Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Monday, January 23 • 9:00am - 5:00pm
OWASP Top 10 - Exploitation and Effective Safeguards

Sign up or log in to save this to your schedule and see who's attending!

 

 AppSec California 2017

OWASP Top 10 – Exploitation and Effective Safeguards

Monday, January 23rd, 2017 Presented by David Caissy, Albero Solutions Inc.

About the course

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

The course will cover the following topics

1. OWASP Top 10 web application vulnerabilities:

A1 - Injection Attacks

  •  Command Injection
  •  SQL Injection

 

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidated Redirects and Forwards

2. Proper Password Management

3. Secure Coding Best Practices

4. Effective Safeguards

Hands-on Exercises

1. Session Initialization and Client-Side Validation

 Part 1: Web Proxy and Session Initialization

 Part 2: Client-Side Validation

2. Online Password Guessing Attack

3. Account Harvesting

4. Sniffing Encrypted Traffic

5. Launching Command Injection Attacks

6. Using a Web Application Vulnerability Scanner

7. Optional Exercise: Create SSL certificates

 

Demos from the instructor

1. SQL Injection Attack

2. Cross-Site Scripting Attack

3. Insecure Direct Object References

4. Sensitive Data Exposure

5. Cross-Site Request Forgery

Who should take this course?

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

Requirements

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 20 GB of free disk space and either VMWare Workstation Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the class, participants will receive a USB thumb drive containing a pre-configured virtual machine for the hands-on exercises.

About the trainer

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense of Canada, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.

 


Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Monday January 23, 2017 9:00am - 5:00pm
Terrace Lounge

Attendees (7)