PRE-CONFERENCE WORKSHOPS 03-04 October, 2018


Grand Hyatt, Kochi, India

Workshop Registration: 08:30AM to 09:30AM

Workshops: 9:30AM to 5:00PM

WS-1

ARM EXPLOITATION 101


speaker Sneha Rajguru & Prajwal Panchmahalkar

WS-2

ATTACKING & AUDITING DOCKER CONTAINERS


speaker Madhu Akula

WS-3

ATTACKING WEAK CRYPTO IMPLEMENTATIONS


speaker Ajit Hatti

WS-4

BUILDING A REAL-WORLD ATTACK MONITORING SOLUTION BY THE ELK STACK


speaker Himanshu Kumar Das & Prajal Kulkarni

ARM Exploitation 101

by Sneha Rajguru & Prajwal Panchmahalkar


WORKSHOP OBJECTIVE

ARM architecture-based systems are on the rise and seen in almost every hand-held or embedded device. The increasing popularity and growth of the Internet of Things (IoT) have allowed widespread use of ARM architecture. As with any other thing in this world, increasing popularity and usage brings new security challenges and attacks. This workshop aims to provide an introduction to ARM architecture, assembly and explore intermediate level exploitation techniques on ARM along with hands-on examples and challenges.

This session is aimed at security professionals and personnel who possess general security knowledge and wish to enter the field of ARM exploitation.

The attendees will walk away with basic knowledge and skills of ARM Architecture, Assembly, and Exploitation techniques.

The workshop will provide a base for the attendees to develop exploit research expertise on ARM-based platforms.

COURSE CONTENT (ToC)

  • Introduction to ARM CPU
    • Architecture
    • Registers
    • Modes of Operations
  • ARM Assembly Language
    • Instruction Set
  • Introduction to ARM functions and working
  • Debugging on ARM
  • Stack Overflow on ARM
  • How to write a shellcode
  • How to reverse a shellcode

PREREQUISITE

  • Participants are not expected to have any prior knowledge of ARM architectures, but familiarity with C and the Linux command line will be useful.

PARTICIPANTS REQUIREMENTS

  • Laptop with VirtualBox installed
  • Hard disk: minimum 20 GB of free space
  • RAM: 4 GB

WHO SHOULD ATTEND

Anyone who wants to learn ARM reverse engineering.

WHAT TO EXPECT

  • Hands-on Labs, Perform basic reversing exercises.

SPEAKERS

Sneha Rajguru

Sr. Security Consultant, Payatu Software Labs LLP, India

Her interests lie in web and mobile application security and fuzzing. She has discovered various security flaws within various open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided trainings at various conferences such as DEFCON, BSides LV, BSidesVienna, OWASP AppSec USA, DeepSec, DefCamp, FUDCon, and Nullcon. Sneha is passionate about promoting and encouraging Women in Security and has founded an initiative called WINJA-CTF through which she hosts women-only CTFs and Workshops at conferences and other events. Sneha is also active in the local security community and hosts local security meetups in Pune. She leads the Pune chapter of null community.

Prajwal Panchmahalkar

Lead Security Engineer, VMware

Prajwal Panchmahalkar is a lead security engineer at VMware Inc. He has contributed to public security research and has been the Development Lead for Matriux since 2009. In the past he was a Research Assistant at Texas Tech University working on Security of Critical Infrastructure and Smart Grid Energy Systems, with a journal paper published on Elsevier. He was a Finalist for America's Information Security Leadership Award 2012 (AISLA) by (ISC)2. Previously, Prajwal was a speaker at BSidesLV and GrrCon. He was a chapter lead for n|u Hyderabad, an open security community. Prajwal holds a Masters degree in Computer Science from Texas Tech University at Lubbock.

Attacking & Auditing Docker Containers

by Madhu Akula


WORKSHOP ABSTRACT

Developers and Operations teams (DevOps) have moved towards containers and modern technologies. Attackers are catching up with these technologies and finding security flaws in them. In this workshop, we will look at how we can test for security issues and vulnerabilities in Dockerised environments. Throughout the workshop we will learn how we can find security misconfigurations, insecure defaults and container escape techniques to gain access to the host operating system or clusters. In the workshop, we will look at real world scenarios where attackers compromised containers to gain access to applications, data and other assets.

