Web Application Security

Have you ever hacked a website? Have you ever stolen a database or executed unauthorized commands remotely on a server? Ever stolen a user account with JavaScript? But better yet: have you ever fixed security vulnerabilities? This great and fun hands-on experience with web application security is not only for beginners. It's a back-and-forth between attacking and protecting, discussing the quick-and-dirty fixes and comparing them to better architectural changes that prevent such mistakes in the future.

In this workshop you will learn how to fix and secure a horribly insecure classified ad application against the most common and severe attacks on web applications.

You’ll learn systematically about the most critical security vulnerabilities in web applications, and you will get plenty of well-guided hands-on experience in first finding a vulnerability, executing attacks, and finally fixing it once and for all. Step by step we’ll secure the application and you’ll see how easy it is to avoid critical mistakes. You’ll learn and understand concepts and principles, rather than a certain framework or language. Although we’ll hack and protect a Java application, every concept is technology independent and can be directly transferred to .NET, PHP, or other technologies. You don’t even have to know any Java to have fun and learn a lot in this workshop!

Agenda

  • Introduction to OWASP
  • SQL Injection
  • Authentication (including and beyond passwords)
  • Cracking and securing passwords
  • Securing your cookies from the cookie monster
  • TLS
  • Command Injection
  • Cross Site Scripting (XSS)
  • Insecure Deserialization
  • XML External Entity Attacks
  • Session Hijacking and Session Fixation
  • Input Validation vs. Output Escaping
  • Cross Site Request Forgery
  • Same Origin Policy
  • Security Headers (CSP, CORS, and many, many more)
  • Clickjacking
  • Tools (sqlmap, OWASP ZAP, …)
  • Authorization (Access Control)

Prerequisites

You should be familiar with at least one programming language, and have at least a basic understanding of the terms HTTP, HTML, browser, client, and server.

Requirements

You’ll need your own laptop with administrative privileges, including pre-installed VirtualBox (VMware Workstation or VMware Player should also work, but you’ll know more about it than I do).

About the Speaker