AppSec Europe 2014

Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API’s from various languages and frameworks that provide production quality and scalable security controls.

This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.

This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

• 
  Insecure file storage
  
  


• 
  Keychain attacks
  
  


• 
  Insecure transport security
  
  


• 
  Run-time attacks
  
  


• 
  Cycript
  
  


• 
  Injection attacks
  
  


• 
  IPC handlers
  
  


• 
  Man-in-the-middle attacks
  
  


• 
  Defeating jailbreak and other defensive detection and prevention routines
  
  Attendees will gain theoretical and practical experience of:
  
  

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps
  
  


• 
  How to hack UIWebviews, IPC handlers, client-side SQL databases, the
  
  keychain and the App runtime
  
  


• 
  Real-world, 2014 techniques used to defeat real Apps on iOS7!
  
  


• Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

• 
  Theory
  
  


• 
  Introduction to the Android security model
  
  


• 
  Black box assessment approach
  
  


• 
  Reverse engineering applications
  
  


• 
  Introduction to Android malware
  
  


• 
  Android Man-in-the-Middle
  
  


• 
  Stolen device reviews
  
  


• 
  Analysis/Assessment/Attack and Defence
  
  


• 
  IPC end points
  
  


• 
  JavaScript Bridges
  
  


• 
  Mobile Substrate
  
  


• 
  File permission attacks
  
  


• 
  Tap jacking
  
  


• 
  Android Sandbox 
  
  

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:

• OWASP Top-10 and OWASP projects - how to use within your organisation


• Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)


• Benchmarking & Maturity Models


• Security Strategy


• Organisational Design and managing change for global information security programs


• SDLC


• Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers


• Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide


• Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia

All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Attendee takeaways and key learning objectives

• how to effectively build and run a global information security function


• strengthening web and application security using OWASP projects


• improving web & application security for organisations from green-field level to very sophisticated security organisations 

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

• 
  Introduction to Web Application Security Assessment (Chapters 1-3)
  
  


• 
  Automating Bespoke Attacks: Practical hands-on experience with Burp
  
  Suite (Chapter 13)
  
  


• 
  Application mapping and bypassing client-side controls (Chapters 4-5)
  
  


• 
  Failures in Core Defense Mechanisms: Authentication, Session
  
  Management, Access Control, Input Validation (Chapters 6-8)
  
  


• 
  Injection and API flaws: (Chapters 9-10)
  
  


• User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  
  


• 
  How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  
  


• 
  Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
  
  


• 
  The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  
  


• 
  Harnessing new technologies such as HTML5, NoSQL, and Ajax
  
  


• 
  New attack types and techniques: Bit Flipping, Padding Oracle, Automated
  
  Access Control checking
  
  


• How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 

• Understand the problem of Injection Flaws 


• Learn a variety of advanced exploitation techniques which hackers use 


• learn how to fix these problems 

Understand JavaScript and HTML5 Features to Secure Your Client-side Code 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are: 

•The HTML5 and JavaScript Risk Landscape 
•Storage of Sensitive Data 
•Secure Cross-domain Communications 
•Implementing Secure Dataflow 
•JSON-related Techniques 

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs. 

Objectives 

After successfully completing this course, you will: 

•Apply HTML5 Defensive Programming Techniques. 
•Apply JavaScript Defensive Programming Techniques. 
•Apply JSON Defensive Programming Techniques. 
•Consider Common Assessment Approaches.

SSL/TLS as used today has more and more problems and it's difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL, how it works i. g., what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Topics

The course will be a hands-on-training showing by example how to check the established SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. A great amount of tools will be explained and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and such.

The explained tools are for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:

• 
  checking for special SSL settings
  
  


• 
  check multiple servers at a time
  
  


• 
  customizing the results
  
  


• 
  using private SSL-libraries
  
  


• 
  customizing o-saft itself
  
  


• or simple debugging of various SSL connection problems.

The purpose of this course is to provide a tool set for checking SSL to the participants and teach the participants how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-site view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL such as sslsniff, ssltrap and a like or exploiting vulnerabilities. Instead it should give developers an idea how to use SSL securely and give system architects, administrator or operational people hints how to set-up and configure SSL in a proper secure way. 



Technical Requirements

The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:

• 
  openssl (1.0.1e or newer)
  
  


• 
  perl (5.8 or newer), on windows system Strawberry perl is recommended
  
  


• 
  Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)
  
  

python (2.7) optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

 

Others

All other used tools are open source and available during the course. The participants are reliable on their own for accepting and following the license rules of each tool. 

Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API’s from various languages and frameworks that provide production quality and scalable security controls.

This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.

This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

• 
  Insecure file storage
  
  


• 
  Keychain attacks
  
  


• 
  Insecure transport security
  
  


• 
  Run-time attacks
  
  


• 
  Cycript
  
  


• 
  Injection attacks
  
  


• 
  IPC handlers
  
  


• 
  Man-in-the-middle attacks
  
  


• 
  Defeating jailbreak and other defensive detection and prevention routines
  
  Attendees will gain theoretical and practical experience of:
  
  

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps
  
  


• 
  How to hack UIWebviews, IPC handlers, client-side SQL databases, the
  
  keychain and the App runtime
  
  


• 
  Real-world, 2014 techniques used to defeat real Apps on iOS7!
  
  


• Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

• 
  Theory
  
  


• 
  Introduction to the Android security model
  
  


• 
  Black box assessment approach
  
  


• 
  Reverse engineering applications
  
  


• 
  Introduction to Android malware
  
  


• 
  Android Man-in-the-Middle
  
  


• 
  Stolen device reviews
  
  


• 
  Analysis/Assessment/Attack and Defence
  
  


• 
  IPC end points
  
  


• 
  JavaScript Bridges
  
  


• 
  Mobile Substrate
  
  


• 
  File permission attacks
  
  


• 
  Tap jacking
  
  


• 
  Android Sandbox 
  
  

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:

• OWASP Top-10 and OWASP projects - how to use within your organisation


• Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)


• Benchmarking & Maturity Models


• Security Strategy


• Organisational Design and managing change for global information security programs


• SDLC


• Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers


• Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide


• Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia

All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Attendee takeaways and key learning objectives

• how to effectively build and run a global information security function


• strengthening web and application security using OWASP projects


• improving web & application security for organisations from green-field level to very sophisticated security organisations 

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

• 
  Introduction to Web Application Security Assessment (Chapters 1-3)
  
  


• 
  Automating Bespoke Attacks: Practical hands-on experience with Burp
  
  Suite (Chapter 13)
  
  


• 
  Application mapping and bypassing client-side controls (Chapters 4-5)
  
  


• 
  Failures in Core Defense Mechanisms: Authentication, Session
  
  Management, Access Control, Input Validation (Chapters 6-8)
  
  


• 
  Injection and API flaws: (Chapters 9-10)
  
  


• User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  
  


• 
  How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  
  


• 
  Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
  
  


• 
  The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  
  


• 
  Harnessing new technologies such as HTML5, NoSQL, and Ajax
  
  


• 
  New attack types and techniques: Bit Flipping, Padding Oracle, Automated
  
  Access Control checking
  
  


• How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 

• Understand the problem of Injection Flaws 


• Learn a variety of advanced exploitation techniques which hackers use 


• learn how to fix these problems 

Understand JavaScript and HTML5 Features to Secure Your Client-side Code 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are: 

•The HTML5 and JavaScript Risk Landscape 
•Storage of Sensitive Data 
•Secure Cross-domain Communications 
•Implementing Secure Dataflow 
•JSON-related Techniques 

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs. 

Objectives 

After successfully completing this course, you will: 

•Apply HTML5 Defensive Programming Techniques. 
•Apply JavaScript Defensive Programming Techniques. 
•Apply JSON Defensive Programming Techniques. 
•Consider Common Assessment Approaches.

SSL/TLS as used today has more and more problems and it's difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL, how it works i. g., what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Topics

The course will be a hands-on-training showing by example how to check the established SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. A great amount of tools will be explained and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and such.

The explained tools are for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:

• 
  checking for special SSL settings
  
  


• 
  check multiple servers at a time
  
  


• 
  customizing the results
  
  


• 
  using private SSL-libraries
  
  


• 
  customizing o-saft itself
  
  


• or simple debugging of various SSL connection problems.

The purpose of this course is to provide a tool set for checking SSL to the participants and teach the participants how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-site view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL such as sslsniff, ssltrap and a like or exploiting vulnerabilities. Instead it should give developers an idea how to use SSL securely and give system architects, administrator or operational people hints how to set-up and configure SSL in a proper secure way. 



