Hacking Web App Security

As part of Bob Allen's Code Craftman Saturdays, we had Shanti Suresh present a hands on workshop at Pillar Technology's Forge 4.0 location in Ann Arbor.

Her class shed some light onto what cool computer hackers mean when they say they are going to hack into a system.
Bob Allen and Shanti Suresh


For this workshop,  which ran 5 keyboard hours we started with an introduction to the different terms such as

Phase 1 : Introduction to security 

Shanti spoke about when and why security became an important aspect of application development and gave a brief overview of the following.
  • Security
  • Authentication
  • Authorization
Next we got down and dirty.

Phase 2 : Setting up with Zap

Using primarily two tools, WebGoat 6.0.1  and Zap (beware of using Zap... it makes your computer vulnerable when connected to an external network or internet) we were able to do some sql injection and bypass security.

We setup Zap to intercept traffic both to and from the server such as 


Phase 3 : Hacking Requests and Responses

The exercises involved deep dives into the following :

  1. Cross site scripting where you redirect the content from WebGoat to another url.
  2. XSS flaws and how we can try to detect them.
  3. Hijacking the user's current session








Comments

Post a Comment

Popular posts from this blog

Simple MVC3/Razor Fileupload and Storage

Recently I had to add a simple fileupload control in an MVC3 Razor page. It wasn't very difficult to do, thanks to System.Web.Helpers and Microsoft.Web.Helpers. To begin... if you don't have Microsoft.Web.Helpers, find and install through NuGet. pm > Install-Package microsoft-web-helpers Next in your Razor view add the following : @using Microsoft.Web.Helpers @{ ViewBag.Title = "Upload Files"; } @using (Html.BeginForm("Upload","Upload", FormMethod.Post, new { @encType = "multipart/form-data" })) { @FileUpload.GetHtml(initialNumberOfFiles:1, allowMoreFilesToBeAdded:true, includeFormTag:false, addText:"Add Files", uploadText: "Upload File") < input type="submit" name="submit" text="upload" /> } Next in your Upload Controller add the following. The submit button on the Razor page submits the form to the Upload
Read more

Book Summary : How to fail at almost everything and still win big

This is a summary of Scott Adam's book "How to fail at almost everything and still win big". Scott has most likely failed at more things than the average person. This is because he tries his hand at new skills and businesses which in term lead him to big successes such as the Dilbert series.  Major takeaways from the book Let energy be your indicator Decide on what you do based on your energy. If you feel something excites you, let that be the indicator to do more of it. Chances of success are higher on these projects. Goals vs Systems He bluntly says goals are for losers. Goals are specific objectives while systems are to be followed on regular basis. “Losing 10 pounds” is a goal, “eating healthier” is a system. Focus on better systems rather than goals. Systems oriented people feel good every time they follow the system, goals oriented are always busy chasing their goals and once they have attained it feel miserable (and start looking for another one). There are
Read more