OWASP Israel 2017 Chapter Meeting #2

Hosted By
AviD

Details

Agenda:

17:00 – Gathering, food & drinks

17:30 – Opening note

17:45 – The Borders are Dissolving – Application Security Crystal Ball

Maty Siman, CTO & Founder, Checkmarx

Over several years applications have become central to anything we do. Whether web, mobile or even IoT applications, they all control almost every aspect of our daily lives. For that exact same reason they have also become the hacker’s new best friend. But it seems that there is a change happening and it isn’t being discussed as often as it should. Data and financial gain are still considered the end goal, but the how is dramatically changing.

Join us to try to envision what kind of attacks we will be seeing in the near future, how and who will be taking or dropping responsibility and how modern development practices may benefit attack techniques.

18:30 – Automated security tests using ZAP and Webdriver.io

Omer Levi Hevroni, Soluto

Webdriver.io is a great framework for writing automation tests for your webapp. With a very small configuration you can easily integrate ZAP's passive scan into those tests, and upgrade those tests into automated security scanning, benefiting from all the useful things that ZAP is able to detect. I am going to cover how we did this at Soluto – and as we run everything using Docker containers, it is very easy to reproduce this setup for any webapp with existing Webdriver.io/Selenium tests.

19:15 – Coffee Break

19:30 – WebShell AV signature bypass and identification

Gil Cohen, CTO, Comsec

Ever wondered how easy or hard it is to trick a signature-based defensive product? Ever wanted to bypass such a product to upload your own malicious web-shell file to an attacked web server? This lecture is for you!

In a very lightweight, straightforward and eye-opening talk I’m going to show how easy it is to upload a slightly modified version of the famous C99 webshell, to get full control over a web server, and how ineffective the signature-based modules of defensive products are. I’m also going to show tips on how to identify a web-shell, and present 2 open-source tools that try to do just that.

OWASP Israel Chapter
Checkmarx
Amot Atrium Tower, 2 Jabotinsky St. · Ramat Gan