Technical Requirements

The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:

• 
  openssl (1.0.1e or newer)
  
  


• 
  perl (5.8 or newer), on windows system Strawberry perl is recommended
  
  


• 
  Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)
  
  

python (2.7) optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

 

Others

All other used tools are open source and available during the course. The participants are reliable on their own for accepting and following the license rules of each tool. 

 

This one day hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: Authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL-Injection, CSRF, Clickjacking, Command Injection, Path Traversals, SSRF, Session Attacks like Session Fixation, etc. and continue to more specialized security holes (covering XML like XXE Attacks and XPath Injections as well as REST-ful interfaces, JSON and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding several security headers (CSP and more) and considering encryption techniques.

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

• 
  Insecure file storage
  
  


• 
  Keychain attacks
  
  


• 
  Insecure transport security
  
  


• 
  Run-time attacks
  
  


• 
  Cycript
  
  


• 
  Injection attacks
  
  


• 
  IPC handlers
  
  


• 
  Man-in-the-middle attacks
  
  


• 
  Defeating jailbreak and other defensive detection and prevention routines
  
  Attendees will gain theoretical and practical experience of:
  
  

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps
  
  


• 
  How to hack UIWebviews, IPC handlers, client-side SQL databases, the
  
  keychain and the App runtime
  
  


• 
  Real-world, 2014 techniques used to defeat real Apps on iOS7!
  
  


• Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

• 
  Theory
  
  


• 
  Introduction to the Android security model
  
  


• 
  Black box assessment approach
  
  


• 
  Reverse engineering applications
  
  


• 
  Introduction to Android malware
  
  


• 
  Android Man-in-the-Middle
  
  


• 
  Stolen device reviews
  
  


• 
  Analysis/Assessment/Attack and Defence
  
  


• 
  IPC end points
  
  


• 
  JavaScript Bridges
  
  


• 
  Mobile Substrate
  
  


• 
  File permission attacks
  
  


• 
  Tap jacking
  
  


• 
  Android Sandbox 
  
  

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model. The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organization’s maturity wrt. software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain ! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.

After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Requirements

This training requires a good amount of interactivity and common-sense. No specific technical requirements are set forth. 

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

• 
  Introduction to Web Application Security Assessment (Chapters 1-3)
  
  


• 
  Automating Bespoke Attacks: Practical hands-on experience with Burp
  
  Suite (Chapter 13)
  
  


• 
  Application mapping and bypassing client-side controls (Chapters 4-5)
  
  


• 
  Failures in Core Defense Mechanisms: Authentication, Session
  
  Management, Access Control, Input Validation (Chapters 6-8)
  
  


• 
  Injection and API flaws: (Chapters 9-10)
  
  


• User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  
  


• 
  How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  
  


• 
  Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
  
  


• 
  The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  
  


• 
  Harnessing new technologies such as HTML5, NoSQL, and Ajax
  
  


• 
  New attack types and techniques: Bit Flipping, Padding Oracle, Automated
  
  Access Control checking
  
  


• How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 

• Understand the problem of Injection Flaws 


• Learn a variety of advanced exploitation techniques which hackers use 


• learn how to fix these problems 

Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed. 

Contents

The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or a different applications:

• XML and SOAP-based Web Services

• 
  XML Schema and WS-Policy
  
  


• 
  WS-Addressing und WS-Addressing Spoofing
  
  


• 
  XML Parsing (DOM vs SAX)
  
  


• 
  XML-specific Denial-of-Service Attacks
  
  


• 
  XML Security and WS-Security
  
  ◦ Why not SSL/TLS?
  
  


• 
  XML Signature
  
  ◦ ID-based and XPath-based XML Signatures
  
  ◦ XMLSignatureWrappingAttacks
  
  


• 
  XML Encryption
  
  ◦ Attacks on symmetric encryption
  
  ◦ Attacks on asymmetric encryption
  
  


• 
  WS-Attacker
  
  


• 
  SAML-based Single-Sign On
  
  ◦ Attacks 
  
  

Requirements

• 
  A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported. 
  
  

This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

• 
  PHP Platform Security
  
  


• 
  The PHP Application Risk Landscape
  
  


• 
  Secure Design Principles
  
  


• 
  Defensive Programming Techniques in PHP
  
  


• Secure PHP Architecture and Configuration

Objectives

After successfully completing this course, students will:

• 
  Comprehend the PHP Platform
  
  


• 
  Appreciate the Risks Affecting PHP Applications
  
  


• 
  Write Secure Web Applications Using PHP
  
  


• 
  Design and Architect Secure PHP Applications
  
  


• Configure Your PHP Applications Securely

Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course. 

