Cork Team)