OWASP AppSec DC 2012/Training/Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA
Course Length: 1 Day
Enterprise application source code, independent of language and platform, is a major source of vulnerabilities. The class focuses on enterprise architecture and application analytics to discover vulnerabilities across Web 2.0, RIA and HTML5. We will cover analysis techniques, with tools, for assessing and reviewing enterprise application source code. Knowing source code review methodologies and strategies for analysis is essential. The emphasis of the class is on developing a complete understanding of source code analysis techniques and tools to address the most common vulnerabilities. The knowledge gained will help in analyzing and securing next-generation enterprise applications at every stage: architecture, design and development. The course is designed and delivered by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", who brings his experience in application security and research to the curriculum.
Class will be demo driven.
Laptop Required: No
Students Need to Bring: No
Audience: Technical
Skill Level: Basic
The objectives are as follows:
Detecting the OWASP Top 10 and CWE Top 25 errors and vulnerabilities, mapped to the newer technology stack.
Enhancing your ability to understand enterprise application frameworks and structures in the context of newer technologies.
Dealing with the different protocols and structures of an enterprise environment during vulnerability assessment.
Detecting in source code attack vectors such as DOM-based XSS, Flash/Flex-based XSS, SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), path traversal, session hijacking, LDAP/XPath/command injection, buffer overflows, input validation bypasses, database attacks, Ajax exploits, web services attack vectors, etc.
Using tools and writing scripts for source code analysis and vulnerability mapping.
Code review methodologies: spidering the code, enumerating blocks and identifying modules.
Scanning for vulnerabilities and analysis through function and method signature mapping, entry point identification, data access layer calls, and tracing of variables and functions.
Decomposing assemblies to discover further security vulnerabilities, and structured analysis.
Key security aspects and domains of enterprise security such as authentication, authorization, session management, use of cryptography and error handling.
Defense plans and strategies; secure objects, functions and wrappers.
Detecting vulnerabilities in advanced technologies such as Ajax, Rich Internet Applications (RIA) and SOA.
XML and web services security: attacks on SOAP, XML-RPC and REST, and secure coding against them.
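As an added illustration of the spidering, entry point identification and variable tracing steps listed above (example code written for this page, not material from the course or its author), here is a toy analyser for a Python/Flask-style code base. It enumerates the functions in each file, records where attacker-controlled input enters, follows the tainted variable through assignments, and flags dangerous calls whose first argument is still tainted. The request.args.get style entry points, the sanitizer list and the sink list are assumptions made for the demo, and the two sample files are constructed, not taken from a real project.

```python
"""Toy source-code spider for a Python/Flask-style code base: enumerate functions,
record entry points, trace tainted variables, flag sinks. Tables below are demo assumptions."""
import ast

# Calls whose result is attacker-controlled (assumed Flask-style request API).
ENTRY_POINTS = {"request.args.get", "request.form.get", "request.cookies.get"}
# Calls assumed to neutralise taint for the sinks below.
SANITIZERS = {"int", "float", "os.path.basename", "shlex.quote"}
# Dangerous calls whose FIRST argument must not be tainted (a parameter tuple
# passed as the second argument of cursor.execute is the safe form).
SINKS = {"cursor.execute": "SQL injection", "os.system": "Command injection",
         "eval": "Code injection", "open": "Path traversal"}

def dotted_name(node):
    """os.path.basename -> 'os.path.basename'; chains not rooted in a Name -> None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def names_in(node):
    """Plain identifiers referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def calls_entry_point(node):
    return any(isinstance(n, ast.Call) and dotted_name(n.func) in ENTRY_POINTS
               for n in ast.walk(node))

class Tracer(ast.NodeVisitor):
    def __init__(self, filename, report):
        self.filename, self.report, self.tainted = filename, report, set()

    def visit_FunctionDef(self, node):
        # Module enumeration: record each function; taint does not cross functions here.
        self.report["functions"].append((self.filename, node.name, node.lineno))
        self.tainted = set()
        self.generic_visit(node)

    def visit_Assign(self, node):
        targets = set().union(*(names_in(t) for t in node.targets))
        value = node.value
        if isinstance(value, ast.Call) and dotted_name(value.func) in SANITIZERS:
            self.tainted -= targets      # uid = int(request.args.get("id")) is clean
        elif calls_entry_point(value) or (names_in(value) & self.tainted):
            self.tainted |= targets      # taint flows through +, % and f-strings
        else:
            self.tainted -= targets      # a clean reassignment kills the taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ENTRY_POINTS:
            self.report["entry_points"].append((self.filename, node.lineno, name))
        elif name in SINKS and node.args:
            bad = names_in(node.args[0]) & self.tainted
            if bad:
                self.report["findings"].append(
                    (self.filename, node.lineno, SINKS[name], name, ",".join(sorted(bad))))
        self.generic_visit(node)

def analyze(files):
    """files: {filename: source}. Spider every file into one report dict."""
    report = {"functions": [], "entry_points": [], "findings": []}
    for filename, source in files.items():
        Tracer(filename, report).visit(ast.parse(source, filename=filename))
    return report

# Constructed sample "code base" for the demo (not real project code).
SAMPLE_FILES = {
    "users.py": '''
def get_user(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s" % uid)   # vulnerable
def get_user_safe(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parameterised
''',
    "files.py": '''
import os
def download(request):
    name = request.args.get("name")
    path = "/var/www/uploads/" + name
    return open(path).read()                 # path traversal
def ping(request):
    host = request.form.get("host")
    os.system("ping -c 1 " + host)            # command injection
''',
}

if __name__ == "__main__":
    for item in analyze(SAMPLE_FILES)["findings"]:
        print("%s:%d  %s via %s(%s)" % item)
```

The analysis is deliberately intra-procedural and syntactic: it does not follow taint across function calls, through object attributes, or into templates, so a real review still has to walk the data access layer and framework glue by hand. What it does show is the shape of the scripted pass the objectives describe: map the modules, list the entry points, and only then ask which sink each tainted variable reaches.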