AppSecUSA 2015

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvsla2YxMUN2VU4yTDA&usp=sharing
Please download before arriving at the conference!

In one hour, we will teach you how to install, configure and protect your web application using ModSecurity. You will learn the basics, starting from configuring the WAF in detection mode, using the OWASP ModSecurity Core Rule Set to writing your own custom rules. We will also provide examples of negative and positive security models, create simple virtual patches to fix vulnerabilities and block confidential data from being leaked.

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslZUw1RDhXX0UwVVU&usp=sharing
Please download before arriving at the conference!

The basic problem of XSS has been known at least since the year 2000.
Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport level rewriting and heterogeneous client-side processing (which is commonly know under the term "the Web") is too complex to allow a robust SDL-based solution to succeed.

Content Security Policy (CSP) is a highly promising, new way to address this old problem. The currently established approach to counter XSS is trying to identify untrusted data and attempting to prevent that this data influences the semantics of the application's JavaScript. CSP breaks away from this practice: Instead of spotting bad scripts, CSP allows the server to precisely tell the Web browser, which scripts are actually allowed to run, thus, enabling the browser to robustly stop all injection attempts. This way, by the means of a simple policy, the fast majority of XSS vulnerabilities can be efficiently

In this lightning training, the fundamental mechanisms of CSP are covered:

* Protection capabilities and surface of CSP
* How to design strong CSP policies
* How to build CSP compliant web applications
* Using CSP's reporting functionality

To do so, the students work with a insecure legacy Web application (which is provided in the form of a virtual box image). After the practical identification of several XSS problems, the students will first deploy a strong CSP policy to prevent exploitation. Then, subsequently the students will use CSP's reporting mode to iteratively adopt the policy (and parts of the application code) to match the application's functionality requirements. Finally, after deploying the policy, the students can test themselves, that the previously found vulnerabilities are indeed mitigated. 

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslT19XS2xPUWF2QnM&usp=sharing
Please download before arriving at the conference!

OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example ecommerce application to demonstrate how to utilise the card game. After a brief introduction, attendees will split into smaller groups to play the game. Participants of this session will gain insights into relevant web application threats, learn how to use the card game with their own colleagues subsequently, and find out the most important aspects to obtain the greatest benefits for security requirements definition, and/or threat modelling, and/or security training.

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslcEp4dGJKcV9xdG8&usp=sharing
Please download before arriving at the conference!

The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their value or interpret vendor claims. The OWASP Benchmark contains over 20,000 test cases that are fully runnable and exploitable.

This training class will provide attendees with details of how the Benchmark was developed, what the tests cover, and how to use it to evaluate tools. Students will be able to download a VM with the entire Benchmark fully installed and ready to go. They will be able to compile all the tests, run tools against the benchmark, and generate scorecards for all the tools they run. The scorecards describe how each tool did, as well as allow for quick comparisons between the tools. The VM will include numerous open source security vulnerability detection tools they can use in the class, and if they have access to commercial vulnerability detection tools, they can use those as well.

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslRXhxUkZhNUJNYVU&usp=sharing
Please download before arriving at the conference!

Want to learn the basics of Web App pen testing? Or would you prefer to develop new advanced pen testing tricks? Join the us for the lightning Security Shepherd Web Application training session that will bring attendees up to speed on all the latest and greatest security testing techniques that are a concern in the industry today. Compete against other participants and solve increasingly complex security puzzles derived from real world security threats. Attendees will leave with a real familiarity of web application pen testing best practice, terminology, workflow's and commonly used tool kits.

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslTVlzSXNYalVLX3c&usp=sharing
Please download before arriving at the conference!

The training will cover security testing concepts for enterprise messaging applications. An example JMS based application hosted on ActiveMQ messaging broker will be used to for the hands on training. Open source JMSDigger will also be used leveraged.
The training will cover the following concepts:
1. Enterprise messaging basics
2. Attacks on Queues and Topics
3. Testing authentication, authorization with JMS API
4. Discuss additional attack scenarios

This is the live and hands on version of Jason's Defcon talk "How to Shot Web: Web and Mobile Hacking in 2015". Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, scripts, and tips make you better at hacking websites and mobile apps. Whether you're trying to claim those bug bounty prizes or find high level vulnerabilities faster or more efficiently, this talk is for you! Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in.

Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslUXVMSEt6aXlCUVk&usp=sharing
Please download before arriving at the conference!

Fiddler Web Debugging Tool is a free tool created by Eric Lawrence and it is great for troubleshooting issues and capture HTTP/HTTPS traffic. Due tot he extensible model it provides, and the features on top of it, Fiddler can be used as an excellent tool for Web Application Security Testing, some of the features are :

1. Capture HTTP/HTTPS traffic.
2.HTTP Parameter Tampering
3. Filters to setup breakpoints on HTTP POST
4.Autoresponders.
5. Modify the raw byte response
6. Extensible model to build inspector and create rules

Lab material available for download here: 
https://drive.google.com/folderview?id=0Bwov3aDFEjiETzBmTl9udlM1RU0&usp=sharing
Please download before arriving at the conference!

Android is the leading Operating system. It is used not just in Smartphones / Tablet but also is used as base for interactive Television, gaming console and lot more systems. The obvious resultant is that there is a large focus towards developing applications for this platform and to maintain its security. This is one hour crash course on “By passing root detection” on android based dummy internet banking app, This dummy internet banking application has features such as adding a beneficiary account, fund transfer, view statements, OTP, Pin sign-in, etc. to provide attendees a real world application scenario.

Android APK file architecture and Setting up the emulator.
Reversing the APK file package
Understanding, patching smali code (JAVA – Class – Dex – smali – APK)
Bypass the business logic for the root detection

Who Should Attend
- Security Professionals
- Mobile Application Developers
- People interested to start into Android security
- Web Application Pentesters
- Beginners mobile app malware auditor

What to expect :
- Getting started with Android Security
- Reversing and Auditing of Android applications
- Hands-on on Finding vulnerabilities and patching the binary