By the end of the workshop participants will be able to:

  • Understand Docker security architecture
  • Audit containerised environments
  • Perform container escapes to get access to host environments

The participants will get the following:

  • A Gitbook (pdf, epub, mobi) with complete workshop content
  • Virtual machines to learn & practice
  • Other references to learn more about topics covered in the workshop

COURSE CONTENT (ToC)

  1. Introduction to docker (Quick Primer)
    1. Why & What is Docker
    2. Docker commands
    3. Docker components & concepts
  2. Understanding docker architecture
    1. Namespaces
    2. Capabilities
    3. Control Groups
    4. LSM
  3. Auditing Docker Containers
    1. CIS Benchmarks (docker bench security audit)
    2. Docker Runtime & API
    3. Docker Images & containers
    4. Docker Networks & Volumes
  4. Scenarios for Docker Escapes
    1. Capability Escape
    2. Insecure Volume & Socket Mounts
    3. Insecure API & Misconfigurations
    4. Playing a fun game with container capabilities
  5. Advanced scenarios
    1. Docker-Compose environments
    2. Docker-Swarm environments
    3. Attacks around clusters
    4. Twisted attack scenarios (Demo-Only)
  6. Security Best practices & Take Away
    1. Docker configurations and deployments security checks
    2. Security checks for Docker files and docker-compose files
    3. Security checks for events using Docker events
    4. Logging and Monitoring for events

Pre-Requisite

  1. A laptop with administrator privileges
  2. 10 GB of free Hard Disk Space
  3. Ideally 8 GB of RAM but minimum 4 GB
  4. Laptop should support hardware-based virtualization
  5. If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
  6. Other virtualization software might work but we will not be able to provide support for that

Participants Requirements

  1. Able to run Linux CLI commands
  2. Basics of system administration
  3. Understanding of virtualization would be useful

Who should attend

  1. Penetration Testers
  2. Security Engineers/Analysts
  3. IT and System Administrators
  4. DevOps and Security Teams

What to expect

  1. Completely hands-on, intense, fast paced learning using a combination of scenarios, case studies, hacker tools
  2. Attacking applications and services hosted in containerised environments. Complete documentation of the attacks and virtual machines

What not to expect

  1. A lot of hand holding about basic concepts already mentioned in the things you should be familiar with
  2. A lot of theory. This is meant to be a completely hands-on training!!

Speakers

Madhu Akula

Madhu Akula is a security ninja and published author, security and devops researcher with extensive experience in the industry ranging from client facing assignments building scalable and secure infrastructure, to publishing industry leading research to running training sessions for companies and governments alike.

Madhu Akula’s research papers are frequently selected for major security industry conferences including Defcon 24, Blackhat USA 2018, All Day DevOps (2016, 2017), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n, Serverless Summit, ToorCon, DefCamp, SkydogCon, NolaCon and null, etc. Madhu Akula was a keynote speaker for the National Cyber Security conference at Dayananda Sagar College in Feb 2016.

When he’s not working with Appsecco’s clients or speaking at events he’s actively involved in researching vulnerabilities in open source products/platforms such as WordPress, Ntop, Opendocman etc. and is also a contributing bug hunter with Code Vigilant (a project to Secure Open Source Software). His research has identified many vulnerabilities in over 200 organisations including US Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, eBay, AT&T, Blackberry, Cisco, Barracuda etc. He is also an active member with Bugcrowd, Hackerone, Synack etc.

Madhu Akula has trained over 5000 people in information security for companies and organisations including the Indian Navy and the Ministry of e-services in a leading Gulf state. Madhu Akula has also authored a book titled "Security Automation with Ansible 2" that comes recommended by the creator of Ansible itself.

He is co-author of the book "Security Automation with Ansible 2", published by Packt Publishing in December 2017, which is listed as a resource by Red Hat.

Attacking weak Crypto Implementations

by Ajit Hatti


WORKSHOP ABSTRACT

The aim of the workshop is to build a solid understanding of the basic primitives of cryptography and the building blocks of PKI: how these different blocks come together to provide end-to-end security, and how there are still many ways to get around and exploit these implementations.

We will use OpenSSL as our Swiss Army Knife and practically understand how cryptography, benchmarking, crypto assessment and backdoor detection are done. We will see how the balance between security requirements and performance & compliance is achieved by choosing the right set of primitives.

One day is entirely hands-on, spent attacking, bypassing or exploiting SSL / TLS implementations in N different ways.

