OWASP Top 10 Workshop - 28 July 2015
Details
Hi all,
Tuesday July 28 will see the third of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10 . The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.
We will also be having our summer social event, with some free food and beer, after the talks - see below for more details.
This month we will be looking at Injection flaws, which are #1 in the Top 10. This is the top item because successful exploitation can lead to complete control of your systems by a malicious user.
Note: During the previous workshops we set up our machines.
Anyone who set up their machine during the last workshop can continue to use it and will have all the tools in place; if you have not, no problem, we can just set up the one or two main tools we will need for the night. If you would like some assistance getting set up, we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.
If you would like to have ZAP installed on your machine you can get it here: ZAP Install (https://github.com/zaproxy/zaproxy/wiki/Downloads). Having a machine isn't a requirement for attending; there will be talks and demos as well as the practical elements.
This month's workshop will be divided into two phases with a networking event after the talks:
- Top 10 2013 - A1-Injection
Fiona Collins
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. The result is that an attacker can bypass any application-level controls in place and gain full remote control of the application or database server, which can in turn be used to access other systems on your network.
We will discuss how to identify injection vulnerabilities in your application, highlight the risks associated with injection flaws, provide some mitigation techniques and demonstrate how this all works.
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
- Practical Hands On Workshop
This section of the night will draw on what we learned in the first phase and put it to practical use. We take our testing environment and use it to exploit some injection vulnerabilities on a safe, intentionally vulnerable website.
After some time for individually attempting the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be on hand to help with any issues that arise during this phase.
The practical elements will allow you to attack a vulnerable site from a malicious attacker's or software tester's perspective. You will leave with not only an understanding of the issues but also hands-on practice.
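To make the A1 talk's point concrete (untrusted data sent to the interpreter "as part of" the query) and to show the mitigation the hands-on phase works towards, here is an added example that is not part of the original announcement or of any OWASP project code. It builds a small in-memory SQLite table with constructed sample rows, then runs the same lookup twice: once with the username concatenated into the SQL text, and once bound as a parameter. The third function covers the case parameters cannot handle (an ORDER BY column name) with an allow-list. All names and data below are the example's own assumptions.

```python
"""Injection in a string-built SQL query beside the parameterised form (SQLite, stdlib only)."""
import sqlite3

# Constructed sample data; pw_hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    ("alice", "placeholder-hash-1", "user"),
    ("bob", "placeholder-hash-2", "admin"),
]

# Columns a caller may sort by. pw_hash is deliberately absent so it can never be exposed via sorting.
SORTABLE_COLUMNS = {"username", "role"}


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the untrusted value becomes part of the SQL text.

    The interpreter cannot distinguish the caller's data from the query's own
    syntax, so a quote in the input changes the WHERE clause itself.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, username):
    """Hardened: the value is bound to a placeholder and is never parsed as SQL.

    Whatever the input contains, it is compared literally against the column.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn, column):
    """Identifiers (column names) cannot be bound as parameters, so allow-list them.

    Rejecting anything outside SORTABLE_COLUMNS keeps the query shape fixed
    even though the column name is interpolated into the SQL text.
    """
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT username, role FROM users ORDER BY " + column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a quote in the input; harmless as data, query-altering as code
    print("vulnerable   :", find_user_vulnerable(db, probe))     # every row comes back
    print("parameterised:", find_user_parameterised(db, probe))  # no such username: []
    print("sorted by role:", list_users_sorted(db, "role"))
```

Running it shows the vulnerable lookup returning both rows for an input that matches no username, while the parameterised lookup returns nothing, which is the behaviour the workshop's fix aims for. The allow-list function is the caveat practitioners most often miss: placeholders protect values, not table or column names, so those need a fixed set to check against.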
- Summer Networking Event
After the workshop we will go along to the Woolshed bar, where we would like to treat you to some food, drinks and chats: http://www.woolshedbaa.com/cork/
Chapter meetings are provided free of charge, although OWASP membership is encouraged: besides supporting the organisation, it provides the holder with benefits in other areas, such as free or discounted entry to conferences.
Hope to see you there!
Darren & Fiona (OWASP Cork Team)