Hacking Web App Security

As part of Bob Allen's Code Craftman Saturdays, we had Shanti Suresh present a hands on workshop at Pillar Technology's Forge 4.0 location in Ann Arbor.

Her class shed some light onto what cool computer hackers mean when they say they are going to hack into a system.
Bob Allen and Shanti Suresh


For this workshop,  which ran 5 keyboard hours we started with an introduction to the different terms such as

Phase 1 : Introduction to security 

Shanti spoke about when and why security became an important aspect of application development and gave a brief overview of the following.
  • Security
  • Authentication
  • Authorization
Next we got down and dirty.

Phase 2 : Setting up with Zap

Using primarily two tools, WebGoat 6.0.1  and Zap (beware of using Zap... it makes your computer vulnerable when connected to an external network or internet) we were able to do some sql injection and bypass security.

We setup Zap to intercept traffic both to and from the server such as 


Phase 3 : Hacking Requests and Responses

The exercises involved deep dives into the following :

  1. Cross site scripting where you redirect the content from WebGoat to another url.
  2. XSS flaws and how we can try to detect them.
  3. Hijacking the user's current session








Comments

Post a Comment

Popular posts from this blog

Simple MVC3/Razor Fileupload and Storage

Recently I had to add a simple fileupload control in an MVC3 Razor page. It wasn't very difficult to do, thanks to System.Web.Helpers and Microsoft.Web.Helpers. To begin... if you don't have Microsoft.Web.Helpers, find and install through NuGet. pm > Install-Package microsoft-web-helpers Next in your Razor view add the following : @using Microsoft.Web.Helpers @{ ViewBag.Title = "Upload Files"; } @using (Html.BeginForm("Upload","Upload", FormMethod.Post, new { @encType = "multipart/form-data" })) { @FileUpload.GetHtml(initialNumberOfFiles:1, allowMoreFilesToBeAdded:true, includeFormTag:false, addText:"Add Files", uploadText: "Upload File") < input type="submit" name="submit" text="upload" /> } Next in your Upload Controller add the following. The submit button on the Razor page submits the form to the Upload
Read more

Execution is Everything : An Agile Coaching Story

Prologue: Never in a million years did I think I was going to enjoy teaching/coaching of any kind until a few years ago. My younger son was in third grade and trying out for the travel basketball team in our town that was know to have  a very strong basketball following. We were there on time and as the tryouts proceeded, I sat by the bleachers, cringing as he under performed. The kid was neither fast nor accurate. After a grueling two hours, we knew he was not going to be picked. Prior to this, I'd thought he was going to do well. He had a passion for the game and would shoot hoops every spare moment he had. That was not enough for today's competition. He could have used an adult to have trained him. A personal coach. He needed to be taught the fundamentals of the game and ball handling. Since his father was not around to do this, I decided I had to play a bigger part in making it happen. The boy loved the game and I wanted to make sure he had all the help he could get to
Read more