AppSec California 2018

Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Abstract:
Tired of alert(‘xss’)? You want to learn advanced web hacking techniques, if you want to go beyond automated scanners and perform manual testing to bypass Filters and Web Application Firewalls (WAF) or you want to defend web applications, then this training is for you. This training covers and goes beyond OWASP TOP 10 and also covers secure coding practices recommended by OWASP.
This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one. 
This training starts with the basic web app hacking and then move into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack. 
This training covers both offensive and defensive approach towards web applications. Firstly training would cover how to use certain attack on web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code so that the attack would not have happened. It covers various mistakes made by developers and wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. . Also training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc. 
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code. 
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Training Outline: 

• Introduction
• User Enumeration
• Bypassing Password Verification 
• Information Leakage 
• HTTP Verb Tampering  
• Injection - iFrame Injection, LDAP Injection, CSS Injection, JSON Injection
• Cross Site Scripting (XSS) 
• Cross Site Request Forgery (CSRF)
• Clickjacking
• Insecure direct object reference (IDOR) 
• Open Redirects
• Server Side Request Forgery (SSRF)
• Server Side Includes Injection (SSI Injection)
• JavaScript Validation Bypass
• SQL Injection
• JSON Hijacking 
• Session Management and Cookie Stealing 
• HTML5 
• XML 
• Insecure System Configuration
• Database Security - MySql, SQL Server etc.
• Remote Command or OS Command Injection
• Path traversal 
• Local File Inclusion (LFI) 
• Remote File Inclusion (RFI) 
• Serialization Attacks 
• HTTP Response Splitting 
• MongoDB 
• CMS Attacks and Defenses - Wordpress, Drupal, Joomla
• Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
• Logical Flaws
• Filter Evasion and Bypassing Web Application Firewalls (WAF)
• OWASP Top 10 Attacks
• OWASP Secure Coding Practices
• and more ...

Upon the completion of this training, attendees will:

• This training brings attendees into a world of web hacking and secure coding
• Attendees will learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future
• They can test different CMS such as Wordpress, Drupal, Joomla as well as recent vulnerabilities 
• They can do secure code review as well as write secure code in multiple languages such as PHP, Java, C# etc.
• Attendees will get to know the common but dangerous coding mistakes done by the developers 
• They can think like developer as well as penetration tester

Attendees will be provided with:

• Multiple vulnerable applications
• Hosted VMs for testing and training labs.
• Over 50 labs and 30+ challenges to solve
• Training materials – presentation materials and lab examples
• Custom tools and scripts 
• Additional reading materials

Attendee requirements for this training:

• Modern laptop with wireless networking capabilities and have admin/root access on it. (64-bit Machine)
• Minimum 4 GB RAM installed
• At least 60 GB HD Free
• VMware Workstation / Fusion installed

Pre-requisites:
This course requires following pre-requisites:

• Web application development skills 
• Basic knowledge on HTTP, HTML and Scripting
• Reading and understanding of PHP, Java, C# Server-side Code (Optional)

Who should attend this training?

• Penetration Testers
• Security Consultants 
• Web Developers
• QA testers
• Web Application Tester
• System administrators
• IT Security professionals with a technical background
• IT managers
• System architects 
• Bug Bounty Hunters

Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


One Day Session
Presenters: Nicole Becher and Tanya Janca
Introduction to Hacking Web applications, APIs and Web Services with OWASP DevSlop
The OWASP DevSlop team are back!  This full day workshop will have two parts: introduction to application security, and web app scanning with OWASP ZAP in the morning, and manual testing of web services and APIs in the afternoon using Postman.  The DevSlop team will use the first phase of their open source project, a MEAN stack app called, Pixi, for API and Web Service testing and demonstrations, and a Ruby on Rails Application called Cyclone Transfers for the vulnerable web application scanning.  
Both parts of this workshop are appropriate for application developers or security practitioners, even with no prior knowledge of hacking.
Morning:
The “How to Hack Your Own Apps" workshop will start with a lesson that includes hands on demo of how to find security flaws, how they happen in the first place, and most importantly, how to fix them. If you've written a fast, beautiful application that meets all your requirements but it isn't secure, then it's not the best. This lesson will focus on helping developers find and fix their own security issues.
Once the lesson is over participants will set up their own machines to scan intentionally vulnerable applications, with support from Tanya and Nicole, to ensure everyone is finding security bugs before lunch.
Afternoon:
Modern applications often use APIs and other micro services to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presenting for participant's hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of it's vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.
What will be discussed?

• Web app, API and Web Service Hacking & OWASP Project DevSlop

What will attendees learn from attending this session?

• How to scan a basic web app and how to hack APIs and web services manually

Items attendees are required to bring with them

• A laptop with a web proxy and modern web browser (Chrome or FireFox are great). Admin Priv on your machine, and the ability to install software.  If possible, install VirtualBox or VMWare, Docker, GitHub and OWASP Zap on your machine in advance.  If you don’t have them, we will get them for you, don’t worry.  Windows and Mac OS are supported for this workshop, if you you have linux you’ll probably be fine, but we make no guarantees.  

Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.


Abstract:
Learn how to secure your AWS environment while building a TOR hidden service.  

Areas within AWS that will be covered:
1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it




The first part of each topic will bring the students up to speed followed by hands on exercises to put their knowledge to the test.  Each area covered focuses on core resources within AWS that need to be understood in order to successfully secure your AWS cloud environment.  In the end, students will build a multi-account AWS environment with restricted access and network routes and operate a TOR hidden service.