OWASP Women in Application Security (WIA) Committee
The Women in AppSec (WIA) Committee is for anyone who believes that diversity is important to the success of the organisation, as well as for women looking to learn more about AppSec or wanting to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.
INFOSEC GIRLS: Our main objective is to get women curious about information security. We aim to do this by encouraging more women to actively participate in events like security conferences and community meet-ups. https://www.infosecgirls.in/
Train middle school girls and college students.
Mentor women who wish to grow their career in information security.
Have an awesome story to share - a recent hack, your Infosec journey, or cool bounty experiences? Come share your experiences and motivate others with your success stories or learn from the pitfalls you've had!
Just fill out the form below. Of course, you'll have to figure out how to get there and where you'll be when you're not busy having fun at OWASP Seasides. That's totally on you! Food and drinks on us and that's about it. Speakers will have to manage their stay and travel.
Still not sure or have more questions? You can reach us at: cfpowaspseasides@owasp.org
OWASP Seasides Tools Demo 2019 aims to provide a platform for security researchers, developers and hackers to showcase their open-source projects.
Venture down to the beach shack in the evening, for an open air environment where you can freely exchange ideas and receive direct feedback from attendees.
CFT closes on 31st January 2019. Selected tools will be announced on 10th February 2019.
The event will be organised in the shack area near the beach, with a projector setup.
The OWASP Seasides team will be providing scholarships (shared accommodation and train tickets) to students who wish to attend Seasides.
Big Thanks to the supporters for the scholarship support!
Xiarch
Dinesh Bareja (https://twitter.com/bizsprite)
Arman Pathan (https://twitter.com/armaancrockroax)
Jinen Patel (https://twitter.com/j4jinen)
Sponsorship has been awarded to the below-mentioned students/individuals.
Sparsh Kulshreshtha
Saraswati Maddala
Ashish Huria
Eldho George
Paresh Mishra
Manju Chufal
Kartheek Lade
Vishnu K Murali
Nimisha Dughyala
Debolina Basu
Note: Please show us a valid ID card at the event to confirm your identity.
OWASP Seasides event members facilitated the selection procedure and we have not received any other benefits in the process.
Please fill in the form below to get the scholarship.
Workshops are free for anyone to attend. Please register for one training per day, as all trainings will run in parallel.
Tuesday, 26th Feb
Wednesday, 27th Feb
Thursday, 28th Feb
NOTE* Workshops are 100% FREE to all OWASP Seasides attendees, first come first served basis only!
Platinum Sponsors
Gold Sponsors
Combined Gold Sponsor (Bug Bounty World + Peritus + Secmasters)
Bronze Sponsors
Special Supporters
Ravi Rajput
Sandeep Singh
Hrishikesh S
Bhashit Pandya
Shivendra Saxena
Vishal Panchal
Namrata (Namu)
Prashant Gaur
Devendra Kumar
Sheeraz Ali
Amol Bhure
Deepak Rathore
Pankaj Upadhyay
Arun S
Aashish Kumar
Asha Muniyappa
Shilpa Ranganatha
Glenn ten Cate
Riccardo ten Cate
OWASP is dedicated to providing a harassment-free conference experience for everyone, regardless of gender, sexual orientation, disability, physical appearance, body size, race, or religion. We do not tolerate harassment of conference participants in any form.
Conference participants violating these rules may be sanctioned or expelled from the conference at the discretion of the conference organizers. Harassment includes offensive verbal comments related to gender, sexual orientation, disability, physical appearance, body size, race, religion and actions such as deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention.
Participants asked to stop any harassing behaviour are expected to comply immediately. If a participant engages in harassing behaviour, the conference organizers may take appropriate action, including warning the offender or expulsion from the conference.
Conference staff will be available to help participants contact hotel/venue security or local law enforcement, provide escorts, or otherwise assist those experiencing harassment to feel safe for the duration of the conference. We value your attendance.
Welcome to the Annual OWASP SeaSides InfoSec conference.