COURSE CONTENT (ToC)

  • Understanding the Basic Building Blocks of Cryptography & PKI
    • Using Trustable Crypto Source & Libraries
    • OpenSSL: Swiss Army knife of Cryptography [Lots of hands on assessment here]
  • Defining & Testing Secure Communications
    • Configuring an HTTPS server
    • Understanding SSL / TLS communication & Flaws
    • Attacks on SSL / TLS protocols using web Proxies
    • Undocumented Attacks & Bypasses for SSL / TLS
    • Perfect Forward Secrecy
  • Storing and Retrieval / Archiving of the Sensitive Data
    • Basic Cryptographic algorithms
    • Understanding the Limitations & attacks on cryptographic algorithms
    • Malware precaution & protection
    • Storing & Securing sensitive Data in Cloud
  • Processing Sensitive Data
    • In memory processing of sensitive data
    • Securing data processing in Cloud
    • Browser Hacks on sensitive data caching
  • Recent & Popular attacks
    • Heart Bleed to SSL Sniff / Strip
    • Back-dooring the (P)RNG & other crypto algorithms
    • Hashes & Collisions
  • Exploitation in Post Quantum Scenario
    • Post Quantum & Contemporary Cryptography
    • Quantum Key Generation & Distribution
    • Post Quantum Crypto Systems
  • More Attacks
    • Timing Attacks
    • OCSP stapling
    • HSTS time stamps
    • PRNG Functions
    • Cryptanalysis
    • Side Channel Attacks
  • Miscellaneous
    • Quantum Cryptography
    • Quantum Key Distribution
    • Quantum-resistant crypto primitives
    • Attacks on Quantum Computing
    • Few Practical tips on Privacy and security

Pre-requisite

  • A Mac or a laptop with a Linux distribution of your choice is a must
  • OpenSSL (any version), C / C++ compilers
  • Browser, web proxy & any web server instance on your machine

Participants Requirements

Understanding of basic concepts of information security

Who should attend

Security Professionals responsible for Testing, Developing, Designing, Auditing critical systems with Cryptographic implementations.

WHAT TO EXPECT

Walk away with practical knowledge of:

  • Working use and abuse of PKI systems using the OpenSSL toolkit
  • How to test and exploit secure protocols, encrypted networks, and a few cryptanalysis techniques
  • Where to look for flaws in systems secured by cryptography
  • What the latest attacks in the cryptographic world are and how they work
  • End-to-end use and abuse of browser to web server secure channels
  • A few advanced standards and theoretical attacks

WHAT NOT TO EXPECT

  • A to Z of the Mathematics Behind the Cryptographic standards
  • Breaking Google, FB, Banks secure communication by successful cryptanalysis
  • This course tries to give you the basic but essential knowledge of cryptography needed to be an effective pen-tester or auditor; to become a cryptographer, let's join a PhD course

Speakers

Ajit Hatti

Co-founder of null - Open security community, author of LAMMA and GibberSense

Ajit Hatti is a co-founder of "null - Open security community", and author of LAMMA and GibberSense, the crypto security assessment tools. He previously worked on secure applications of cryptography at Symantec Corporation. He has worked as an Engineer and Security Researcher with security companies like IBM-ISS, Bluelane and Zscaler in the past. He has previously presented his security research at BlackHat, DEF CON + Crypto Privacy Village, NullCon, Ground Zero Summit & c0c0n.

Building a Real-World Attack Monitoring Solution by leveraging the ELK Stack

by Himanshu Kumar Das & Prajal Kulkarni

COURSE CONTENT

The 2-day training course outlines defense in depth against Network and Application Layer attacks using the Elastic Stack. During the 2-day training programme, we will conduct hands-on exercises on simulating, correlating, analyzing and mitigating multiple attacks from Layer 4 to Layer 7. We will also cover various case studies on day-to-day security requirements on cloud as well as enterprise networks. The course will end with a CTF exercise for participants on visualizing security facts using the Elastic Stack.

Detailed Course Abstract

With the growing trend of Big Data, companies tend to rely on high-cost SIEM solutions. Continuous security monitoring and alerting for medium and big enterprises is a large challenge today. Logs from thousands of endpoints, servers and perimeter devices are difficult to aggregate, analyze and correlate in real time in a way that enables better security incident response and event handling. Organizations usually end up with massive data breaches due to lack of visibility into their network activities across the infrastructure. Our course will teach you to take control of enterprise-wide logs and analyze them in real time using the ELK frameworks. During our course, you will learn to scale the Elastic Stack and generate powerful visualizations and data models using Kibana, making analysis of data and decision making simple.

The training will also cover simulating real-world attack scenarios and the alert customisation necessary to respond to real-world attacks/anomalies. With growing cloud-based offerings it becomes crucial to understand systems for detecting and responding to attacks. With tools like osquery we will show how a scalable solution for system-level anomaly detection can be built.

