Presentation: Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities

Thursday 9 a.m.–12:20 p.m.

Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities

Mike Pirnat, David Stanek

Audience level:: Intermediate
Category:: Web Frameworks

Description

The Internet is a dangerous place, filled with evildoers out to attack your code for fun or profit, so it's not enough to just ship your awesome new web app--you have to take the security of your application, your users, and your data seriously. You'll get into the mindset of the bad guys as we discuss, exploit, and mitigate the most common web app security flaws in a controlled environment.

Abstract

We'll discuss each kind of the most prevalent security flaws at the theoretical level, then using a specially-crafted, deliberately vulnerable Django app, individuals or pairs will carry out exploits against these flaws, and we'll illustrate solutions to mitigate each kind of attack.

We'll be using the OWASP Top 10 as our topic roadmap, addressing topics such as:

Injection attacks
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Insecure Direct Object References
Insecure Cryptographic Storage
Failure to Restrict URL Access
Unvalidated Redirects and Forwards
Security Misconfiguration
Broken Authentication and Session Management

You'll want to set your brain to "devious" mode; you'll also need a laptop with Python 2.7 (or a buddy you can pair with). Having pip and virtualenv will be useful too, as will having Git installed to pull down the code we'll be working with.

Attendees should have some experience with Python, Javascript, and SQL, and should have at least a passing familiarity with Django (eg, previously attending a Django tutorial or working through the online tutorial).

Update: See updated tutorial preparation instructions at Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities