This year we had the opportunity to attend both the conference and a training session of OWASP AppSec Europe 2018 which took place in London from 2nd to 6th of July 2018.
Please bear in mind that this is not a complete review of the event. In this post we describe what OWASP AppSec is about, our experience, and give feedback for the training session we attended.
OWASP APPSEC EU
OWASP AppSec EU is an annual conference held in Europe for people who are interested in application security (e.g. developers, pentesters, etc). The event includes talks (both technical and non-technical), training sessions, and a variety of other activities such as Capture The Flag (CTF).
This year the training sessions took place from 2nd to 4th of July, while the main conference spanned two days from 5th to 6th of July.
Starting with the training sessions, the following seven (7) training courses were available:
- 3-Day Training: Exploiting Websites by using offensive HTML, SVG, CSS and other browser-evil by Mario Heiderich
- 3-Day Training: Practical DevSecOps: Continuous Security in the age of cloud by A. Imran Mohammed and Raghunath Gopinath
- 3-Day Training: Advanced Web Hacking - Black Belt edition by Sumit Siddharth, Sunil Yadav and Sudhanshu Chauhan
- 2-Day Training: Web Application Security Essentials by Fabio Cerullo
- 2-Day Training: Pentesting the modern application stack by Francis Alexander and Bharadwaj Machiraju
- 2-Day Training: Automated Defense using serverless for AWS, Azure and GCP by Madhu Akula & Subash Sn
- 1-Day Training: Access Control for Rest API’s by Johan Peeters and Michael Boeynaer
After examining the contents of each training course, I was torn between Exploiting Websites by using offensive HTML, SVG, CSS and other browser-evil by Mario Heiderich and Advanced Web Hacking - Black Belt edition by Sumit Siddharth, Sunil Yadav and Sudhanshu Chauhan from NotSoSecure. I chose the 3-day Advanced Web Hacking - Black Belt edition because I was looking for a course that focuses on server-side flaws, and this one looked like a great opportunity.
The training focused on specific areas of application security and on advanced vulnerability identification and exploitation techniques, especially for server-side flaws. It gave me the opportunity to identify and exploit vulnerabilities that usually go undetected by modern automated application scanners and whose exploitation techniques are not widely known. My favourite quote is “A fool with a tool is still a fool”, and I wanted to expand my knowledge and skills in identifying and exploiting web application vulnerabilities without relying on automated scanners.
The course was quite intense and covered many vulnerabilities and attacks, including the following:
- Authentication & Authorization
  - Token Hijacking
  - SAML / OAuth 2.0 / Auth-0 / JWT
  - Mass Assignment
- Password Reset Attacks
  - Cookie Swap
  - Host Header Validation Bypass
- Known Plaintext
- Padding Oracle
- Hash Length Extension
- Business Logic Flaws
  - Replay attacks
- XML External Entity (XXE)
  - XXE through SAML
  - XXE in file parsing
  - Advanced XXE exploitation over Out-of-Band (OOB) channels
- SQL Injection
  - Second Order
  - SQLi exploitation over OOB channels
  - SQLi via Crypto
- Remote Code Execution (RCE)
  - RCE via SQLi
  - PHP object injection
  - Node.js RCE
  - Ruby/ERB template injection
  - RCE over OOB channels
- Server-Side Request Forgery (SSRF)
- Unrestricted File Upload
  - Malicious File Extensions
  - Circumventing File validation checks
- HTTP Parameter Pollution (HPP)
In addition to the above, the course included very interesting case studies and a collection of weird XSS and CSRF attacks. For more information regarding the course outline please see here.
All attendees were given lab access via VPN and a Kali VM. The course included demos for all topics and we were given the chance to get our hands dirty and go through exercises in order to exploit the vulnerabilities explained and demonstrated by the instructors. After the training session, we were also given a 2-week free lab access for more practice time.
First of all, one of the main reasons for choosing this course was that it was not aimed at beginners. My goal was not to learn what SQL Injection or Cross-Site Scripting (XSS) is. Instead, I was aiming for advanced exploitation techniques, and one of the prerequisites was that attendees were expected to have a good prior understanding of the OWASP Top 10 risks to gain maximum value from the class. There are not many advanced web hacking courses out there, and I can say with confidence that this course was indeed advanced. Although I had previously seen most of the attacks and vulnerabilities during Penetration Testing engagements and Capture The Flag (CTF) competitions, I learned a few new things, and the course gave me the opportunity to get my hands dirty and have some fun.
The course was extremely well organized and the lab developed by NotSoSecure was fantastic. The lab consisted of a few intentionally vulnerable custom web applications that we had to exploit to complete the exercises. There were no issues and the lab worked like a charm.
The instructors were really good; they were able to answer all questions and they knew their stuff. They explained and demonstrated everything step-by-step, which helped in clarifying a few things. I had some trouble understanding some of the crypto material (not my favourite topic), and they were willing to join me for lunch and help me understand it, so kudos to them.
It should be noted that all material, including slides, cheatsheets, and exercise answers, was given to all attendees, which was nice as I can refer back to it in case I forget something.
I would highly recommend this course to fellow Penetration Testers!
The conference was structured into the following four (4) main tracks:
In addition to the main tracks, there were also four (4) talks from keynote speakers:
- The Perimeter Has Been Shattered: Attacking and Defending Mobility and IoT on the Enterprise Network (Georgia Weidman)
- Winning - the future perspective in the next 20 years! (Andrew van der Stock)
- XSS is dead. We just don’t get it. (Mario Heiderich)
- Perimeter-less: Engineering the future of Defense (Allison Miller)
We attended all presentations from the keynote speakers and, after examining the talks of each track, we decided to join the Hacker track, which included talks on interesting subjects such as HTTP/2, XSS, testing iOS apps without jailbreak, and WAF bypass techniques. For the complete list of talks please see here.
The presentations of the “Hacker” track were very interesting and we learned a lot of new things that we will probably apply to real-world Penetration Testing engagements in the future. Our only regret is that we could not attend more tracks as the talks were happening at the same time. Hopefully, next year we will have the opportunity to attend some talks from the DevOps track.
Overall this was a fantastic experience which allowed us to further bolster our knowledge of application security, learning from some of the people who are at the forefront of this topic. We had the opportunity to network and meet people from other companies, teams, and vendors. We also had the chance to meet some of the OWASP Foundation staff, who were extremely helpful! We highly recommend this event to anyone interested in application security. We would like to thank the OWASP Foundation for organizing such a fantastic event and we look forward to seeing you there next year!