This training is meant for security enthusiasts, DevOps, and startups trying to build an in-house solution. This will be a great way to learn how to set up one's own affordable Security Analytics Platform.

Course Outline

Day 1

  • Elastic 5
    • Overview & Architecture of Elastic Stack
    • Capacity Planning of Elastic Stack
    • Overview of ElasticSearch API’s
    • Dumping data into ElasticSearch
    • Extending Elastic capabilities using X-Pack
  • Logstash 5
    • Introduction to Logstash 5
    • Exercise - Various use cases (webservers, syslog, etc.)
    • Introduction to GROK filters
    • Pattern matching using GROK filters
    • Exercise – Normalizing Logs using GROK Filters (firewall, webserver, syslog, etc.)
  • Elastic Stack on Cloud & Enterprise Network
    • Introduction to Data shippers
    • Shipping & Correlating logs from heterogeneous sources
    • Exercise – Collect and correlate logs (filebeat, packetbeat)
  • Scaling Elastic Stack for High Availability Architectural
    • Overview of Scaling Elastic Stack using HAproxy & Redis
  • Interpolation of Security Events into Elastic Stack
    • Exercise – Correlating Layer 4 and Layer 7 attacks (SYN Flood, HTTP Verb Flood)

Day 2

  • Kibana 5
    • Overview of Kibana Dashboard
    • Setting up Visualizations in Kibana
    • Setting up multiple dashboards in Kibana
    • Exercise - Kibana Visualizations (Area, Pie, Line, etc.)
  • Alerting Attacks
    • History on alerting – Evolving from script to automation
    • Overview of ElastAlert
    • Exercise – Writing ElastAlert rules
  • Case Studies on Elastic Stack
    • NMAP with Elastic Stack
    • Burp with Elastic Stack
    • Threat Intel with Elastic Stack
  • Approaching Internal Security on Cloud & Enterprise Network
    • Overview and architecture of osquery
    • Understanding tables & packs in osquery
    • Integration of osquery with Elastic Stack
  • Capture the Flag on Elastic Stack

What to Expect

Over the duration of the 2-day workshop, you will gain detailed knowledge of how to build a no-cost attack monitoring solution as a one-stop solution for external as well as internal security, both on cloud and on enterprise networks. We will have various classroom exercises to engage participants on real-world security use cases as well as scaling the entire Elastic Stack for large-scale networks. Labs will include all the tools and configs necessary to run a fully functional stack for attack monitoring. The workshop will have a mega challenge at the end of the course on pre-populated data, to give hands-on experience with a production-grade Elastic Stack.

What Not to Expect

  • Elasticsearch programming
  • Writing Plugins for Logstash
  • Any exercise/demo on a physical network device.

Pre-requisite of Training

  • A laptop with administrator privileges.
  • 30 GB of free Hard Disk Space.
  • Ideally 8 GB of RAM but minimum 4 GB
  • Laptop should have a working wireless and wired/Ethernet connection
  • Latest Oracle VirtualBox (preferred) or VMware Workstation or VMware Fusion installed
  • Other virtualization software might work but we will not be able to provide support for that.
  • Note: We do not support Windows XP

What you will get

  • Tools and software provided for the training
  • Completely documented scripts and programs
  • A simple to follow step by step walkthrough of the entire training in a PDF file
  • Virtual machines with code used during the training so that you can even practice after the training is over

Speakers

Himanshu Kumar Das

Himanshu Kumar Das is a security engineer with expertise on Infrastructure and Payments security. He is passionate about system security and fuzzing. He participates in CTF with team SegFault. He has won Nullcon JailBreak 2012 and is a Security Engineer at GRABPAY. While away from security, he spends his time playing console (FPS) and enjoys cooking.

Prajal Kulkarni


Prajal Kulkarni is a Security Researcher currently working with FlipKart. He has been an active member of Null Security Community for the past 3 years. His areas of interest include web, mobile and system security. He writes a security blog at www.prajalkulkarni.com and he is also the lead contributor at project Code Vigilant (https://codevigilant.com/). Code-Vigilant has disclosed over 200+ vulnerabilities in various WordPress plugins and themes. In the past he has disclosed several vulnerabilities in core components of GLPI, BugGenie, Owncloud etc. He has also reported many security vulnerabilities to companies like Adobe, Twitter, Facebook, Google, Mozilla. He has spoken at multiple security conferences and provided trainings at NullCon2015, NullCon2016, NullCon2018, Confidence 2014, Gracehopper 2014 etc.