Through the OWASP Bangalore chapter we aim to provide free premium workshops and talks to all participants. We plan to have workshops from 26th to 28th Feb (9:00 AM to 5:00 PM) and beach-side talks in the evening on 27th Feb and 28th Feb (7:00 PM to 10:00 PM). Mega beach side party on 2nd March.
nullcon has been doing a great job getting researchers from all over the world to India. If you are coming for nullcon 2019, then we are giving you more reasons to come early and participate in OWASP and null community events.
If you want to be part of the event and speak at the events, then please fill in the CFP/CFT form.
General Inquiries : cfpowaspseasides@owasp.org
26th February 10:00 AM - 6:00 PM IST
Overview
Machine learning is an application of artificial intelligence (AI) that gives systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning focuses on the development of computer programs that can access data and use it to learn for themselves.
The process of learning begins with observations or data, such as examples, direct experience, or instruction, in order to look for patterns in data and make better decisions in the future based on the examples that we provide. The primary aim is to allow computers to learn automatically without human intervention or assistance and adjust their actions accordingly.
Table of Content
Phase – I: Theory
Brief history of Machine Learning
Type of Algorithms
Data visualisation hands on with Matplotlib
Data Aggregation, manipulation, and cleaning hands on problem solving with Pandas
Hands on Mathematical operations on data with Numpy
Theoretical understanding of Classification, Regression, and Clustering
Phase – II: Hands-on
Deal with imperfect real-world dataset
Validate a machine learning result using test data
Evaluate a machine learning result using quantitative metrics
Create, select, and transform features
Compare the performance of machine learning algorithms
Tune machine learning algorithm for maximum performance
Communicate your machine learning results clearly
Phase – III: Case Study
Case Study 1: Network traffic classification using ML
Case Study 2: Malicious URL detection using ML
Case Study 3: Detecting password strength using ML based Web Firewall
Prerequisites
Basics of Python programming
What to bring
A laptop with administrative privileges
Minimum of 30GB of free hard disk space
Minimum 8GB RAM
Laptop should have ethernet and wifi capability
Virtualbox installed
Trainer Profile
Trainer 1 - Gaurav Gandhi is a hard-core programmer with 10 years of experience in the software industry. He currently holds the Co-Founder & CTO position at Praemineo, Inc., an Artificial Intelligence company, where he is responsible for research & development of tools and pipelines for products around Artificial Intelligence.
He has worked extensively in application development, specializing in anything and everything around JavaScript: application architecture design/review, code review, database architecture design, and cloud services like AWS, Microsoft Azure, and Google Cloud Platform.
He has spent the last 3 years researching and building applications around Artificial Intelligence, Machine Learning, Deep Learning, and Computer Vision for various clients all over the world, in domains as varied as GIS, Financial Tech, HR & Staffing, Edtech etc.
Trainer 2 - Tamaghna Basu, the co-founder/CTO of neoEYED Inc., is on a mission (www.killthepassword.com) to build a safer world with stronger, yet very convenient, authentication mechanisms for companies and end-users. He is a hacker, speaker, trainer and a developer too. He has more than 14 years of experience in the cyber-security domain and has worked in large enterprises like PwC, Paypal, Walmart etc. to help them secure their products. His main areas of research include application security and network pen-testing, incident handling and cyber forensics. Being a software developer earlier, he worked in Python, Java, .NET, Ruby etc. and in various domains like finance, insurance, gaming etc. He is a frequent speaker/trainer at conferences like NULLCON, C0C0N, OWASP, ISACA etc. and a member of NULL, DSCI and other communities. He has also contributed to security magazines like Clubhack and the ISACA journal. He holds various other certifications such as Cyber Crime Investigation, Diploma in Cyber Law, OSCP, GCIH etc.
Trainer 3 - Chinmay Bag is a Sr. Software Engineer at Praemineo, Inc., a boutique software startup focused on Machine Learning and Full Stack Development. He is a highly resourceful full stack engineer with a passion for finding elegant solutions to complex software engineering problems, with an emphasis on efficient and readable code, and has 4+ years of experience in the software industry in domains such as Fintech and HRtech. He is a Maths Ninja and Machine Learning enthusiast, always tinkering with the latest trends in ML, and is interested in working on collaborative projects.
