OWASP Top 10 Workshop - XSS - 10 Sept 2015
Details
Detecting and preventing XSS, the most common web app security flaw.
Hi all,
On Thursday, September 10th, we are having the fourth of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10 . The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.
This month our guest speaker, Damilare Fagbemi, will mainly be investigating Cross Site Scripting (XSS) which claims the third highest spot (A3) in the top 10 and will also touch on A10 - Unvalidated Redirects and Forwards.
Damilare is a software engineer and information security professional with expertise in Software Security and Data Analytics. He is a software security engineer in the Partner team at Intel Security Group, where he is responsible for developing strategies to improve security in the software development process while ensuring that software products built and shipped for Intel Security's partners are secure.
http://damilarefagbemi.com
@damilarefagbemi
Note: During the previous workshops we set up our machines to be ready for web penetration testing. Anyone who has done this can continue as such, but if you have not, no problem, we can help you set up the one or two main tools that we will need for that night. That should only take a couple of minutes. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.
If you would like to have ZAP installed on your machine you can get it here: ZAP Install (https://github.com/zaproxy/zaproxy/wiki/Downloads). Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.
This month's workshop will be divided into three phases:
- Top 10 2013 - A3 - Cross Site Scripting (XSS)
This important vulnerability allows an attacker to inject script which your application then serves to your users and which runs in their browsers, putting those users at risk.
We will discuss how to identify XSS vulnerabilities in your application, highlight the risks associated with injection flaws, provide some mitigation techniques and demonstrate how this all works.
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
- Top 10 2013 - A10 - Unvalidated Redirects and Forwards
An open redirect occurs when the application takes a URL from a request parameter and redirects the user to it without any validation, so an attacker can choose the destination. This vulnerability is often used to facilitate phishing attacks, since the link the victim sees begins with a trusted domain.
We will discuss how to identify these vulnerabilities in your application, highlight the associated risks, provide some mitigation techniques and demonstrate how this all works.
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
- Practical Hands On Workshop
This section of the night will draw on what we learned in the first phase and put it to practical use: we will use our testing environment to exploit examples of both types of vulnerability on a safe, intentionally vulnerable website.
After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.
The practical elements will allow you to attack a vulnerable site from the perspective of a malicious attacker or a software tester. You will leave not only with an understanding of the issues but also with hands-on practice.
Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.
Hope to see you there!
Darren & Fiona (OWASP Cork Team)