WS-5

Burp Suite for Web and Mobile Security Testing


speaker Riddhi Shree

WS-6

JavaScript for Pentesting the Modern Application Stack


speaker Bharath Kumar and Subash SN

WS-7

Secure code Audit


speaker Manoj Kumar & Ranjith Menon

WS-8

Mobile App Exploitation


speaker Arun.S and Karthik Lalan

Burp Suite for Web and Mobile Security Testing

by Riddhi Shree

WORKSHOP ABSTRACT

If you care about application security, the one tool that you must absolutely be familiar with is an “Interception proxy”. Although there are several interception proxies in existence, depending on the intensity of penetration tests that need to be performed, a penetration tester might choose a simple or an advanced tool with advanced features. Burp Suite is a collection of several simple-yet-powerful tools. It not only works as an 'interception proxy' but also gives users the ability to automate attacks, attack multiple parameters, generate PoCs, statically detect vulnerabilities, perform out of band exploitation, manage sessions across authorization levels, transform data across multiple types, save and export session data between users, and much more! This completely hands-on workshop is meant for web and mobile security testers, penetration testers and security enthusiasts who want to eliminate the grunt work involved in manual analysis of server traffic, and who want to craft customized and effective attacks against web applications to discover high risk security vulnerabilities.

Course Content

Day-1: Getting Started

  1. Burp Suite Features:
    • Target
    • Proxy
    • Spider
    • Scanner
    • Intruder
    • Repeater
    • Sequencer
    • Decoder
    • Comparer
    • Project Options
    • User Options
    • Alerts
  2. Attacking with Intruder (Hands-On):
    • Attack Types
      • Sniper
      • Battering Ram
      • Pitch Fork
      • Cluster Bomb
    • Payload Types
      • Simple list
      • Runtime file
      • Custom iterator
      • Character substitution
      • Case modification
      • Recursive grep
      • Illegal Unicode
      • Character blocks
      • Numbers
      • Dates
      • Brute Force
      • Null Payloads
      • Character Frobber
      • Bit flipper
      • Username generator
      • ECB Block Shuffler
      • Extension-generated
      • Copy other payload

Day-2: Tools of the Trade

  1. Setting-up the Web and Mobile Application Security Testing Environment:
    • Memory allocation to avoid crashing of Burp
    • Exclusive Firefox profile setup
    • Defining the 'Target Scope'
    • Setting up the 'Proxy Listeners'
    • Hot-keys setup
    • Upstream proxies and SOCKS proxies
    • SSH tunneling
    • Installing Burp Certificate
      • Mozilla Firefox
      • Microsoft IE and Google Chrome
      • iOS or Android
    • SSL pass-through
    • Invisible proxy
  2. Attacking web applications using Burp Suite tool: Hands-on

Pre-Requisite

  1. Laptop with administrator access (mandatory)
  2. Minimum 4 GB RAM
  3. At least 10 GB of free hard disk space
  4. Oracle VirtualBox 5.x or later installed
  5. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)
  6. Make sure Burp Suite can start
  7. Firefox browser with FoxyProxy Standard add-on installed (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/)
  8. Familiarity with HTTP Request and Response Structure

Who should attend

Anyone who is getting started with Web Application Security Testing and who would want to use Burp Suite powerfully should attend this training. Folks who are seasoned security testers would also benefit from the advanced usage of Burp Suite during the training.

WHAT TO EXPECT

Gain confidence in customizing your Web Application Security Testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by the Burp Suite tool.

WHAT NOT TO EXPECT

As this is a hands-on training, do not expect a lot of theory

Speakers

Riddhi Shree

Riddhi Shree is working with Appsecco as Application Security Engineer. She is an active speaker at null Bangalore and has contributed to the application security community by writing multiple security blogs and creating educational videos. She has interest in a variety of areas including (but not limited to) blogging, playing guitar, painting/sketching, playing chess, indulging in adventure sports, and keeping up with technology.

JavaScript for Pentesting the Modern Application Stack

by Bharath Kumar & Subash SN

WORKSHOP ABSTRACT

JavaScript is everywhere! JS is on the client side, JavaScript is on the server side (Node.js), and there are way too many JavaScript frameworks on both client and server side. Understanding JavaScript is not optional anymore for Web Security testers. JavaScript is not just one of those things a tester needs to know just so he/she can write XSS payloads. Understanding JavaScript is one of the most fundamental and crucial skills a Web Application security tester can have. Knowledge of JavaScript makes you a better security tester and it makes an immense difference in the way someone looks at and tests applications.