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
26th February 10:00 AM - 6:00 PM IST
Abstract :
Let's attack Bitcoin's blockchain implementation and learn how the world's most valued financial network is also the world's most secure, given the fact that it is completely open and autonomous.
In this Village, we will do threat modelling of Bitcoin's blockchain implementation and study its layer-by-layer design to thwart the listed threats. We enumerate and understand every single crypto construct used in each layer, and how it is secure now and also in the wake of the realisation of Quantum Computing in the near future.
Overview:
Introduction to Blockchain
What a block looks like on disk
What crypto-constructs go in each block
Threat Modelling of Blockchain: list all applicable threats to blockchain with the help of the participants
Learning defence in depth, built in the block design
Scripts in Bitcoins
Smart Contracts and security issues with a case study of Ethereum
Where Bitcoins go wrong?
Summing it up
Take Aways:
Understanding of the building blocks of cryptography used in Blockchain technology
How to threat model a complex system
How to deal with security threats in an un-trusted, distributed environment
How to build a financial system securely.
Smart contracts, dumb implementation
Dos and Don'ts of cryptography considering the quantum threat
Above all, understand what blockchain is and what it is not.
Who should attend: Professionals from enterprise, banking and financial organisations, LEA and anyone who wishes to understand how blockchain works and how it is secure by design.
About Trainer: Ajit Hatti is founder of PureID and recently conducted the Blockchain Security Village at DEF CON 26 in Las Vegas. He has been working on securing crypto implementations for the last 5 years and is also the author of the crypto auditing tools LAMMA, GibberSense and SCODA. Ajit is also the co-founder of the Null Open security community and Nullcon. He loves to volunteer and present something at DEFCON and BlackHat USA every year.
Reference:- https://www.blockchainvillage.net/
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
27th February 09:00 AM - 6:00 PM IST
Android App Security Workshop
Android Application Penetration Testing Training is intended for students/professionals who are interested in making a career in the mobile application penetration testing domain. It involves decompiling, real-time analysing and testing Android applications from a security point of view. This training covers understanding the internals of an Android app, real-time testing of Android applications and some OWASP Mobile Top 10 security issues such as insecure logging, unintended data leakage, insecure communication, insufficient cryptography, insecure authentication and poor code quality.
WHO THIS TRAINING IS FOR
Students interested in Mobile Security
Security Analysts/Researchers.
IT Professionals working in Android Development domain
IT professionals working in Information Technology-Security domain.
KEY TAKEAWAYS
A detailed understanding of the Android Application internals
A clear understanding of the Android Application Penetration Testing
Ability to analyse an Android Application from a Security Standpoint
Understanding of multiple security tools to be used for Mobile Pentesting
DELIVERABLES
Training Slides
Custom-made VMs
Updated toolset of software/applications used for Mobile Pentesting
REQUIREMENTS
Laptop with minimum 30 GB Hard Disk Space & 6GB RAM with administrative privileges
Updated Virtual-box installed
2 Functional USB Ports
TABLE OF CONTENT
Introduction to Android
Android Security Architecture
Android Permission Model
Application Sandboxing
Setting up Mobile Pentest Environment
Android Application Architecture
Reverse Engineering
Bypassing Android Permissions
Dynamic and static analysis of the application
Insecure Data Storage
Insecure Communication
Insufficient Cryptography
Insecure Authentication
Poor Code Quality
About Trainers
Trainer 1: Nikhil P K is a Security Engineering Lead at IGS-India and an International Security Trainer. His areas of interest include Web Application Penetration Testing, Mobile Application Security and Machine Learning. He has presented talks at international and national conferences and meets such as Nuit Du Hack Paris, OWASP AppSec, Cocon International Cyber Policing and Security Conference, DEFCON Bangalore Chapter, Null Open Security Meet Bangalore and Null Open Security Meet Mysore. He is also a Bug Bounty Hunter and has been listed and acknowledged in the Halls of Fame of companies such as Microsoft, Apple, Adobe, Nokia, Engine Yard and AVIRA Antivirus.
