[Owasp-cork] Fwd: [OWASP-Cork] OWASP Workshop - A1 Injection - Tonight!

Darren Fitzpatrick darren.fitzpatrick at owasp.org
Tue Jul 28 12:59:29 UTC 2015


Hi all,

Just a reminder about tonight's OWASP Top 10 workshop on the number one
issue - Injection. The night will be led by Fiona Collins and will be
followed by some drinks and food on us for anyone who can make it to the
Woolshed afterwards. The security shepherd modules on Injection (that's
going to be mostly SQL Injection) will be opened afterwards as usual to
play around with for the end of the session and in your own time afterwards.

....

Hi all,

Tuesday July 28 will see the third of our free series of workshops based on
OWASP's most well known flagship project, the OWASP Top 10 (2013)
https://www.owasp.org/index.php/Top10. The goal of these workshops is to
learn by doing, which is usually the best approach to learning anything. In
that light, we will speak a little about each of the areas from the Top 10,
then take that learning to the next level by attacking vulnerable sites and
investigating vulnerable code and configurations.

We will also be having our summer social event, with some free food and
beer, after the talks - see below for more details.

This month we will be looking at Injection flaws which are #1 in the top
10. This is the top item as successful exploitation can lead to complete
control of your systems by a malicious user.

Note: During the previous workshops we set up our machines.

Anyone who has set up their machines during the last workshop can continue
to use that and will have all tools in place, but if you have not, no
problem, we can just set up the one or two main tools that we will need for
that night. If you would like some assistance in getting set-up then we
will be there from 18:45 to help. Alternatively, you can contact one of the
organisers (Fiona or Darren) in advance and we will let you know what you
need.

If you would like to have ZAP installed on your machine you can get it
here: ZAP Install <https://github.com/zaproxy/zaproxy/wiki/Downloads>. Having
a machine isn't a requirement for attending, there will be talks and demos
as well as the practical elements.

This month's workshop will be divided into two phases with a networking
event after the talks:

1. Top 10 2013 - A1-Injection

Fiona Collins

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization. The result of this
is that an attacker can bypass any application-level controls in place
and gain full remote control of the application or database server, which
can in turn be used to access other systems on your network.

We will discuss how to identify injection vulnerabilities in your
application, highlight the risks associated with injection flaws, provide
some mitigation techniques and demonstrate how this all works.

<https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References>
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
<https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)>

2. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and
put it to practical use. We take our testing environment and use it to
exploit some injection vulnerabilities on a safe, intentionally vulnerable
website.

After giving some time for individually attempting to carry out the
exploitation, a walk-through of the exploit technique will be given for
each of the examples outlined. The OWASP team will be at hand to help with
any issues that might arise through this phase.

The practical elements will allow you to attack a vulnerable site from
a malicious attacker's or software tester's perspective. You will leave with
not only an understanding of the issues but also having had hands-on
practice.

3. Summer Networking Event

After the workshop we will go along to the Woolshed bar where we would like
to treat you to some food, drinks and chats:
http://www.woolshedbaa.com/cork/

Chapter meetings are provided free of charge although OWASP membership is
encouraged and besides supporting the organisation, will provide the holder
with benefits in other areas such as free/discounted entry to conferences,
etc.

Hope to see you there!

Darren & Fiona (OWASP Cork Team)
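To illustrate the mechanism the announcement describes (untrusted data spliced into a query so the interpreter parses it as SQL) next to the standard mitigation (parameterised queries), here is an added example that is not part of the original post or of the Security Shepherd modules. It uses Python's standard-library sqlite3 module against a constructed in-memory `users` table; the table, the sample rows and the hostile input string are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an application's user store.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pass123")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted values are concatenated into the SQL text, so any quote
    characters they contain become part of the statement's syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterised(conn, username, password):
    """The statement is fixed; values travel separately as bound parameters
    and are treated as data, whatever characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run both versions with a legitimate login and with a constructed
    hostile input, returning the rows each one matched."""
    conn = make_db()
    # Constructed hostile input: the leading quote closes the string literal
    # in the concatenated query and the rest becomes a tautology.
    hostile = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterised": login_parameterised(conn, "alice", "s3cret"),
        "hostile_vulnerable": login_vulnerable(conn, hostile, hostile),
        "hostile_parameterised": login_parameterised(conn, hostile, hostile),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(name, matched)
```

With a legitimate username and password both functions return only `alice`. With the hostile string the concatenated version matches every row, because the quote has turned data into syntax, while the parameterised version matches nothing: the whole string was compared as a literal username. The same principle (keep the statement fixed, pass data out of band) is what the A1 guidance on parameterised queries and prepared statements refers to.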