In this workshop, we will start with absolute basics of JavaScript and how JavaScript fits into the web ecosystem. We'll take a deep dive and look at all the essential JavaScript concepts that a security tester must know. We'll look at JavaScript both from client side and server side. You'll gain hands-on practice with real-world vulnerabilities in JavaScript based applications/frameworks. We'll wrap up the training with a Capture The Flag on an application that resembles a real life application.

Learning outcomes

  1. You'll learn the essentials of JavaScript both on client side and server side
  2. You'll understand the importance of JavaScript in the web ecosystem and importance in web security
  3. You'll gain hands-on experience with multiple attacks both on client side and server side
  4. You'll have hands-on practice on how to test for vulnerabilities in JavaScript based applications and also utilizing JavaScript to exploit other vulnerabilities for maximum impact (like script injection attacks)

Course Content (ToC)

The training will more or less adhere to the following outline

  1. Essentials of JavaScript
    • JavaScript Language Fundamentals
    • Intro to DevTools(Chrome/Firefox)
    • Manipulating DOM & Events
    • Local & Session Storage
    • Asynchronous JavaScript, Ajax & Fetch API
  2. Client-side attacks
    • DevTools(Chrome/Firefox) for security testing
    • Bypassing client-side restrictions using DevTools
    • Advanced Cross Site Scripting (XSS) attacks
      • XSS in modern JS frameworks
      • Advanced XSS payloads - going beyond alert('xss')
      • Esoteric XSS payload - bypassing XSS filters
    • Understanding SOP & CORS(using JS)
    • JSON hijacking
    • Client Side Template Injection(CSTI)
      • CSTI in AngularJS
    • Attacking Single-Page Applications (SPAs)
  3. Server side attacks
    • OWASP Top 10 on a Node.js application
    • Server Side JavaScript Injection(SSJI)
    • Server Side Template Injection(SSTI)
  4. Extras
    • Attacking Token Based Authentication
    • Attacking JSON Web Token (JWT)
    • Remote Code Execution in JavaScript applications
    • Performing JavaScript static analysis to find security vulnerabilities
  5. Custom Capture The Flag (CTF)

Pre-requisite

  • Laptop with administrator access (mandatory)
  • Minimum 2 GB RAM and 5 GB free hard disk space (the more the better)
  • Preferably running Linux as primary OS but Windows/Mac is permissible
  • Oracle VirtualBox 5.x or later installed. (VMWare users are on their own)
  • An SSH client on the host OS. (Most Linux distributions have an SSH client by default; Windows users can use PuTTY)
  • Your own Internet connectivity (Internet is needed for few exercises and also for additional reading)

Participants Requirements

  • A little programming experience in some language, not necessarily JavaScript, is preferable. (Enough to know what a variable, an 'if' conditional, a 'for' loop etc. are)
  • Some exposure to Web application penetration testing is expected. We don't expect the audience to be proficient at pentesting but we will expect that you know the basics of web application penetration testing, especially the OWASP Top 10
  • Able to use at least any one command line and one graphical text editor (nano, vim, gedit, Sublime, VS Code etc)

Who should attend

  • Pentesters and Security Testers
  • Security Professionals
  • Web Application Developers(JavaScript) who are interested in understanding the security aspects

WHAT TO EXPECT

  • Everything in the training will be hands-on and fast paced
  • Lab-driven approach (You'll get to practice every attack we discuss)
  • Attacker focused: although there will be mitigation discussion when applicable, this class is focused towards testers

WHAT NOT TO EXPECT

  • Lots of theory
  • This workshop is geared towards Web Application Security professionals so don't expect more development related discussion

Speakers

Bharath Kumar

Bharath is an open source evangelist with a strong passion for information security and building solutions that solve real world problems. Bharath has presented at many security and developer conferences including Bsides Delhi 2017, Bugcrowd LevelUp 2017 & 2018, PyCon India 2013 and FUDCon 2012.

Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.

His core interest lies in Infrastructure security, Application security, Protocol security and Reconnaissance.

Subash SN

Subash is a Security Engineer at Appsecco. As an avid security enthusiast and a passionate developer, he enjoys developing meaningful solutions to real world security problems. He is currently working on solving security problems at cloud scale and exploring solutions to improve intelligent automation using AI. During his free time, he loves to explore and research on new and upcoming technologies. Introduced to the world of security by null Open Security Community, he is on track to actively contributing back by presenting at various meetups and conferences and has given talks at null Bangalore and the Serverless Summit. He has also contributed to open source security tools such as OWASP Threat Dragon and DVNA. Subash's training on "Automated Defense using Cloud Services for AWS, Azure and GCP" has been selected for Blackhat USA 2018 and Appsec EU 2018.

