[Owasp-cork] Final OWASP Top 10 Workshop - 15 Oct 2015

Fiona Collins fiona.collins at owasp.org
Tue Oct 6 09:21:50 UTC 2015


Hi all,



On Thursday, October 15th, we are holding the last of our free series of
workshops based on OWASP's most well known flagship project, the OWASP Top
10 (2013) https://www.owasp.org/index.php/Top10. The goal of these
workshops is to learn by doing, which is usually the best approach to
learning anything. In that light, we will speak a little about each of the
areas from the Top 10, then take that learning to the next level by
attacking vulnerable sites and investigating vulnerable code and
configurations.


*Register to attend here: http://www.meetup.com/OWASP-Cork/events/225847811/*



Note: During the previous workshops we set up our machines to be ready for
web penetration testing. Anyone who has done this can continue as such, but
if you have not, no problem, we can help you set up the one or two main
tools that we will need for that night. That should only take a couple of
minutes. If you would like some assistance in getting set-up then we will
be there from 18:45 to help. Alternatively, you can contact one of the
organisers (Fiona or Darren) in advance and we will let you know what you
need.



If you would like to have ZAP installed on your machine you can get it
here: ZAP Install. Having a machine isn't a requirement for attending,
there will be talks and demos as well as the practical elements.


This month's workshop will be divided into three phases:



*1. Top 10 2013 - A5 - Security Misconfiguration*



*Delivered by: Fiona Collins*



Security misconfiguration can happen at any level of an application stack,
including the platform, web server, application server, database,
framework, and custom code. Developers and system administrators need to
work together to ensure that the entire stack is configured properly.
Automated scanners are useful for detecting missing patches,
misconfigurations, use of default accounts, unnecessary services, etc.,
however these should not be relied upon.



https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration



*2. Top 10 2013 - A2 - Broken Authentication and Session Management*


*Delivered by: Darren Fitzpatrick*



Developers frequently build custom authentication and session management
schemes, but building these correctly is hard. As a result, these custom
schemes frequently have flaws in areas such as logout, password management,
timeouts, remember me, secret question, account update, etc. Finding such
flaws can sometimes be difficult, as each implementation is unique.



https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management



*3. Top 10 2013 - A6 - Sensitive Data Exposure*



*Delivered by: Fiona Collins*



The most common flaw is simply not encrypting sensitive data. When crypto
is employed, weak key generation and management, and weak algorithm usage
are common, particularly weak password hashing techniques. Browser
weaknesses are very common and easy to detect, but hard to exploit on a
large scale. External attackers have difficulty detecting server side flaws
due to limited access, and they are also usually hard to exploit.



https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure



*4. Practical Hands-On Workshop*



This section of the night will invoke our learning from the first phase and
put it to practical use. We take our testing environment and use it to
exploit some of both types of vulnerabilities on a safe, intentionally
vulnerable website.



After giving some time for individually attempting to carry out the
exploitation, a walk-through of the exploit technique will be given for
each of the examples outlined. The OWASP team will be at hand to help with
any issues that might arise through this phase.



The practical elements will allow you to attack a vulnerable site from a
malicious attacker's or software tester's perspective. You will leave with
not only an understanding of the issues but also having had hands-on
practice.



Chapter meetings are provided free of charge, although OWASP membership is
encouraged and, besides supporting the organisation, will provide the holder
with benefits in other areas such as free/discounted entry to conferences,
etc.



Hope to see you there!



Darren & Fiona (OWASP Cork Team)
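The session-management flaws listed under A2 above (logout, timeouts, and reuse of a session id the client held before logging in), as an added example that is not part of the original post and not code from any OWASP project. It is a self-contained Python session store with hypothetical names; the clock is injected so the expiry rules can be exercised without waiting, and the timeout values are constructed for the demonstration, not figures from the post.

```python
"""Server-side session store showing three A2 controls: fresh id on login,
idle and absolute timeouts, and real server-side logout.

Added example; names, timeouts and the FakeClock are this example's own.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # constructed: seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # constructed: hard cap on lifetime regardless of activity


class FakeClock:
    """Controllable clock so expiry can be demonstrated deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG; never derived from user data or a counter
        return secrets.token_urlsafe(32)

    def login(self, user, presented_id=None):
        """Issue a fresh session once authentication has succeeded.

        Any id the client presented before authenticating is discarded rather
        than promoted, so a pre-planted id (session fixation) never becomes a
        logged-in session.
        """
        if presented_id is not None:
            self._sessions.pop(presented_id, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user for a live session, or None; expired entries are purged."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        idle_expired = now - entry["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - entry["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Invalidate on the server; clearing the cookie in the browser alone
        leaves the id usable by anyone who captured it."""
        return self._sessions.pop(sid, None) is not None

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.login("alice", presented_id="id-the-client-already-had")
    print("logged in as", store.resolve(sid))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.resolve(sid))
```

The absolute cap is the piece custom schemes most often omit: a session that is touched every few minutes stays alive under an idle timeout alone, so `resolve()` checks both limits and `logout()` removes the record rather than merely expiring the cookie.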
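The "weak password hashing" point under A6 above, as an added example that is not code from the post or from OWASP: the unsalted fast hash beside a salted, slow, constant-time-verified one, with a check for records that need upgrading when the work factor is raised. PBKDF2-HMAC-SHA256 is used only because it ships in the Python standard library; the record format (`scheme$iterations$salt$digest`), the iteration count and the function names are this example's own.

```python
"""Password storage: the weak pattern beside a hardened one.

Added example; record format, names and ITERATIONS are constructed here.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor; raise over time and migrate via needs_rehash()


def weak_hash(password):
    """Unsalted, fast, no work factor: the weak pattern A6 describes.
    Two accounts with the same password get the same digest, and one
    precomputed table covers every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Salted and slow; `salt` is only injectable so tests can be repeatable."""
    if salt is None:
        salt = secrets.token_bytes(16)  # per-password random salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(iterations, _b64(salt), _b64(digest))


def _parse(stored):
    """Return (iterations, salt, digest) or None for a malformed/unknown record."""
    try:
        scheme, iterations, salt, digest = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return None
        return int(iterations), base64.b64decode(salt), base64.b64decode(digest)
    except (ValueError, TypeError):
        return None


def verify_password(password, stored):
    parsed = _parse(stored)
    if parsed is None:
        return False  # unknown record: deny, never fall back to weak_hash()
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    # constant-time comparison so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a lower work factor than current policy.
    Call after a successful login and store hash_password() of the verified password."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    print("weak, identical for identical input:", weak_hash("Passw0rd") == weak_hash("Passw0rd"))
    record = hash_password("Passw0rd")
    print("hardened, differs per call:", record != hash_password("Passw0rd"))
    print("verifies:", verify_password("Passw0rd", record))
```

The same structure (per-password salt, tunable work factor, constant-time compare, rehash-on-login) carries over unchanged to bcrypt, scrypt or Argon2 if those libraries are available; the only thing that changes is the derivation call.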