
Details

Topics:

A5 Security Misconfiguration

A2 Broken Authentication and Session Management

A6 Sensitive Data Exposure

Hi all,

On Thursday, October 15th, we are holding the last of our free series of workshops based on OWASP's best-known flagship project, the OWASP Top 10 (2013), https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: During the previous workshops we set up our machines to be ready for web penetration testing. Anyone who has done this can continue as such, but if you have not, no problem: we can help you set up the one or two main tools that we will need for that night. That should only take a couple of minutes. If you would like some assistance in getting set up, we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install (https://github.com/zaproxy/zaproxy/wiki/Downloads). Having a machine isn't a requirement for attending; there will be talks and demos as well as the practical elements.

This month's workshop will be divided into three phases:

  1. Top 10 2013 - A5 - Security Misconfiguration

Delivered by: Fiona Collins

Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc., however these should not be relied upon.

https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

  2. Top 10 2013 - A2 - Broken Authentication and Session Management

Delivered by: Darren Fitzpatrick

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
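The A2 paragraph lists the places where home-grown session handling usually goes wrong (logout, timeouts, id generation). The following Python is an added example, not material from the workshop or from OWASP; it is a hypothetical server-side session store that shows what each of those controls looks like when done correctly: ids from the OS CSPRNG, a fresh id issued at login so a pre-login id cannot be carried over, idle and absolute timeouts, and logout that invalidates on the server rather than only clearing a cookie. The timeout values and the `FakeClock` are assumptions chosen so the behaviour can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity allowed (value chosen for this example)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity (also chosen for the example)


@dataclass
class Session:
    user: Optional[str]  # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    """Hypothetical server-side session table. The browser only holds the opaque id."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: never a counter, a timestamp or anything derived from the user
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Anonymous session, e.g. for a basket that exists before login."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Called after credentials were verified. Retires the pre-login id and issues a new one,
        so an id planted before authentication (session fixation) is never upgraded."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """User of a live authenticated session, else None. Expired entries are removed on sight."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity resets the idle timer, never the absolute one
        return s.user

    def logout(self, sid: str) -> None:
        # Invalidate server-side; deleting the cookie in the browser alone leaves the id usable
        self._sessions.pop(sid, None)


class FakeClock:
    """Settable clock so the timeouts can be exercised without real waiting (test aid)."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> Dict[str, bool]:
    """Exercise each control and report whether it behaved as intended."""
    clock = FakeClock()
    store = SessionStore(clock)
    out: Dict[str, bool] = {}
    anon = store.start()
    sid = store.login(anon, "alice")
    out["fixation_blocked"] = store.resolve(anon) is None       # pre-login id is dead after login
    out["login_ok"] = store.resolve(sid) == "alice"
    clock.advance(IDLE_TIMEOUT - 1)
    out["active_keeps_alive"] = store.resolve(sid) == "alice"   # just inside the idle window
    clock.advance(IDLE_TIMEOUT + 1)
    out["idle_expires"] = store.resolve(sid) is None
    sid = store.login(None, "alice")
    for _ in range(40):                                         # keep touching it for ~9 hours...
        clock.advance(IDLE_TIMEOUT - 60)
        store.resolve(sid)
    out["absolute_expires"] = store.resolve(sid) is None        # ...the absolute limit still ends it
    sid = store.login(None, "alice")
    store.logout(sid)
    out["logout_invalidates"] = store.resolve(sid) is None
    return out


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

When testing a real application, these are the same checks to run by hand: does the id change after login, does logging out actually kill the session if the old cookie is replayed, and does a long-lived but active session ever end.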

  3. Top 10 2013 - A6 - Sensitive Data Exposure

Delivered by: Fiona Collins

The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management and weak algorithm usage are common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server-side flaws due to limited access, and such flaws are also usually hard to exploit.

https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
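The A6 paragraph singles out weak password hashing. The Python below is an added example (not code from the workshop or from OWASP) that puts the weak scheme beside a sound one: an unsalted fast digest, where two users with the same password end up with the same stored value, versus PBKDF2-HMAC-SHA256 with a per-user random salt, a deliberately high iteration count and a constant-time comparison on verification. The storage format string and the iteration count are choices made for this example; the count follows the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP cheat-sheet figure; tune per deployment)
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The kind of 'weak password hashing' A6 refers to: fast and unsalted.
    Identical passwords give identical digests, and a single precomputed table covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. The salt is stored alongside, so no secret is needed to verify."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record (example format): algorithm$iterations$salt$derived_key
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters_s, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def compare_schemes(password_a: str, password_b: str) -> Dict[str, bool]:
    """Show the observable difference when two accounts share a password."""
    return {
        "weak_identical": weak_hash(password_a) == weak_hash(password_b),
        "strong_identical": hash_password(password_a) == hash_password(password_b),
    }


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password
    print(compare_schemes("correct horse", "correct horse"))
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

In a code review, the record format is what to look at first: if the stored value is a bare 32-hex-character digest with no salt and no work factor, it is the weak scheme regardless of what the surrounding code calls it.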

  4. Practical Hands-On Workshop

This section of the night will draw on what we learned in the first phase and put it to practical use. We take our testing environment and use it to exploit examples of each of these vulnerability types on a safe, intentionally vulnerable website.

After some time for individual attempts at the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be on hand to help with any issues that might arise during this phase.

The practical elements will allow you to attack a vulnerable site from a malicious attacker's or software tester's perspective. You will leave with not only an understanding of the issues but also hands-on practice.

Chapter meetings are provided free of charge, although OWASP membership is encouraged; besides supporting the organisation, it provides the holder with benefits in other areas, such as free or discounted entry to conferences.

Hope to see you there!

Darren & Fiona (OWASP Cork Team)
