Posts Tagged ‘web’

Web Application Security training @ FRHACK

July 29th, 2009

I’m going to be delivering a Web Application Security training at FRHACK next September 2009! FRHACK is a highly technical, non-business conference that is going to be held in Besançon, France. The training is a two-day, hands-on class where the w3af project leader will train you in the techniques and methodologies needed to discover and exploit web application vulnerabilities.

Here is some extra information regarding the training:

Training name: Discovery and exploitation of web application vulnerabilities

Overview

This training course focuses on the manual and automated discovery and exploitation of web application vulnerabilities. During this course you will go through a series of lectures, each followed by hands-on practice. In each practice you will find vulnerabilities to exploit, each with a different level of complexity, which will challenge your understanding of the subject. After the hands-on practice, a short lecture is presented on how the vulnerability is fixed, together with the common errors developers introduce in that process.

The training will also teach you how to use the most advanced tools used by professionals in the field, like w3af (developed by the trainer), Burp Suite, sqlmap and many others.

Course Structure

This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities. All course materials and a certificate of completion will be provided. You must bring your own laptop.

Deliverables

- Training booklet with printed slides and trainer comments
- Live CD with Web Application Security Tools
- VMware image with the training environment
- w3af T-Shirt ;)

Audience

Security consultants, system and network administrators, experienced web application developers, information security officers, government agencies.

Topics Covered

  • Day One
    1. HTTP protocol review
      • Web architecture
      • HTTP headers and methods
      • HTTP authentication
      • HTTPS
      • Session management: cookies
    2. Common web server misconfigurations
      • Banners
      • Directory Indexing
      • HTTP authentication
      • HTTP method restrictions
    3. Common development and configuration errors
      • HTML comments and versioning
      • File inclusions
      • Backup and local database files
      • Hidden HTML Fields
      • Path Disclosure and directory enumeration
      • Exceptions and error messages
    4. Types of analysis
      • Static code analysis, black box testing and gray box testing:
        • Definitions
        • Vulnerabilities that can be detected
        • Vulnerabilities that CAN’T be detected
    5. Web Application Vulnerabilities
      • Reverse engineering of Java applets and Flash movies
      • Local file read
      • Local file inclusions
      • Path Traversal and Null Bytes
      • Remote file inclusions
      • Cross Site Scripting (XSS)
      • Cross Site Tracing
      • Cross Site Request Forgeries / Session Riding
      • HTTP Response Splitting
  • Day Two
    1. Web Application Vulnerabilities
      • Uncommon attack vectors
      • LDAP Injection
      • OS Commanding
      • SQL Injection:
        • Enumeration of tables and columns
        • Execution of queries and stored procedures
        • Creation of files
        • Execution of OS commands
      • Blind SQL Injection
    2. Web application privilege escalation
      • Session handling
      • Logical vulnerabilities
    3. Countermeasures
      • mod_security
      • Hardening for Java
        • HDIV
        • Spring Security
      • PHP hardening:
        • Secure configuration parameters
        • GRASP
        • PHP-IDS

andres.riancho | bonsai, conferences

CONFidence and OWASP CtF

June 3rd, 2009

For the 2009 edition of CONFidence and OWASP Europe, Bonsai helped with the development and organization of the Capture the Flag event. This post is a general description of the Capture the Flag game, and a “statistical analysis” of the results.

The game

The CtF levels were divided into three different categories: Web, Networking and Forensics. Each category had 5 levels of increasing difficulty that awarded the player 300 to 750 points. One of the features of this CtF was that players were able to play any level at any time: if players got stuck on the second level of the Web challenge but had a good idea about how to solve the fifth level of the same category, they were free to do so.

In order to be awarded the points, players had to solve each level to obtain the magic_token: a twelve-character-long password that proves they solved the level. Magic tokens then had to be entered into the CtF scoring system together with the username and password the player created at sign-up.