Trainer 2: Asha Muniyappa is a mobile application security researcher. She is a CEH certified professional and is responsible for innovating the mobile app security assets to ensure secure delivery of mobile apps. Her expertise is in Application Security, with key research areas of interest including Mobile Apps and Hacking. She is passionate about learning new techniques for attacking mobile apps and has been researching attack simulations on apps to determine and exploit security flaws.
Modern iOS App Pentesting And Security for Fun and Profit
Does your product or application have a mobile app? Do you use any AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions, then this talk is for you!
This hands-on session will discuss recent case studies of critical findings in iOS apps and also help to address important issues such as encryption key management and authentication issues, along with the OWASP Top 10 for Mobile (iOS). This training will focus on pentesting both Objective-C and Swift iOS applications.
Pre-requisites
Macbook with Xcode (10.1) Installed
Docker Installed
Training Contents (not limited to)
Introduction to iOS App Security
iOS Bug Bounty Case Studies
iOS Pentesting Lab Setup
Approach for Objective C and Swift App Pentesting
Reverse Engineering and Binary Analysis
Exploiting iOS Local Data Storage
Exploiting Broken Cryptography
Exploiting Cloud Misconfigurations
Runtime Analysis of iOS Apps
Frida for iOS Pentesting
Analyzing iOS Network Traffic
iOS Secure Coding
iOS CTF
WHO SHOULD ATTEND?
Security Professionals
Mobile Application Pentesters
Bug Bounty Hunters
iOS Application Developers
Security Architects
People interested in getting started in mobile security
Key Takeaways
End to end iOS App Pentesting
iOS Secure Coding
iOS reverse engineering, runtime analysis
Encryption key management, Defending crypto attacks
Designing secure iOS applications
About Trainers
Trainer 3: Swaroop Yermalkar works as Lead Security Engineer and has authored the popular book “Learning iOS Pentesting” (https://goo.gl/T8jvjJ). Swaroop also leads an open source project, OWASP iGoat (https://igoatapp.com/), which is developed for mobile security. He is one of the top bug bounty researchers worldwide, working with Cobalt.io (https://app.cobalt.io/swaroopsy) and Synack.inc. He has given talks and workshops at many security conferences including AppSec Israel, AppSec USA 2018, BruCON, SEC-T, EuropeanSec, Hacks in Taiwan (HITCON), GroundZero, c0c0n, 0x90 and GNUnify. You can reach out to Swaroop at @swaroopsy.
Trainer 4: Shilpa Ranganatha is an iOS application security researcher. She is a CEH certified professional and is responsible for innovating the mobile app security assets to ensure secure delivery of mobile apps. She is keen to expand her horizons and constantly strives to find zero-day vulnerabilities in client applications.
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
28th February 09:00 AM - 6:00 PM IST
Abstract
Today all vehicles are connected through V2X technologies. Manufacturers keep introducing new add-on technologies for the vehicle industry, such as fleet management systems and diagnostic toolsets. These systems come from third-party vendors and are still in a vulnerable state, so addressing their weaknesses requires a specific skillset in vehicle-industry cybersecurity. This course provides a real car for hands-on experience in security testing of the car and its components. The "Reversing and exploitation of Vehicle" course is targeted from basic to advanced level. During the course we will provide a virtual machine containing all the necessary tools, which can be used after the training for vehicle security testing.
Introduction of Vehicle (Vehicle network)
Briefing of ECU
Briefing of Vehicle Protocols
Understanding and briefing CANBUS protocol
Briefing of CANBUS frame
Briefing of CAR hacking Tools
Eavesdropping on CANBUS messages
Reverse Engineering of CANBUS
Identify the Arbitration ID of a specific vehicle event
Attacks on cluster
Replay attacks
Sending Forged CANBUS messages
DoS attack on CANBUS network
Key fobs
Introduction
Recon of Key fobs frequency
Reverse engineering of Key fob data
Sending malformed key fobs request
Jamming at RX and TX
Defeating encoding mechanism
Replay Attack
Attack on key fob
Cloning of Key fobs
Infotainment
USB
Fuzzing on USB stack
USB interception for software update
About Trainer
Arun Mane
Arun is a Hardware, IoT and ICS Security Researcher. His areas of interest are hardware security, SCADA, automotive security, fault injection, RF protocols and firmware reverse engineering. He also has experience in performing security audits for both government and private clients. He has presented talks at nullcon Goa 2016, 2017 and 2018, GNUnify 2017, Defcamp Romania 2017 and 2018, BSidesDelhi 2017, c0c0n x 2017, EFY 2018, x33fcon 2018, BlackHat USA 2018 and Defcon USA 2018. He is also a trainer for the Practical Industrial Control Systems (ICS) hacking training, delivered at x33fcon 2018 and HIP 2018, and has delivered IoT hacking training at HITB 2017, HIP 2017, BlackHat Asia 2018 and for private clients in London, Australia, Sweden, the Netherlands etc. He is an active member of the null open community.
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
28th February 09:00 AM - 6:00 PM IST
Abstract of the workshop:
In this workshop we will learn and get a good understanding how to set up security test automation into your CI/CD pipelines.
Most customers in need of security test automation use different CI tools that fit their needs. Getting your security tools into these CI environments makes you fully dependent on the plugins the CI environment provides. Now, imagine a world where we could configure our security tools once and use this as a blueprint across all the CI tools.
Docker helps security engineers to equip the customer's CI/CD pipelines in a heartbeat with hard-to-configure security tools, delivering the entire security test automation and vulnerability management solution in a scripted manner that rolls out in the blink of an eye!
After we have the basic set-up configured correctly we can start collecting the right tooling to get the job done. There are a lot of things we should take into consideration if we want to cover the entire attack surface: how to secure the application host and containers, manage secrets, and implement static/dynamic analysis tools. Even more importantly, how do we ultimately manage all the vulnerabilities in an effective way, with delta reporting and false positive suppression, to make everything more maintainable?
Through pain and lessons learned, we want to share our experiences in the form of a workshop that gives you handles and guides to get security automation started in your company!
Why: This workshop aims at helping developers to improve their security skills: when you go devops style, you need to onboard security as well. However, you don't want huge manual quality gates; instead you need to automate! This workshop will help developers understand the basics and the various levels of security checks involved in an AppSec pipeline.
About the Trainers
Trainer 1: Glenn ten Cate. As a coder, hacker, speaker, trainer and security researcher, Glenn has over 10 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security training series dedicated to helping you build and maintain secure software, and has spoken at multiple other security conferences around the world. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.
Trainer 2: Riccardo ten Cate. As a penetration tester from the Netherlands, Riccardo specialises in application security and has extensive knowledge of securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams to become more mature and make their applications secure by design. Not only does Riccardo train developers; he and his brother Glenn also donated to OWASP an entire knowledge framework solely dedicated to helping developers make their code secure by design. See: SKF (Security Knowledge Framework).
Riccardo also has expertise in implementing security test automation in CI/CD pipelines. This helps create short feedback loops back to the developer and prevents bugs from getting into production by catching them at an early phase of the development lifecycle.
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
Soldering is one of the essential skills in today’s world with applications ranging from electronics, jewellery, craft items to plumbing and metal work. Our goal is to teach soldering and basic electronics to anyone and everyone in the most creative and fun way possible.
Traditional electronics and soldering learning approach seemed boring and lethargic. So we took inspiration from nature and crafted a Bee entirely made out of electronic components. We call it BugZee and like a real life bee, it moves around making a buzzing sound. Did we mention it glows its wings in the dark? No, it won't bite you but it'll definitely get you hooked to it.
The soldering village will consist of multiple soldering stations. All attendees will be trained to handle the equipment carefully while still keeping it a very fun learning experience. With this village, attendees will acquire the skills required for soldering and knowledge about basic electronics.
There are no prerequisites. Just an open mind and willingness to turn electronic components into a moving-buzzing Bee. Attendees are encouraged to experiment further with different components post village on their own and build their own Bee of creativity. Most creative Bees will win swag from Hackerwares. Solder On!
*Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.
27th February 3:30 PM - 6:00 PM IST
Security Innovation is teaming up with OWASP Seasides to offer attendees a fun "find the vulnerabilities" game - CMD+CTRL Cyber Range - that shows how hackers break into websites and teaches the importance of secure coding habits.
The CMD+CTRL Cyber Range we will be using is called ShadowBank, a banking website where players compete to find vulnerabilities, score points, and move up the leaderboard. "Leveraging cheat sheets, players take their shot at stealing money, manipulating share prices, and conducting other nefarious acts."
NOTE: Just bring your computer and evil inner-doer and you are ready to roll!
27th February 09:00 AM - 6:00 PM IST
Abstract
In this completely hands-on workshop, you can get in the shoes of a young software engineer who joins the security champions team of a company to watch over the trust in web applications. As time progresses, the regular assignment becomes an involved investigation to solve a computing puzzle.
Throughout this introductory workshop, you would be using the Avatao online AppSec platform to solve a series of technical challenges related to OWASP top 10 and beyond. This technical game teaches you the basic pitfalls in web security and the best practices to fix the problems.
The workshop will be an early preview of a new Avatao story we are going to release on the platform soon. The workshop is intended for software engineers who might be beginners in application security.
Upon Completion of this Workshop, attendees will:
Understand the basic issues in web security
Get insight into OWASP top 10 and how to fix those issues in practice
Have fun in solving game challenges in AppSec
Have developed a team attitude and skills to solve problems together
Have serious craving to become better in web security
Learn a few words in leetspeak
Prerequisites for attendees:
Attendees should bring: Laptop with a contemporary browser (mandatory)
This is an introductory Workshop for web application developers, students, including those new to application security.
The course has been developed to train learners at all levels, but it is mostly geared towards beginners.
Trainer(s):
Kristof Toth is a SOLID software engineer at Avatao. He is the main driving force behind the gamified Tutorial Framework that makes the Avatao platform sleek and enjoyable. Besides a deep passion for clean code and software craftsmanship, Kristof likes cats and is a beer aficionado.
*Note: Registration details will be shared with Trainers and Sponsors. It is mandatory to register your spot in advance, as we need to organise the seating logistics.
Please fill in the form below to register.
27th February 3:30 PM - 6:00 PM IST
What’s the Plan?
The workshop starts with the basic idea of what exactly a CTF is and why it should matter to you regardless of your background.
Then we begin with a basic introduction to the following categories, with a talk and live challenges to learn some neat tricks along the way!
Web: It's time we look beyond the old boring web application and introduce some fun tasks to this scenario; learn the fundamentals and different tricks like breaking OAuth, SSRF, testing REST APIs and more.
Crypto: Time to break that obfuscated code, understand what exactly RSA does and what many other popular encryption schemes lack, and, the fun part, exploit them LIVE!
Forensics: It's your time to do DFIR like a professional; learn all you need to know about images, processes, handles, DLLs and injections!
Pwn: Nothing beats the good old "pop pop ret". Not sure what that means? You will probably know it all after the workshop and automate overflows like you always wanted to!
Misc: It's always handy to move stuff around with netcat, automate the boring stuff and even look at the stuff beyond "some language".
Upon completion, the attendees will know:
Techniques commonly used to solve problems in the realm of security, a basic idea about overflows, commonly used encryption schemes, common forensics techniques, web application reconnaissance and exploitation, and lots of tips and tricks to save your time while working.
Attendees should bring:
Laptop, preferably running a Linux distro (Kali Linux full boot or VirtualMachine)
Pre-requisites for attendees:
A general idea about Linux, and a knack for programming.
28th February 09:00 AM - 6:00 PM IST
Course Abstract
Bugcrowd is happy to offer a full-day workshop for bug hunters to learn both intro and advanced topics in web bug hunting. Each BCU module will go over a vulnerability, describing its nature, how to identify it, how to exploit it, and the relevant tools associated with it, and will have labs for students to test their skills. These Bugcrowd University modules are designed to enable the crowd to spot and exploit Priority One level bugs, even in seemingly complex web applications.
(Intro) What makes a good submission
(Intro) Burp Suite Workshop
(Intermediate) Asset Discovery and Recon- IP enumeration (ASNs and Cloud)
Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
Subdomain Enumeration (Scraping and Bruteforcing)
Effective Port Scanning
Version based vulnerability analysis
Directory Bruteforcing / Content Discovery best practices
Prioritizing target testing areas by technology and features
(Advanced) XML External Entity Injection
An introduction to XXE
XXE Identification
XXE Tooling / payloads
XXE LABS
(Advanced) Authorization & Access Control Testing (MFLAC, IDOR)
The ever-giving IDOR and MFLAC
Examples
LABS
(Advanced) Server Side Request Forgery- An introduction to SSRF
SSRF Identification
SSRF Tooling
SSRF LABS
(Advanced) Security Misconfiguration (Git, AWS, Subdomain, ++)
Introduction to AWS S3 permissions
Labs
git pillaging
Labs
Github robbing
Live exercise
CI/Code repositories exploitation (no lab)
Subdomain takeover
Labs
Upon completion of this training, attendees should have solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. Not only does the course aim to arm the student with the techniques, tools, and labs, but also with a contextual and data-driven methodology on where and how to look for each vulnerability.
Attendees should bring: Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.
Pre-requisites for attendees: General Web application security testing knowledge required. Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.
These trainings are 100% FREE to all OWASP Seasides attendees, first come first served basis only!
About the trainer: Jason Haddix is the VP of Researcher Growth at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, wireless network assessment, binary reverse engineering, and static analysis.
The registration is closed. However, all the events and workshops are on a first come, first served basis. Please reach the venue early to grab your spot.
27th February 09:00 AM - 6:00 PM IST
Abstract
In this completely hands-on workshop, you will learn the techniques and methodologies that can be applied when performing web application penetration testing. Throughout this workshop, you will be using Burp Suite and OWASP ZAP, each a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you will also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 – 2017 list. We will provide you with a vulnerable website, and you will uncover security issues in it even if you have never done this before!
Upon Completion of this Workshop, attendees will know:
Scope a security review and prioritise the work.
Understand the manual and automated tools and techniques available and when to apply them.
Understand DevSecOps, including the Agile framework.
Gain confidence in customising your Web Application Security Testing approach to suit application-specific pen-testing needs, by gaining clarity on the powerful features provided by the Burp Suite tool.
Lots of hands-on web application hacking labs and exercises, along with the core concepts of web application security.
Attendees should bring:
Laptop with administrator access (mandatory)
Minimum 4 GB RAM
At least 10 GB of free hard disk space.
Oracle VirtualBox 5.x or later installed.
Prerequisites for attendees:
This is an introductory Workshop for web application developers, students, including those new to application security. The course has been developed to train learners at all levels.
Trainers:
Vandana Verma
Co-Trainers:
Namrata Mallick
Sri Lakshmi
Note: Registration details will be shared with Trainers and Sponsors
The registration is closed. However, all the events and workshops are on a first come, first served basis. Please reach the venue early to grab your spot.
Panel Discussion
Bug Bounty Craft
Panelists:
Jason Haddix
Saubhagya Srivastava
Abartan Dhakal
Moderator:
Chloé Messdaghi
Evening Talks
Speaker Name | Talk Title
Glenn ten Cate | Making the web secure by design
Vanshit Malhotra | Building Your Hacker BlackBox for Fun And Profit
Andrew van der Stock | OWASP ASVS (Application Security Verification Standard)
Sunil kumar S | Mallory in a Modern World: Practical exploitation of IoT systems by attacking Wireless Sensor Networks
Yassine Aboukir | Leveraging certificate transparency to automate monitoring of new subdomains for fun and profit - Sublert tool release.
