2016 BASC Training

We would like to thank our speakers for donating their time and effort to help make this conference successful.

In this hands-on workshop, I will help the participants to set up an “efficient” environment for fast web and mobile application penetration testing. Instead of using traditional ready-to-go penetration testing distributions like Kali Linux, I will focus on setting the environment in Windows and Mac OS. After all, a browser and an intercepting proxy is all we need for most manual penetration testing tasks. Setting up a virtual machine and getting it working correctly can be difficult for beginners. I want to keep this simple and painless!

The topics that will be covered are:


 * 1) Preparing Chrome browser by creating a separate pen-testing profile and then installing foxyproxy for quickly switching proxies. I will also talk about how they can use Chrome’s extremely powerful developer tools for getting insights about the application.
 * 2) Installing and setting up OWASP ZAP to start intercepting and modifying the traffic. This    section involves installing the root CA certificate in the browser’s certificate store. I will also cover Burp Suite if time permits. The reason I am focusing on OWASP ZAP is because it's free, awesome and some features which are really necessary for painless pen-testing are not present in free edition of Burp Suite. For mobile, I will talk about steps in setting up an Android device for penetration testing mobile apps. (Live demo for Android if time permits)
 * 3) The third step involves demonstration on a real world application listed on a bug bounty program and then helping the participants understand the traffic. I will show some tricks for focusing on important traffic such as setting up scope using the “context” feature in ZAP, using filters etc.
 * 4) The last and most important section will focus on sharing resources that I have gathered over last 2 years from twitter and security blogs. For people completely new to this domain, I will suggest a “study path”. I will talk about awesome books, blogs, bug bounty programs and some more tricks for painless pen-testing like using Gmail’s alias for creating test accounts and password managers for managing passwords.