AppSec California 2017
OWASP Top 10 – Exploitation and Effective Safeguards
Monday, January 23rd, 2017 Presented by David Caissy, Albero Solutions Inc.
About the course
The OWASP Top 10 web application vulnerabilities list has done a great job of promoting awareness among developers. Along with many cheat sheets, it provides valuable tools and techniques to web developers. But such a rich source of information can be overwhelming for a programmer who wants to learn about security. This course aims to give all web developers deep hands-on knowledge of the subject.
To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.
The course will cover the following topics:
1. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
2. Proper Password Management
3. Secure Coding Best Practices
4. Effective Safeguards
Hands-on Exercises
1. Session Initialization and Client-Side Validation
Part 1: Web Proxy and Session Initialization
Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Sniffing Encrypted Traffic
5. Launching Command Injection Attacks
6. Using a Web Application Vulnerability Scanner
7. Optional Exercise: Create SSL certificates
Demos from the instructor
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery
Who should take this course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.
Requirements
Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 20 GB of free disk space and either VMWare Workstation Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the class, participants will receive a USB thumb drive containing a pre-configured virtual machine for the hands-on exercises.
About the trainer
David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense of Canada, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.
The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Black-hat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, implement a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.
Written and taught by the author of “The Hacker Playbook” series, Peter Kim will take you through an immensely hands-on experience to replicate real world attacks without even running a single vulnerability scanner. In this hands-on experience, you will take on the role of a malicious Blackhat attacker and infiltrate your way into a corporate network. The onsite lab will emulate a real network using only modern operating systems.
Secure Coding Bootcamp for the Web
The major cause of web insecurity is the lack of secure software development practices. This one-day bootcamp will help developers and other software professionals build and maintain secure applications. This class contains a combination of lecture, security testing demonstration and code review.
The following modules will be included in this class.
– HTTP Basics (1 hr)
In this module we will cover the various security implications of using the HTTP protocol for web and webservice development. Topics such as the proper use of HTTP verbs and HTTP security response headers will be covered. We will also demonstrate the use of an intercepting proxy tool to demonstrate how attackers modify request data to harm your applications. This module will also introduce several methods needed to properly transmit sensitive data over HTTPS.
– SQL and other Injection (.5 hrs)
Injection is an application weakness that will allow attackers to execute harmful SQL, Operating System, LDAP and other commands against your application. This is one of the most dangerous vulnerabilities possible. This module will review several forms of injection with live demonstrations. We will discuss the limits of input validation, and focus on more robust defenses such as query parameterization and encoding.
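As an added illustration of the contrast this module draws (this is not code from the bootcamp), the following runs the same lookup against an in-memory SQLite table twice: once with the input concatenated into the SQL text, once with query parameterization. The table, the user rows and the inputs are constructed for the example.

```python
"""Added example, not from the course page: string concatenation versus
query parameterization, run against an in-memory SQLite table.
The users table and its rows are constructed sample data."""
import sqlite3

# Constructed sample rows; the hashes are placeholders, not real credentials.
USERS = [("alice", "hash-placeholder-1"), ("bob", "hash-placeholder-2")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def count_matches_vulnerable(conn, username):
    """Defect the module describes: user input becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def count_matches_parameterized(conn, username):
    """Robust defense: the input travels as a bound value and is compared
    literally, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


def demo():
    """Return the row counts each style produces for a normal username and
    for the classic always-true input used in injection demonstrations."""
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed input; breaks out of the quotes
    return {
        "vuln_normal": count_matches_vulnerable(conn, normal),
        "vuln_tautology": count_matches_vulnerable(conn, tautology),
        "param_normal": count_matches_parameterized(conn, normal),
        "param_tautology": count_matches_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query matches every row for the tautology input because the quote characters rewrote the WHERE clause; the parameterized query matches none, since no user is literally named `x' OR '1'='1`. No amount of input validation changes the first result as reliably as binding the value does, which is the point the module makes about parameterization.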
– Authentication (2.5 hrs)
Authentication is the “front gate” of any application and is used to establish the identity of your users. This module will discuss the security mechanisms found within a secure authentication layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will also include code review labs.
– OAuth Security (2 hrs)
OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let’s say it again: OAuth is not a standard, it’s a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this module.
– Access Control (1 hr)
Access Control is a necessary security control at almost every layer within a web application. This module will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and “fail open” access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible and deny-by-default, along with the other positive design attributes that make up a robust web-based access control mechanism.
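To make the anti-patterns above concrete, here is an added example (not the bootcamp's own code) that places a "fail open" check without a horizontal check beside a deny-by-default, activity-based check that takes the record's owner into account. The roles, activities, policy table and invoice records are all constructed for the illustration.

```python
"""Added example, not from the course page: a fail-open access check
beside a deny-by-default, activity-based, data-contextual one.
Roles, activities and records below are constructed assumptions."""
from dataclasses import dataclass

# Constructed policy: activity name -> roles explicitly allowed to perform it.
POLICY = {
    "invoice:view": {"accountant", "manager"},
    "invoice:approve": {"manager"},
}


@dataclass
class User:
    id: int
    role: str


@dataclass
class Invoice:
    id: int
    owner_id: int  # the user who created the record


def can_fail_open(user, activity, invoice):
    """Anti-pattern: an activity missing from the policy falls through to
    'allowed', and nothing ties the invoice to the requesting user
    (no horizontal access control)."""
    allowed_roles = POLICY.get(activity)
    if allowed_roles is None:
        return True  # fail open: unmapped activity is permitted
    return user.role in allowed_roles


def can_deny_by_default(user, activity, invoice):
    """Positive pattern: only an explicit allow grants access, the decision is
    per activity, and the record's owner is part of the decision."""
    allowed_roles = POLICY.get(activity, set())
    if user.role not in allowed_roles:
        return False  # unknown activity or role not listed: deny
    # Constructed rule: managers act across the organisation, every other
    # role may act only on records it owns (horizontal check).
    if user.role != "manager" and invoice.owner_id != user.id:
        return False
    return True


def compare(user, activity, invoice):
    """Return both decisions side by side for one request."""
    return (
        can_fail_open(user, activity, invoice),
        can_deny_by_default(user, activity, invoice),
    )


if __name__ == "__main__":
    acct = User(id=1, role="accountant")
    own = Invoice(id=10, owner_id=1)
    other = Invoice(id=11, owner_id=2)
    print("own invoice, view:     ", compare(acct, "invoice:view", own))
    print("other's invoice, view: ", compare(acct, "invoice:view", other))
    print("unmapped activity:     ", compare(acct, "invoice:delete", own))
```

The two implementations agree on the straightforward case (an accountant viewing their own invoice) and disagree exactly where the module says audits find problems: the fail-open version lets an accountant read another user's invoice and permits any activity nobody remembered to add to the policy, while the deny-by-default version refuses both. Because the policy lives in a table rather than in the code path, it is also the configurable part that the module asks for.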
– Angular.JS Security (1 hr)
AngularJS is one of the most popular and exciting JavaScript UI frameworks in use today. This module will discuss what AngularJS is, how it is built and the various security controls contained within it. We’ll discuss the controls AngularJS provides, including Strict Contextual Escaping, HTML Sanitization, Content Security Policy integration, the double-submit cookie defense and JSON hijacking protection.
Spend a full day to understand both the theory and practice of SSL/TLS.
Designed by the author of the much-acclaimed Bulletproof SSL and TLS, this practical course will teach you how to deploy secure servers and encrypted web applications during a day packed with theory and practical work. We’ll focus on what you need in your daily work to deliver the best security, availability and performance. And you will learn how to get an A+ on SSL Labs!
Why This Course is for You
We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.
This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative. The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:
These questions and others will be addressed head on using examples from the 95+ BSIMM firms and many years of real world experience. (Firms in the BSIMM include, Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Highmark Health Solutions, Horizon Healthcare Services, Inc., HP Fortify, HSBC, Independent Health, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, Target, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.)
We are absolutely thrilled to announce that OWASP San Diego will be hosting an amazing AppSec California CTF hacking competition this January 26th-27th for the third year in a row!
Here are the all important details:
Date: January 23rd-25th, 2016
Time: 9 AM – 5 PM PST (runs until 4 PM PST on the second day)
Location: Event House (Hacking Village) (Must be there in-person)
Players: 100 Players Maximum
Registration: Register on-site
Required: Bring your laptop (and an Ethernet/USB adapter if you do not have an Ethernet port on your laptop).
Optional Equipment: Bring lock picks (as there will likely be physical security challenges)
Cost: Free!
Prizes: Yes! =]
No pre-registration necessary! Sign up on-site, get plugged in, and get started. Contest begins on January 24th at 10:00 in the Hacking Village and will run through the end of the day January 25th at 4pm. Winners will be announced and prizes given out at the closing ceremonies.
Contest Rules:
Don’t be a jerk.
No host discovery is required. Everyone scanning a network just makes it break. Scanning a single host as part of a challenge is fine.
Targets are clearly marked, only attack those. No attacking the switches, networks, etc.
No DoS attacks, get the flags.
No physical attacks – cables, switches, hardware services are right out. Don’t break them.
Don’t delete or change the flags.
VMs will be reverted somewhat regularly.
Don’t mess with Splunk and logging, we are just health checking.
Don’t delete our root key from the box or we’ll have to revert it. Don’t do this as a DoS attack on the other participants.
If we ask, you need to show us what/how you did something.
We aren’t lawyers, you probably aren’t a lawyer. Don’t look for loopholes, and don’t get in the way of other people having fun.
Random Thoughts:
If this is your first CTF ever, you will be able to find things if you try, if it is not, we have challenges for you also.
Objectives and flags are fairly clearly marked.
NO STEGO! We hate stego. The tools never work and it’s a pain, so we didn’t do that. Images that have flags are clearly marked and are images for the lulz.
No host discovery is required, but scanning a host may be useful.
Challenges are standalone, but some easier ones may give ideas for harder ones.
We are logging lots of things, if you aren’t happy with that, don’t play.