Avinash Jain | Bringing Left Shift Security change in India E-market #BugBounty
Time Slot | Tool Title | Presenter | Slides
5:00 - 5:15 | | Abhishek J M |
5:20 - 5:35 | | Utkarsh Agrawal |
5:40 - 5:55 | | Chirag Jariwala |
5:55 - 6:10 | Closing | |

Time Slot | Tool Title | Presenter
5:00 - 5:15 | Intro and Setup |
5:20 - 5:35 | | Sagar Ujalambkar
5:40 - 5:55 | | Praveen K
6:00 - 6:15 | | Glenn ten Cate & Riccardo ten Cate
Panel Discussion
Entrepreneurs in cyber security business
Panelists
Rahul Sasi - Founder at Cloudsek
Ricky Rajkumar - Founder at IntouchWorld
Mark Felegyhazi - CEO at Avatao
Panel Moderator
Ajit Hatti - Founder at Pureid
Evening Talks
Speaker Name | Talk Title
Shrutirupa Banerjiee | Security with Smart Contracts
Saumya Vishnoi | The other side of bug bounty program
Armaan Pathan | How I bought my car in 4 days of bug hunting
Henrik Noelscher | Car Hacking Nowadays
Nitin Lakshmanan | Attacking your in-ear fitness coach: Next generation exploits for consumer IoT, and mitigation approaches
Chloé Messdaghi | Fixing the Internet's Auto-Immune Problem: Bilateral Safe Harbor for Good-Faith Hackers
Praveen K | Threat Playbook
26th February 10:00 AM - 6:00 PM IST
Red Team Village is a community-driven combat readiness platform for red teaming and full-scope cyber security assessments. The community is managed by a group of cyber security and red team tactics enthusiasts. A red teamer needs to be skilled in every aspect of offensive security. We consider this a platform for sharing tactics, techniques, and tools related to the various domains of adversarial attack simulation.
Agenda:
Sessions about Red Team tactics and tools
CTF - There will be CTF challenges, and the winners can go home with cool prizes and goodies.
The CTF challenges will be based on red teaming activities and attacks.
Participants need to compromise various levels of infrastructure assets owned by the target corporation.
Challenges include unlocking a physical safe / locker by obtaining the locker key stored in the domain admin user's folder.
The final challenge will be discreetly compromising a corporate asset monitored by the Blue team / SOC.
Innovation
The primary purpose of a Red Team assessment is to validate your organisation's effectiveness against credible and realistic cyber threats. These threats are real, and they push organisations to concentrate on full-scope adversarial attack simulation engagements.
Red Team Village is one of its kind. Our end goal is to act as a platform for red team tactics knowledge sharing and exercises.
We keep creating real-world scenarios and challenges for our events.
We are planning to create a permanent red team CTF platform containing all of our previous challenges, where red team enthusiasts can join, participate in real-time challenges, and learn new attack vectors and techniques.
We also organise combined exercises that include both the red team and the blue team, so that tactics can be shared and a Purple team structure can emerge.
TECHNICAL DETAILS – CTF CHALLENGES
There is a target company named Victim Corporation. Victim Corp has a wide list of assets.
The assets can be digital, physical, or even employees.
Participants need to attack each asset to get flags.
There will be Windows Active Directory infrastructure, Linux, IoT, and even phishing campaigns and other attack frameworks.
Digital lockers and other physical challenges will be introduced.
The final challenge will be attacking a target monitored by the Blue team / SOC and getting the flags without showing up on their radar.
The idea is to touch a little bit of everything, from OSINT to post-exploitation techniques.
Vishnu Prasad works at HackerOps as a Sr. Security Specialist and has 7 years of experience in the information security industry. Organizer of the DEF CON group - Trivandrum and the Red Team Village community.
Abhijith B R works as a Sr. Security Analyst at EY, with 8 years of experience in the cyber security industry. Cyber security researcher, blogger, maker, and adventure motorcycle traveller. Mostly researching intelligent penetration testing automation and red teaming tactics. Lead organizer of the local DEF CON group (DC0471) and manages the Red Team Village community.
Ranjith Menon has more than 8 years of experience in the infosec domain. He is an active player in bug bounty programmes, specialised in web app, mobile, and cloud, a contributor to the security community, and the founder of h1hakz – an open platform for knowledge sharing through a webcast series.