[Owasp-cork] OWASP Top 10 Workshop - 25 June 2015

Fiona Collins fiona.collins at owasp.org
Thu Jun 11 11:35:03 UTC 2015


Hi all,

Thursday 25 June will see the second of our free series of workshops based
on OWASP's most well known flagship project, the OWASP Top 10 (2013)
https://www.owasp.org/index.php/Top10. The goal of these workshops is to
learn by doing, which is usually the best approach to learning anything. In
that light, we will speak a little about each of the areas from the Top 10,
then take that learning to the next level by attacking vulnerable sites and
investigating vulnerable code and configurations.

Join us here:  http://www.meetup.com/OWASP-Cork/events/223124638/

Note: During the previous workshop we set up our machines.

Anyone who set up their machine during the last workshop can continue to
use it and will have all tools in place, but if you have not, no problem:
we can just set up the one or two main tools that we will need for that
night. If you would like some assistance in getting set up then we will be
there from 18:45 to help. Alternatively, you can contact one of the
organisers (Fiona or Darren) in advance and we will let you know what you
need.

Having a machine isn't a requirement for attending, there will be talks and
demos as well as the practical elements.

This month's workshop will be divided into two phases:

1 a). Top 10 2013 - A8-Cross-Site Request Forgery (CSRF)

Vincent Ryan

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP
request, including the victim’s session cookie and any other automatically
included authentication information, to a vulnerable web application. This
allows the attacker to force the victim’s browser to generate requests the
vulnerable application thinks are legitimate requests from the victim.

We will discuss what this issue is, a number of varieties of this issue,
methods for avoiding it in your application code, and a demo of how you
would examine a defence using Burp.

https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
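The synchronizer token defence described above, worked through as an added example (this is not code from the original announcement or from OWASP). It assumes a constructed in-memory session store and a request shape of `{"cookies": ..., "form": ...}`; the vulnerable handler authorises on the session cookie alone, while the protected one also requires the per-session token that a page on another origin cannot read:

```python
import hmac
import secrets

# Constructed in-memory session store (stand-in for a real session backend).
SESSIONS = {}


def create_session(user):
    """Log a user in: issue a session id and bind a fresh random CSRF token to it.

    Synchronizer token pattern: the token lives server-side in the session and
    is only ever delivered to the victim's own browser inside page markup.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """What the server embeds in its own forms as a hidden field. Same-origin
    policy stops a page on another origin from reading it."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(request):
    """The A8 bug: authorising a state change on the session cookie alone.
    The browser attaches the cookie automatically, so a cross-site form post
    is indistinguishable from a genuine one."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"moved {request['form']['amount']} from {session['user']}"


def transfer_protected(request):
    """Same endpoint with the token check: the request must carry the token
    bound to its session, compared in constant time to avoid a timing leak."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    # Compare as bytes: compare_digest on str rejects non-ASCII input with a TypeError.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"moved {request['form']['amount']} from {session['user']}"


def demo():
    """Replay one genuine and one forged request against both handlers and
    return the four status codes."""
    sid = create_session("alice")
    # Genuine: alice's browser submits the server-rendered form, token included.
    genuine = {"cookies": {"session": sid},
               "form": {"amount": "10", "csrf_token": csrf_token_for(sid)}}
    # Forged: a form on another site posts to /transfer. The browser still
    # attaches alice's cookie, but the other site cannot supply her token.
    forged = {"cookies": {"session": sid},
              "form": {"amount": "9999"}}
    return (transfer_vulnerable(genuine)[0], transfer_vulnerable(forged)[0],
            transfer_protected(genuine)[0], transfer_protected(forged)[0])


if __name__ == "__main__":
    print(demo())  # (200, 200, 200, 403)
```

When examining such a defence in Burp, the interesting cases are exactly the ones `demo()` replays: resend the request with the token removed, with a token from a different session, and with a stale token after re-login; a correct implementation answers 403 to all three and never falls back to cookie-only authorisation.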

1 b). Top 10 2013 - A9-Using Components with Known Vulnerabilities

Darren Fitzpatrick

Components, such as libraries, frameworks, and other software modules,
almost always run with full privileges. If a vulnerable component is
exploited, such an attack can facilitate serious data loss or server
takeover. Applications using components with known vulnerabilities may
undermine application defenses and enable a range of possible attacks and
impacts.

We will discuss how known vulnerabilities can be identified in a system and
used to get access to other systems and data in your network. Mitigation
techniques will also be discussed.

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
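One mitigation for A9 is to compare every pinned dependency against an advisory feed before a build is allowed to ship. The checker below is an added example, not code from the announcement or from OWASP; the advisory entries, package names and the requirements-style manifest are all constructed placeholders. It parses affected-version ranges (`<`, `<=`, `>`, `>=`, `==`, comma-joined), compares versions numerically rather than as strings, and refuses unpinned requirements because they cannot be checked:

```python
import re

# Constructed sample advisory feed; ids and package names are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "examplelib", "affected": "<2.4.1"},
    {"id": "EXAMPLE-ADV-002", "package": "otherlib", "affected": ">=1.0,<1.3"},
    {"id": "EXAMPLE-ADV-003", "package": "otherlib", "affected": "==1.3.0"},
]

# Constructed pinned manifest in pip requirements style.
MANIFEST = """\
# application dependencies (constructed sample)
examplelib==2.3.0
otherlib==1.3.0
thirdlib==0.9.0
"""


def parse_version(text):
    """'1.2.10' -> (1, 2, 10). Numeric tuples, so 1.2.10 sorts after 1.2.9
    (a plain string comparison would get this wrong)."""
    return tuple(int(p) for p in text.strip().split("."))


def pad(a, b):
    """Right-pad the shorter tuple with zeros so that (1, 2) equals (1, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


OPS = {
    "<": lambda v, b: v < b, "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
    "==": lambda v, b: v == b,
}


def version_affected(version, spec):
    """True if version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        left, right = pad(v, bound)
        if not OPS[op](left, right):
            return False
    return True


def parse_manifest(text):
    """Accept only exact pins: an unpinned line cannot be checked, and failing
    closed is the safer default for a release gate."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def find_known_vulnerable(manifest_text, advisories=ADVISORIES):
    """Return [(package, version, advisory id)] for each pinned dependency that
    falls inside an advisory's affected range."""
    findings = []
    for pkg, ver in parse_manifest(manifest_text).items():
        for adv in advisories:
            if adv["package"].lower() == pkg and version_affected(ver, adv["affected"]):
                findings.append((pkg, ver, adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in find_known_vulnerable(MANIFEST):
        print("KNOWN VULNERABLE:", *finding)
```

Run against the constructed manifest it flags `examplelib 2.3.0` (below the fixed 2.4.1) and `otherlib 1.3.0` (the exact version in the third advisory) while clearing `otherlib` against the `>=1.0,<1.3` range. In a real pipeline the advisory list would come from a vulnerability database and a non-empty result would fail the build.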


2. Practical Hands On Workshop

This section of the night will build on our learning from the first phase and
put it to practical use. We will take our testing environment and use it to
exploit some CSRF and component vulnerabilities on a safe, intentionally
vulnerable website.

After giving some time for individually attempting to carry out the
exploitation, a walk-through of the exploit technique will be given for
each of the examples outlined. The OWASP team will be at hand to help with
any issues that might arise through this phase.

Practical elements will cover the following two perspectives, so that you
leave with not only an understanding of the issues but also hands-on
practice in these areas:

1. Defensive - Seeing vulnerable code / configurations and investigating
how the issues could be rectified.

2. Offensive - Attacking vulnerable sites from a malicious attacker or
software tester's perspective.

Hope to see you there!

Darren & Fiona (OWASP Cork Team)



Fiona Collins,
OWASP Cork Chapter Lead