Access to the CtF was open during the whole conference, giving the players the opportunity to play at any time and place (WiFi access was also provided). In most cases CtF players formed teams and solved the different levels together to have a better chance of winning the prizes. You would think that creating a big team increases your chances of winning, which was true at the OWASP conference, where first and second place went to teams of more than five players; but at CONFidence a team of two managed to win the CtF!

[Image: scores]

The servers

To be able to run the CtF game, Andrzej Targosz provided us with two different servers:

  1. CtF scoring system: A simple Pentium IV box with 512MB of RAM, where we installed a stable Debian.
  2. CtF VMware server: A much more robust server, with 3GB of RAM and two dual-core 2.4GHz processors, where we installed a stable Debian with VMware Server to be able to run all the different levels that gave the user some kind of interaction with the operating system.

The VMware server was needed in order to host the different levels in isolation. In some levels the players had to obtain remote command execution, and we wanted to be totally sure that there was no way to read the source code of other levels, or gain any other advantage, by getting root on one of the level servers.

In the end we had a total of seven virtual machines running smoothly on the VMware server. The levels that required a virtual machine were Web 2, 3, 4 and 5, and Networking 1, 2 and 3 (grouped together), 4 and 5.

The results

For each conference we had three winners. The material prizes aren’t important; what these guys care about are the bragging rights, so here are the names of the winning teams at the OWASP conference:

  1. defrag_brains (6150)
  2. tripkaci (4900)
  3. FluxReiners (4200)

And the winners from the CONFidence conference:

  1. the0wners (6000)
  2. yellowfrogs (5700)
  3. korzen (5284)

The following statistics were created from the joint results of both CtF games:

[Chart: Easiest levels]

[Chart: Hardest levels]

Stay tuned: more information about the different levels, including the source code, is going to be posted here!

The conclusion

The whole experience of organizing the CtF was excellent. I learned a lot of nice technical tricks from the players, who interacted with me at all times (I think they were trying to social engineer me into giving them tips), and I made a couple of new friends.

I would like to thank Jaroslaw Sajko, the co-organizer of the CtF, for all his hard work on the servers.

andres.riancho | conferences

TOP 5 talks @ OWASP Poland

April 27th, 2009

I’ll be attending the OWASP conference in Poland next month, and I’ve already put together my TOP 5 list of talks:

  • The Truth about Web Application Firewalls: What the vendors do not want you to know by Wendel Guglielmetti Henrique, Trustwave & Sandro Gauci, EnableSecurity. I’ve been doing some WAF research of my own, and I would like to hear what these guys have to say about WAFs. I would like to know if Ivan Ristic is going to be there also… ;)
  • Advanced SQL injection exploitation to operating system full control by Bernardo Damele, the creator of sqlmap. I know he’s been doing some excellent research on getting OS control from SQL injections, and I want to hear all about that.
  • When Security Isn’t Free: The Myth of Open Source Security by Rob Rachwald, Fortify. This seems to be “one of those talks” where the speaker is so tainted that you won’t believe one word… but… I want to hear what he is going to say.
  • Exploiting Web 2.0 – Next Generation Vulnerabilities by Shreeraj Shah, Blueinfy. It’s always nice to hear the latest XSS stuff ;)
  • I thought you were my friend Evil Markup, browser issues and other obscurities by Mario Heiderich, Business-IN. I’ll attend this talk mostly to meet Mario and hear what he has to say about evil markup (?).

Between talks, I’ll be idling around and giving some w3af T-Shirts away, so pay attention!

andres.riancho | conferences

Two different trainings @ Confidence – Poland

April 22nd, 2009

Well, it seems that I’m going to be traveling a lot this year ;) I’ve just talked with the CONFidence conference organizers and we decided that it would be nice to deliver two different trainings at CONFidence:

Both trainings are hands-on and will be 7 hours long (with a one-hour meal break in between). The prices are really affordable, only 300€ each, so I expect a crowded class. Please register early because seats are limited!

I’m really looking forward to the w3af training; it’s going to be the first time I deliver that particular training at a conference. The adrenaline rush will be higher than usual, as I see more and more people getting interested in w3af as an everyday tool that they can use during their penetration test engagements.

admin | conferences