This one day hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: Authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL-Injection, CSRF, Clickjacking, Command Injection, Path Traversals, SSRF, Session Attacks like Session Fixation, etc. and continue to more specialized security holes (covering XML like XXE Attacks and XPath Injections as well as REST-ful interfaces, JSON and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding several security headers (CSP and more) and considering encryption techniques.

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

• 
  Insecure file storage
  
  


• 
  Keychain attacks
  
  


• 
  Insecure transport security
  
  


• 
  Run-time attacks
  
  


• 
  Cycript
  
  


• 
  Injection attacks
  
  


• 
  IPC handlers
  
  


• 
  Man-in-the-middle attacks
  
  


• 
  Defeating jailbreak and other defensive detection and prevention routines
  
  Attendees will gain theoretical and practical experience of:
  
  

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps
  
  


• 
  How to hack UIWebviews, IPC handlers, client-side SQL databases, the
  
  keychain and the App runtime
  
  


• 
  Real-world, 2014 techniques used to defeat real Apps on iOS7!
  
  


• Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

• 
  Theory
  
  


• 
  Introduction to the Android security model
  
  


• 
  Black box assessment approach
  
  


• 
  Reverse engineering applications
  
  


• 
  Introduction to Android malware
  
  


• 
  Android Man-in-the-Middle
  
  


• 
  Stolen device reviews
  
  


• 
  Analysis/Assessment/Attack and Defence
  
  


• 
  IPC end points
  
  


• 
  JavaScript Bridges
  
  


• 
  Mobile Substrate
  
  


• 
  File permission attacks
  
  


• 
  Tap jacking
  
  


• 
  Android Sandbox 
  
  

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model. The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organization’s maturity wrt. software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain ! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.

After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Requirements

This training requires a good amount of interactivity and common-sense. No specific technical requirements are set forth. 

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

• 
  Introduction to Web Application Security Assessment (Chapters 1-3)
  
  


• 
  Automating Bespoke Attacks: Practical hands-on experience with Burp
  
  Suite (Chapter 13)
  
  


• 
  Application mapping and bypassing client-side controls (Chapters 4-5)
  
  


• 
  Failures in Core Defense Mechanisms: Authentication, Session
  
  Management, Access Control, Input Validation (Chapters 6-8)
  
  


• 
  Injection and API flaws: (Chapters 9-10)
  
  


• User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

• 
  How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  
  


• 
  How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  
  


• 
  Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
  
  


• 
  The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  
  


• 
  Harnessing new technologies such as HTML5, NoSQL, and Ajax
  
  


• 
  New attack types and techniques: Bit Flipping, Padding Oracle, Automated
  
  Access Control checking
  
  


• How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 

• Understand the problem of Injection Flaws 


• Learn a variety of advanced exploitation techniques which hackers use 


• learn how to fix these problems 

Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed. 

Contents

The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or a different applications:

• XML and SOAP-based Web Services

• 
  XML Schema and WS-Policy
  
  


• 
  WS-Addressing und WS-Addressing Spoofing
  
  


• 
  XML Parsing (DOM vs SAX)
  
  


• 
  XML-specific Denial-of-Service Attacks
  
  


• 
  XML Security and WS-Security
  
  ◦ Why not SSL/TLS?
  
  


• 
  XML Signature
  
  ◦ ID-based and XPath-based XML Signatures
  
  ◦ XMLSignatureWrappingAttacks
  
  


• 
  XML Encryption
  
  ◦ Attacks on symmetric encryption
  
  ◦ Attacks on asymmetric encryption
  
  


• 
  WS-Attacker
  
  


• 
  SAML-based Single-Sign On
  
  ◦ Attacks 
  
  

Requirements

• 
  A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported. 
  
  

This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

• 
  PHP Platform Security
  
  


• 
  The PHP Application Risk Landscape
  
  


• 
  Secure Design Principles
  
  


• 
  Defensive Programming Techniques in PHP
  
  


• Secure PHP Architecture and Configuration

Objectives

After successfully completing this course, students will:

• 
  Comprehend the PHP Platform
  
  


• 
  Appreciate the Risks Affecting PHP Applications
  
  


• 
  Write Secure Web Applications Using PHP
  
  


• 
  Design and Architect Secure PHP Applications
  
  


• Configure Your PHP Applications Securely

Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course.