Secure code Audit

by Manoj Kumar & Ranjith Menon

Pre-requisite

Training will be hands on so you need to bring your own laptop to perform different types of attacks on web based applications.

System Requirements

  1. Windows/Linux/OS X installed machine
  2. RAM – 8GB
  3. Free space in your machine – 10GB
  4. Installed VMware Player in your machine
  5. Visual Studio installed
  6. Notepad++

Who should attend

  1. Having knowledge to develop web application in Java & .Net
  2. Understanding of server client architecture
  3. Those having development background
  4. Eager to learn secure source code practices

WHAT TO EXPECT

  • Exposure to different tools used for performing attacks
  • Demo application to perform secure coding practices

WHAT NOT TO EXPECT

  • Any professional tools

DURATION

2 Days

The course covers relevant web application issues to subsequently demonstrate how to design and develop code defenses into an application.

1-Day: Secure Source Code Practices

Module 1: Introduction to Secure Source Code Practices (SSCP)

  • What is SSCP
  • Need for SSCP security solution

Module 2: Parameter manipulation attack and Defenses

  • Bypassing client-side validation
  • Variable manipulation attacks
  • Input validation types
  • Black list vs White list filters
  • File Upload attacks and best practices
  • Exploit CSV based export features using formula injection
  • Best practices and guidelines to avoid these Attacks
  • Demo

Module 3: SQL- Injection

  • Blind & Second Order SQL injection
  • Enumerating database tables and columns
  • Demo

Module 4: Cross Site Scripting (XSS)

  • Reflected, Stored and DOM based XSS
  • Same domain Policy in browsers
  • Best practices and guidelines to avoid Cross Site Scripting Attack
  • Demo

Module 5: Cryptography

  • Encryption & Decryption
  • Encoding
  • Hashing
  • Demo

Day 2: Secure Source Code Practices

Module 1: Client Side Attacks and Defenses

  • Back-refresh attack
  • Insecure caching
  • Sensitive data in History
  • Insecure Local Storage issues
  • Demo

Module 2: Broken Authentication and Session Management

  • Session expiry
  • Session fixation
  • Secure attribute for Cookies
  • Best practices to manage session
  • Demo

Module 3: Error Handling and Logging

  • Proper implementation of log
  • Proper error handling
  • Demo

Module 4: Code quality

  • Hard coded information
  • Critical information in comment
  • Client side hardcoded information
  • Demo

Module 5: Backend storage Information

  • Password storage
  • Salted hash technique
  • Storage of critical information in backend side
  • Demo

Module 6: Insecure Direct Object References

Module 7: Cross Site Request Forgery (CSRF)

Module 8: Hands-on practice on vulnerable source code application for attendees

Speakers

Manoj Kumar

Manoj has more than 5 years of experience in the field of Application Security and Secure coding process and is a co-founder of h1hakz. He has developed many secure application projects using different languages and has code-reviewed a wide range of applications, from embedded systems to web applications, including Retail Banking and E-commerce applications.

Ranjith Menon

Ranjith Menon has more than 7 years of experience. He is an active player on bug bounty programs, is specialized in Web application, Mobile and Cloud, and is a contributor to the Security Community and co-founder of h1hakz, an open platform for knowledge sharing through a webcast series.

Also, he has found many vulnerabilities for many organizations. Apart from hacking, he gets time for fitness from his work schedule.

Mobile App Exploitation

by Arun.S & Karthik Lalan

Workshop Abstract

Mobile App Exploitation is a unique training which covers security and exploitation on mobile platforms on both Android and iOS. The entire class will be based on intentionally crafted real-world vulnerable Android and iOS apps. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. This is a fast-paced 2-day training full of hands-on Labs & challenges for both Android and iOS environments.

Pre-Requisites

  • Passion to Learn New Things
  • Basic Knowledge of HTTP Protocol & Basic programming fundamentals (any language)
  • Basic Knowledge on how to Install & use Mobile Apps & VirtualBox

What to expect

  • Hands-on Training
  • Fast Paced Learning
  • Real World Case Studies & Scenarios

WHAT NOT TO EXPECT

  • A lot of Theory
  • To become a Mobile App Pentester Overnight

What Should Participants Bring

  • A jailbroken iPhone / iPad for iOS testing is a must for hands-on.
  • Laptop with 40+ GB free hard disk space & 8 GB RAM.
  • Android Training - Windows/Macbook is required & for iOS Training - Macbook with Xcode (8.2 or above) Installed.
  • Install Android Studio latest, Oracle Virtual Box 5.2.x & above, Install Android Virtual Device Images – OS Version 5/6/8.
  • Root/Administrative access on your laptop with external USB allowed.
  • Make sure Intel / AMD Hardware Virtualization enabled in OS.
  • Google Drive link for other tools & resources
    • https://drive.google.com/open?id=0B7EvnEyvoZxsQlB5N0FxdkhBM2c

Takeaways For Participants

  • Mobile App Concepts & Reference
  • Bug Bounty Approaches & Methodologies
  • Get in touch with the trainers even after the training via a WhatsApp Group for a month

Course Duration

16 hours of Training in 2 days (8 Hours Daily).

Course Outline

Day 1: Android Pentesting

Android Basics

  • Android Security Model
  • Application Signing & Sandboxing
  • Android Permission Model
  • Basics of Android Rooting
  • Understanding Android File System
  • Application Components and Structure

Setting up the Pentesting Environment

  • Setting up Android Debug Bridge (ADB)
  • Setting up the Android Studio Emulators
  • Setting up Intercepting proxy – BurpSuite
  • Setting up Automated Tools like MobSF, Qark, Drozer etc.

Reverse Engineering

  • Manifest File Analysis
  • Runtime Manipulation & Code Patching
  • Decompiling & Recompiling the APK
  • Code Signing
  • Code Obfuscation using Proguard & Dexguard
  • Root Detection techniques and bypass via Reverse Engineering

Static & Dynamic Analysis

  • Exploiting Application Components & Security
  • Exploiting Local Storage
  • Exploiting Side Channel Data Leakage
  • Exploitation using Drozer
  • Automated Static Code Analysis using MobSF, Qark etc
  • Exploiting apps on non-rooted device
  • Run time analysis using JDB / Frida

Network Analysis & Data Manipulation

  • Certificate Validation
  • Bypassing SSL Pinning
  • Insecure communication
  • WebViews & JavaScript Interfaces
  • Analyzing Network based weaknesses

Day 2: iOS Pentesting

Getting started with iOS Pentesting

  • iOS Security Model
  • App Sandboxing
  • App Provisioning
  • Changes in iOS 10/11 Security
  • Exploring the iOS Filesystem
  • Code Obfuscation Techniques
  • App Signing

Setting up the Pentesting Environment

  • Setting up iOS Simulators
  • Jailbreaking Basics (iOS 10.x - 11.x)
  • Setting up iPhones & iPads
  • Working on Test Flight Builds. Cydia, Mobile Substrate

Reverse Engineering & Binary Analysis

  • Reversing AppStore Binaries
  • Checking for PIE, ARC
  • Finding Shared libraries
  • Reversing un-encrypted binaries
  • Disassembling using Hopper
  • Binary Analysis
  • Patching, Repackaging, and Re-Signing IPA Files

Static & Dynamic Analysis

  • Exploiting Local Data Storage Flaws
  • Dynamic Analysis on Non-Jailbroken Devices
  • Keychain Storage
  • Data Storage in SQLite, Core Data, Realm & YAP DB
  • NSUserDefaults
  • Dumping Keychain Storage
  • Cycript Basics
  • Side Channel Data Leakage
  • Sensitive information disclosure

Analyzing iOS Network Traffic

  • Intercepting HTTP/HTTPS Traffic
  • Attacking Weak Server Side Controls
  • Client Side Injection
  • Inspecting & Manipulating Network Traffic
  • Bypassing SSL pinning using Frida

Speakers

Arun.S

Arun.S is a Senior Security Consultant @ IBM India Pvt. Ltd., with overall 4+ years of expertise in Mobile, WebApp & WebServices Pentesting. He holds various industry recognized certifications such as ECSA, CEH etc. He is an active speaker & member @ various Security Communities & Conferences like BSides Delhi, null/OWASP/G4H, and he is a chapter lead for Null Bangalore Security Community.

Karthik Lalan

Security Engineer @ Security Centre of Excellence – Philips Innovation Campus. He holds an M.Tech. in CS with Specialization in Information & Network Security. He conducts frequent talks and workshops on Android and Info Sec @ several places including BSides Delhi, OWASP, NullBangalore Chapter, DroidCon-IN. Karthik loves to write technical blogs in his leisure time – www.nestedif.com.