OWASP AppSec India Conference 2008 Application Security Assessment (Threats And Exploits)


Application Security Assessment (Threats and Exploits)

As a corporation, you may already have various security solutions in place, such as firewalls and IDS, to defend corporate assets, but access to ports http (80) and https (443) is still allowed all the time. This is the layer where applications run and where attackers look for vulnerabilities to gain unauthorized access. Published research and surveys suggest that 7 out of every 10 sites are vulnerable to various application-layer attack vectors. Over 70% of cyber attacks target web ports; that is where strong security measures are required, and the best way to start is with a strong knowledge base around security issues, strategies and defense tactics.

This workshop is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum to address new challenges. The class features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to a variety of attack vectors and exploits. In the class, the instructor will explain new tools such as wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits. Below is a list of the topics that will be covered in this workshop:

  • Application Security Fundamentals and Principles
  • Application Components and Protocols
  • Application footprinting and discovery
  • Application Attack countermeasures
  • Assessment methods
  • Reconnaissance and Vulnerability Assessment
  • Fuzzing and Exploitation
  • Web Services attacks
  • Forcing application layer errors
  • Information leakage through error messages
  • Source code disclosure
  • Input tampering and input validation attacks
  • SQL injection and attacks on the database
  • Injecting malicious code and remote command execution
  • Accessing the underlying file system
  • Brute forcing HTTP authentication
  • Brute forcing HTML form authentication
  • Session Hijacking
  • Cross Site Scripting (XSS) attacks
  • Cross Site Request Forgery (XSRF) attacks
  • XPATH injection
  • XML and Schema poisoning
  • Blind SQL injection
  • XSS proxy attacks
  • Browser hijacking
  • Intranet scanning
  • Javascript exploitation

About Instructor

Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, an application security company. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books such as Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’Reilly and HNS. His work has been quoted as expert opinion on BBC, Dark Reading and Bank Technology.

Shreeraj has been instrumental in product development, researching new methodologies and designing training. He has performed several security consulting assignments in the areas of penetration testing, code review, web application assessment, security architecture review and project management.