How to hack your own apps!

An introduction to the concept of hacking a web application.

Hands-on workshop (interactive)

Abstract

Everyone knows that the earlier you fix a bug, the cheaper and easier it is to fix; this rings true for security bugs as well. This talk will argue that security needs to start at the beginning of every project, and, focusing on the development phase, that the ability to find the most common security issues needs to be put into the developer's hands.
This talk will include a hands-on demo of how to find security flaws, an explanation of the flaws, and, most importantly, how to fix them. If you've written a fast, beautiful application that meets all your user requirements but isn't secure, then it's not done yet. This talk will enable you to write the best code possible, by making your code secure!

Following the talk will be a workshop where participants will launch a VM in VirtualBox, learn to use OWASP ZAP (the free vulnerability scanner / web proxy), and scan a web application for themselves with the help of the instructor. Participants need a laptop with permission to run a VM, 8 GB of hard drive space for the VM itself, and either VirtualBox installed or permission to install it themselves.

Audience background

This workshop is appropriate for application developers or security practitioners, with no prior knowledge of hacking.

Benefits of participating

Audience members will learn how to hack web apps, and by doing that learn how to write more secure applications in the future.

Materials provided

A virtual machine that contains all the files below, including the DevSlop Pixi application and the Cyclone Web Transfers web app, pre-configured. We also provide the files below in case some students cannot run the VM for whatever reason.
Install files (Windows and Mac) of: VirtualBox, OWASP ZAP, Postman, Docker, GitHub

Process

First, Tanya will talk for approximately 30 minutes, with questions, about why the security of software matters and how it works.
I will demonstrate how our application works and what some of its faults are.
I will demonstrate how to use OWASP ZAP.
We will set everyone up to ensure they are running the virtual machines.
I will have everyone scan the app with ZAP, then we will discuss the report.

Detailed timetable

30 mins: talk and demo
The rest of the time: everyone scanning with ZAP and discussing the report.

Outputs

All of the software we use during our workshop is open source, so participants are free to take it home. We will continue to release new training material and new components of our project to hack, so the relationship does not need to end after the workshop is over.

History

Here's our project page:
https://www.owasp.org/index.php/OWASP_DevSlop_Project

Presenters

  1. Tanya Janca
    Microsoft