I was lucky enough to attend a web application security event hosted in the Queen's Ashby Building in Belfast last night. Run by the Belfast chapter of OWASP, the event was a practical session in using tools to look for vulnerabilities in specially crafted pages accessed through a learning portal. If you are not familiar with OWASP (Open Web Application Security Project) – they aim to educate developers and security staff to probe for and understand common (and not so common) attack methods and flaws that affect web applications.
This was the first of their events I have attended and, judging by the turnout and the enthusiasm of the attendees, this will not be the last. I was impressed by the willingness of attendees to help each other and, if, like me, web app development is not your everyday occupation, this was much appreciated. The exercises were varied and increased in complexity as you progressed through them. The platform used for the training is Security Shepherd, which you can find much more detail on here, and I highly recommend that you take a look either online or through the VM which you can download for your own network environment.
Sadly, three hours was not enough time and I will be covering the remaining parts of the training offline. Here's looking forward to another event like this in Belfast!!
The Security Shepherd project covers the following web and mobile application security topics:
- SQL Injection
- Broken Authentication and Session Management
- Cross Site Scripting
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Unvalidated Redirects and Forwards
- Poor Data Validation
- Insecure Data Storage
- Unintended Data Leakage
- Poor Authentication and Authorisation
- Broken crypto
- Client Side Injection
- Lack Of Binary Protections