Asanka Fernandopulle and I conducted a corporate-level workshop on Application Security. This workshop covered areas such as application security threats, secure coding practices, application penetration testing and web application exploitation. The workshop mainly consisted of practical sessions and demonstrations. You can find all the presentations here.
2. Basics of Application Security
• HTTP and HTTPS
• Symmetric key
• Asymmetric key
• Session key
• Analyzing a certificate
• Sniffing HTTP and HTTPS
• Calomel plugin
1/1/2013 99X Technology(c) 2
3. Basics of Application Security
• Man in the middle
• Analyzing browser requests
• Analyzing server response
• HTTPS communication
• HTTPS and S-HTTP
4. Basics of Application Security
• What OWASP does
• Builders, Breakers and Defenders
5. Web Application penetration testing
• Basic web testing methodology
• Vulnerability, Threat and Exploit
• Developer level application security overview
6. Web Application penetration testing
• Application Security frameworks
• Before development begins
• During definition and design
• During development
• During deployment
• Maintenance and operations
12. Secure Authentication
• Parameter tampering
• Bypass HTML Field restrictions
• Exploit hidden fields
• Bypass client side JavaScript validation
• Coding controls for Parameter Tampering
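The parameter-tampering slide above lists the attacks (rewriting hidden fields, bypassing HTML field restrictions and client-side JavaScript checks) and then "coding controls". The block below is an added example, not code from the workshop: it shows a vulnerable order handler that trusts a hidden price field next to a handler that treats every client-supplied value as untrusted input and re-validates it server-side. The catalog, the quantity limit and the four sample form submissions are constructed for illustration.

```python
"""Server-side controls against parameter tampering (added example)."""
from decimal import Decimal

# Constructed server-side catalog: the real price lives here, never in the form.
CATALOG = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("249.00"),
}
MAX_QTY = 10  # the same limit the HTML maxlength / JavaScript enforces client-side


class TamperingError(ValueError):
    """Raised when a submitted value could only come from a modified request."""


def price_order_trusting_client(form):
    """Vulnerable: takes the hidden 'price' field at face value, so an
    intercepting proxy that rewrites price=0.01 buys the item for 0.02."""
    qty = int(form.get("qty", 0))
    return Decimal(form["price"]) * qty


def parse_quantity(raw):
    """Re-validate what the client-side JavaScript 'already checked'."""
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        raise TamperingError(f"quantity is not an integer: {raw!r}")
    if not 1 <= qty <= MAX_QTY:
        raise TamperingError(f"quantity out of range: {qty}")
    return qty


def price_order(form):
    """Hardened: only 'sku' and 'qty' are read, and both are validated.

    'price', 'discount' or any other hidden field is ignored because the
    client controls it; the total is recomputed from the server-side catalog.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperingError(f"unknown sku: {sku!r}")
    qty = parse_quantity(form.get("qty"))
    return {"sku": sku, "qty": qty, "total": CATALOG[sku] * qty}


# Constructed submissions: the honest one, one with the hidden price field
# rewritten, and two where the client-side quantity check was bypassed.
HONEST_FORM = {"sku": "SKU-200", "qty": "2", "price": "249.00"}
TAMPERED_FORM = {"sku": "SKU-200", "qty": "2", "price": "0.01"}
OVER_LIMIT_FORM = {"sku": "SKU-100", "qty": "9999"}
NEGATIVE_FORM = {"sku": "SKU-100", "qty": "-3"}

if __name__ == "__main__":
    print("trusting client:", price_order_trusting_client(TAMPERED_FORM))
    print("server-side price:", price_order(TAMPERED_FORM))
    for bad in (OVER_LIMIT_FORM, NEGATIVE_FORM):
        try:
            price_order(bad)
        except TamperingError as err:
            print("rejected:", err)
```

The hardened handler produces the same total for the honest and the tampered form because the client's price never enters the calculation; the out-of-range quantities are rejected even though the HTML field restrictions would normally have stopped them in the browser.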
13. Secure Authentication
• Access control flaws
• Using an Access control matrix
• Bypass a path based access control scheme
• Bypass data layer access control
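The access-control slide above names two bypasses: a path-based scheme that matches the raw URL, and a data layer that looks objects up by the identifier the client supplies. The block below is an added example, not the workshop's code. It shows the naive path check next to one that decodes and normalises the path before matching, and a naive order lookup next to one that makes ownership part of the query. The "/admin/" prefix rule, the orders table and the user ids are constructed for illustration.

```python
"""Path-based and data-layer access control checks (added example)."""
import posixpath
import sqlite3
from urllib.parse import unquote


# --- path-based access control ---------------------------------------------

def is_admin_path_naive(raw_path):
    """Vulnerable: compares the raw request string, so '/public/../admin/users'
    and '/%61dmin/users' are not recognised even though the router will serve
    the admin resource for both."""
    return raw_path.startswith("/admin/")


def canonicalize(raw_path):
    """Decode once, reject anything still encoded, then normalise so the check
    sees the same path the router and filesystem will."""
    path = unquote(raw_path)
    if "%" in path:
        raise ValueError("double-encoded path rejected")
    # A single leading '/' pins the path to the root so '..' cannot climb above
    # it; strip first, because posixpath keeps exactly two leading slashes.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_admin_path(raw_path):
    canon = canonicalize(raw_path)
    return canon == "/admin" or canon.startswith("/admin/")


# --- data-layer access control --------------------------------------------

def make_orders_db():
    """Constructed in-memory table: order 1 belongs to user 10, order 2 to user 20."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders(id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, 10, "laptop"), (2, 20, "phone")])
    return conn


def get_order_naive(conn, order_id):
    """Vulnerable: trusts the id from the URL; any logged-in user reads any order."""
    return conn.execute("SELECT item FROM orders WHERE id=?",
                        (order_id,)).fetchone()


def get_order(conn, session_user_id, order_id):
    """Ownership is part of the query, so a foreign id simply returns nothing.
    session_user_id comes from the server-side session, never from the request."""
    return conn.execute("SELECT item FROM orders WHERE id=? AND owner_id=?",
                        (order_id, session_user_id)).fetchone()


if __name__ == "__main__":
    for p in ("/public/../admin/users", "/%61dmin/users", "//admin/users"):
        print(p, "naive:", is_admin_path_naive(p), "canonical:", is_admin_path(p))
    db = make_orders_db()
    print("user 10 reads order 2, naive:", get_order_naive(db, 2))
    print("user 10 reads order 2, checked:", get_order(db, 10, 2))
```

The canonicalisation deliberately rejects any path that still contains a percent sign after one decode; that is stricter than most routers, but it closes the double-encoding variant of the same bypass.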
14. Injections
• SQL injection classes
• In band
• Out of band
• Inferential
15. Injections
• Techniques to exploit SQL injections
• Union operator
• Boolean
• Error based
• Out of band
• Time delay
16. Injections
• Standard SQL injection testing
• SELECT * FROM Users WHERE Username='$username' AND Password='$password'
• Numeric SQL injection
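The three injection slides above list the classes (in-band, out-of-band, inferential), the techniques (UNION, boolean, error-based, time delay) and the standard login query with string-built parameters. The block below is an added example, not the workshop's code, and uses an in-memory SQLite database with a constructed Users table and a constructed Products table. It builds the slide's query exactly as shown, bypasses it with the classic ' OR '1'='1 input, shows the numeric variant where no quote is needed, and then uses the vulnerable login as a true/false oracle for boolean-based (inferential) extraction of the stored password; the parameterized versions beside each show the fix.

```python
"""SQL injection against the slide's login query, and the fix (added example)."""
import sqlite3
import string


def make_db():
    """Constructed tables; the plaintext password is only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users(Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE Products(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(1, "pen"), (2, "notebook"), (3, "stapler")])
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query built by string interpolation: input becomes SQL."""
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bind parameters: input is only ever data."""
    row = conn.execute("SELECT * FROM Users WHERE Username=? AND Password=?",
                       (username, password)).fetchone()
    return row is not None


def product_vulnerable(conn, product_id):
    """Numeric injection: no quotes to break out of, so '1 OR 1=1' lists every row."""
    return conn.execute(
        f"SELECT name FROM Products WHERE id={product_id}").fetchall()


def product_safe(conn, product_id):
    """Type-check the id and bind it; '1 OR 1=1' fails at int() before reaching SQL."""
    return conn.execute("SELECT name FROM Products WHERE id=?",
                        (int(product_id),)).fetchall()


def infer_password(conn, username, max_len=32):
    """Boolean-based (inferential) injection: every probe is a login attempt
    whose success or failure answers one yes/no question about the password."""
    length = next(
        n for n in range(1, max_len + 1)
        if login_vulnerable(conn, f"{username}' AND length(Password)={n} --", "x"))
    found = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_letters + string.digits:
            probe = f"{username}' AND substr(Password,{pos},1)='{ch}' --"
            if login_vulnerable(conn, probe, "x"):
                found += ch
                break
    return found


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, payload, payload))
    print("parameterized login bypassed:", login_safe(db, payload, payload))
    print("numeric injection rows:", product_vulnerable(db, "1 OR 1=1"))
    print("inferred password:", infer_password(db, "alice"))
```

The `--` in the probes comments out the trailing `AND Password='x'` of the slide's query, which is why the password argument is irrelevant during inference; the same probes with a time-delay function in place of the boolean condition give the time-based variant listed on slide 15.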
24. Session Management
• Check your cookies
• Cookie collection
• Cookie reverse engineering
• Cookie manipulation
• Hijack a session
• Spoof an authentication cookie
• Session fixation
25. Session Management
• How developers work on session handling
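The two session-management slides above cover cookie collection, reverse engineering, manipulation, spoofing an authentication cookie and session fixation, then the developer's side of session handling. The block below is an added example, not the workshop's code: it shows a base64-encoded authentication cookie being decoded and rewritten to gain an admin role, an HMAC-signed cookie that rejects the same edit, and a login routine that never adopts a session id the client arrived with. The signing key, the cookie layout and the in-memory session store are assumptions for illustration.

```python
"""Cookie reverse engineering, cookie spoofing and session fixation (added example)."""
import base64
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # assumed server-side signing key, never sent to clients


# --- the weak design: an encoded but unsigned cookie ------------------------

def weak_cookie(user, role):
    """Base64 is encoding, not protection: anyone can decode, edit and re-encode."""
    return base64.b64encode(f"user={user};role={role}".encode()).decode()


def parse_weak_cookie(cookie):
    text = base64.b64decode(cookie).decode()
    return dict(part.split("=", 1) for part in text.split(";"))


def forge_admin_cookie(cookie):
    """What an attacker does after reverse engineering the cookie layout."""
    fields = parse_weak_cookie(cookie)
    return weak_cookie(fields["user"], "admin")


# --- the fix: an HMAC-signed cookie -----------------------------------------

def signed_cookie(user, role):
    payload = f"user={user};role={role}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def parse_signed_cookie(cookie):
    """Return the fields, or None when the signature does not match the payload."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return dict(part.split("=", 1) for part in payload.decode().split(";"))


def forge_signed_cookie(cookie):
    """Same role edit as above; the old signature no longer matches the payload."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(payload_b64).decode()
    payload = payload.replace("role=user", "role=admin")
    return base64.urlsafe_b64encode(payload.encode()).decode() + "." + sig_b64


# --- session fixation: never adopt a session id the client brought ----------

SESSIONS = {}  # assumed in-memory session store


def login(username, presented_sid=None):
    """On successful authentication, drop any pre-login id and mint a fresh one,
    so an id planted by an attacker before login never becomes authenticated."""
    SESSIONS.pop(presented_sid, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


if __name__ == "__main__":
    weak = weak_cookie("alice", "user")
    print("forged weak cookie accepted as:", parse_weak_cookie(forge_admin_cookie(weak)))
    signed = signed_cookie("alice", "user")
    print("forged signed cookie parses as:", parse_signed_cookie(forge_signed_cookie(signed)))
    print("fixation attempt kept attacker id:", login("alice", "attacker-chosen") == "attacker-chosen")
```

Signing stops manipulation and spoofing but not replay: a stolen signed cookie still hijacks the session until it expires, so the cookie should also carry Secure and HttpOnly flags and a short lifetime.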
26. Code Quality
• Code quality breach
• Discover clues in the HTML
27. Cross Site Scripting
• Scripting types
• Reflected cross site scripting (non-persistent XSS)
• Stored cross site scripting (second-order XSS)
• DOM based cross site scripting (type-0 XSS)
28. Cross Site Scripting
• Reflected cross site scripting (non-persistent XSS)
• Testing for reflected XSS
• Reflected XSS
29. Cross Site Scripting
• Bypass XSS filters
• Tag Attribute Value
• Different syntax or encoding
• Bypassing non-recursive filtering
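The three XSS slides above move from testing for reflected XSS to bypassing filters by tag attribute values, alternative syntax or encoding, and non-recursive filtering. The block below is an added example, not the workshop's code: it implements a typical blocklist filter that strips script tags once, shows the nested-tag, case and event-handler payloads that get past it, shows that re-applying the filter closes only the first of those, and then shows output encoding for both text and attribute context, which neutralises all of them. The template strings and payloads are constructed for illustration.

```python
"""Reflected XSS: why a blocklist filter fails and what output encoding does (added example)."""
import html
import re

_SCRIPT_TAG = re.compile(r"</?script>")  # case-sensitive, as naive filters often are


def filter_once(value):
    """Non-recursive filter: strips <script> and </script> a single time."""
    return _SCRIPT_TAG.sub("", value)


def filter_recursive(value):
    """Re-applies the filter until nothing changes. Closes the nesting trick
    but still misses every other tag, attribute and case variant."""
    while True:
        stripped = filter_once(value)
        if stripped == value:
            return value
        value = stripped


def render_unsafe(name):
    """Reflects the request parameter straight into the page."""
    return f"<p>Hello {name}</p>"


def render_escaped(name):
    """HTML text context: <, >, & and quotes become entities, so the browser
    shows the payload as text instead of parsing it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attr_unsafe(value):
    """Attribute context: a double quote in the value closes the attribute."""
    return f'<input value="{value}">'


def render_attr_escaped(value):
    """quote=True also encodes \" and ', so the value cannot close the
    attribute and introduce an event handler."""
    return f'<input value="{html.escape(value, quote=True)}">'


# Constructed payloads, one per bypass class on the slides
NESTED = "<scr<script>ipt>alert(1)</scr</script>ipt>"   # non-recursive filtering
CASE = "<ScRiPt>alert(1)</ScRiPt>"                        # different syntax
IMG = '<img src=x onerror="alert(1)">'                   # no script tag at all
ATTR = '" onfocus="alert(1)" autofocus="'               # tag attribute value

if __name__ == "__main__":
    print("nested, one pass :", filter_once(NESTED))       # a working script tag
    print("nested, recursive:", filter_recursive(NESTED))
    print("case variant     :", filter_once(CASE))          # untouched
    print("img handler      :", filter_once(IMG))           # untouched
    print("text escaped     :", render_escaped(NESTED))
    print("attr unsafe      :", render_attr_unsafe(ATTR))
    print("attr escaped     :", render_attr_escaped(ATTR))
```

The filter removes what it recognises and leaves the rest; the nested payload is built so that what is left is exactly the tag the filter was meant to remove. Encoding at output time, matched to the HTML context, does not depend on recognising the payload at all, which is why it is the control rather than the filter.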