Wednesday 1:20 p.m.–4:40 p.m.
Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities
Mike Pirnat, David Stanek
- Audience level:
- Intermediate
- Category:
- Security
Description
Abstract
We'll discuss each kind of the most prevalent security flaws at the theoretical level, then using a specially-crafted, deliberately vulnerable Django app, individuals or pairs will carry out exploits against these flaws, and we'll illustrate solutions to mitigate each kind of attack.
We'll be using the OWASP Top 10 as our topic roadmap, addressing issues such as:
- Injection Attacks
- Broken Authentication & Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function-Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
You'll want to set your brain to "devious" mode; you'll also need a laptop with Python 2.7 or 3.3 (or a buddy you can pair with). Having pip and virtualenv will be useful too, as will having Git installed to pull down the code we'll be working with.
Attendees do not need prior security experience; this tutorial is aimed at intermediate web developers who are interested in gaining hands-on experience with simple forms of the most common attacks. Attendees should have some experience with Python, Javascript, and SQL, and may benefit from at least a passing familiarity with Django (eg, previously attending a Django tutorial or working through the online tutorial).
Student Handout
No handouts have been provided yet for this tutorial