ctrl-alt-Development

Your hotkey to alternative software development


5 November 2015

Review and Hack Workshop

This workshop was presented at NLJUG JFall 2015 on November 5th. It teaches participants how to analyse source code for vulnerabilities and how to demonstrate the issues they find.

Review and Hack workshop at NLJUG JFall 2015

Is your web application secure? How can you tell?

Code review for security issues is one way, but what do you look for? And, more interestingly, how do you prove that a finding really is a security issue?

This workshop provides you with the source code of a Java web application that is full of security holes, and guides you through finding and exploiting them.

Some of the topics covered in this workshop are:

  • SQL Injection
  • Cross Site Scripting
  • Validation and Normalization issues
  • ID Guessing
  • XML Processing and External Entities
  • Regular Expression Denial of Service
  • Common Configuration problems
  • Tools that (don't) help you

At the end of the workshop you will have hands-on knowledge of the most commonly made security mistakes: you will know where they live in the source code and how to demonstrate them!

The workshop is based on the NCSC Security Guideline for Web Applications and extended to cover the OWASP Top 10 2013.

Practical Notes

Please bring a laptop or pair with someone. Make sure you have a working Maven 3+ / Java 7+ development environment, or have VirtualBox installed.

Prerequisites:
