1. Objective
Have you ever wondered how safe the applications you use every day are? Those that have access to your personal and, in some cases, financial information? Are these applications so safe that the only ones who might be able to compromise them are the kind of hackers you see on TV and in movies, those who sit in front of a black screen with green letters, type at lightning speed, and probably speak binary as their second language?
We are sorry to burst your bubble, but the truth is far from that, and it probably takes a much less extraordinary person to compromise your information. This is usually because the most common vulnerabilities found in applications are XSS (Cross-Site Scripting), SQLi (SQL Injection), CSRF (Cross-Site Request Forgery), Insecure Session Management and Insecure Configurations, among others. These vulnerabilities are widely documented, and exploiting them can be, in some cases, extremely simple, without requiring in-depth knowledge of computing or programming.
We give you a look at how our ethical hackers exploit these vulnerabilities to obtain sensitive information, hijack a session, or even gain root access to the server running the application.
2. Content
In this conference, we will use an application named bWAPP, which has the particularity of being vulnerable by design (vbd). This allows ethical hackers and security enthusiasts to practice their skills and keep improving, while those who are just starting in this world can also learn how to find and exploit vulnerabilities.
The application will be attacked at different levels: the web interface and the various services running inside the server. We start with an identification phase, followed by exploitation and privilege escalation.
We will also show the programming mistakes that cause these vulnerabilities, always keeping it simple so that all participants, whatever their profession, can keep up and understand the importance of information security in a world where applications and devices are multiplying exponentially.
3. Experience
This conference was held at the Information Security Workshop carried out by TigoUne.
4. Where?
The presentation can be hosted at your company’s facilities or an external venue.
The talk can be given in Medellín with a minimum audience of 10. For other cities in Colombia and Latin America, the minimum is 20 participants.
5. Duration
The event duration is 1 hour.
6. Audience
This conference is suitable for people with basic or low technical knowledge. The audience limit is 30 participants.