hacking, owasp, web application security

Slides from Hacking OWASP Top 10 – Infinity Stones + Walkthrough at Blacks in Cybersecurity

On Friday February 5, 2021, I provided a training on teaching Application Security concepts using the OWASP Top 10.

The Open Web Application Security Project or OWASP is a non-profit organization whose mission is to make application security better. Members of OWASP meet every few years to create a top 10 list of the prevalent vulnerabilities in the industry. The last list was from 2017.

The structure of my training is the first part is to present the theoretical part – concepts and definitions. The last part of the training is a practical or application of the first part of the training (theoretical).

For the practical piece I used the website – BodgeIt Store. The BodgeIt Store is an insecure app, that should NOT be deployed in commercial servers. Many will say that the BodgeIt Store is a SUPER old insecure app (it’s close to 10 years old).

The app is close to 10 years old, but I find this app is good to teach application security as there’s a scoreboard and 12 challenges to complete.

Anyway, without further ado below are my slides from my training

I also provided documents that provide a walkthrough of the BodgeIt store as well as installing and using an interception proxy such as Burp Suite.

Finally, I included instructions on how to import the OWASP Broken Authentication VM which have a series of insecure apps.

See below.

Enjoy and keep hacking!

hacking, mobile

Slides from – Is Your App Safe? Reverse Engineering An Android App Training + Walkthrough from Blacks in Cybersecurity Winter Conference

During the weekend I participated as a speaker at the Blacks in Cybersecurity Winter Conference. This conference was online, and was a GREAT experience. I learned a lot of information and was able to meet with a lot of people and recruiters.

Anyway, my training today (Saturday February 6, 2021) was on reversing an Android application. In my training I talked about how apps are not safe by showing case studies (as recent as last week!) along with describing the components of an Android app. Next, I talked about how to reverse an Android app and how to do dynamic analysis using Frida. I finished the course by having a lab where I put all of the pieces together with the UnCrackable-Level1.apk.

Note – The virtual machine we’re using for this training is one that I created. The VM is titled, IntroToAndroidSecurity version 1.1.2. This VM has the common tools for Android Hacking in one place. I also included insecure Android apps in the virtual machine as well for participants to continue their learning/growth in mobile security. For the training I also used an Android emulator (Androidx86). I did this as I wanted all the participants to be on the same playing field. If we were doing mobile security as a job, we would want to have a real physical device.

Without further ado – here are my slides from the training.

Also, if you want to download the virtual machines (IntroToAndroidSecurity and Androidx86) from my training go to my Source Forge link here.

Note – Click on the External Links tab to get the VMs.

I am also including the documents I created for this training as well –

To set up the mobile lab, you will need the first two documents. I included the third document just in case the second document (importing Androidx86) does not work.

Document 4 is the walkthrough of the lab that I completed during the training.

hacking, web application security

How to Get Started in Pentesting #infosec, #pentesting, #appsec, #security @j0emccray, @infosecaddicts, @ppentestlabs, @pentesterlab, @blackroomsec, @securitytube

Happy Hacking!

Today’s blog post will be on how to get started with pentesting… on a budget.

If you’re following or reading my twitter timeline (@devsecopsgrl007), you will know that I am currently taking SANS SEC542 – Web App Penetration Testing. I am doing this class OnDemand (online), and I have access to the training for 4 months, along with two practice tests, and the certification (once I pass, putting it into existence!) While this course is GREAT, it is EXPENSIVE!

I know if you’re a student, this is WAY out of your price range. So, I would like to list alternatives where you will learn the same content, but it might take you a bit longer.

So without further ado here’s my list:

  1. Skillshare has a Ethical Hacking package that is $19 for 8 courses. These courses original value was $1,273 – which is a 99% savings. You can buy the class HERE.
  2. There’s a book that is the holy grail for Web Pentesting called, “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” This book has a lab accompanied with the book that is $7/hour. You can buy the book HERE.
  3. Another book, Penetration Testing Essentials, is another GREAT book. It gives an overview of the different concepts of pentesting. You can buy the book HERE.
  4. Joe McCray has a Pentester Candidate Program that is also a GREAT program. Follow Joe on twitter (j0emccray) or his program – @infosecaddicts
  5. PentesterLab has a program – PentesterLabPro where you can pay $19.99/month, or pay for a year and get two months free. More information can be found HERE. PentesterLab also has a bootcamp which is free. More information can be found HERE.
  6. PentesterAcademy has a monthly subscription for $39.99/month. The good thing about PentesterAcademy is they have A LOT of information. Web App Pentesting, Python, etc. More information can be found HERE.
  7. PracticalPentestLab has a promotion where you can pay a one time fee of $42.99 to get the VIP content which has subjects in pentesting, windows exploit, etc. You can contact them on twitter @ppentestlabs. More information can be found HERE.
  8. Hacking-Lab is a free online platform where you can learn hacking skills. More information can be found HERE.
  9. Cybrary is another free website that has an assortment of courses. More information can be found HERE.
  10. PicoCTF is an online CTF platform that is geared towards high school students, but it’s open to anyone. All you need to do is sign-up. More information can be found HERE.

Another big piece is to practice the skills that you have learned.

To do this you will need vulnerable machines to hack 🙂

One of my favorites is HackTheBox which has an assortment of machines. More information can be found HERE. Note: That you will need to hack the site to get the invite code.

Another website that I love is VulnHub. VulnHub has an assortment of machines. The good thing about VulnHub is that some of the machines have been used in CTFs and other security conferences. More information can be found HERE.

The next website is my favorite, called OverTheWire. OverTheWire is a website that has multiple challenges in different areas, web app pentesting, linux, etc. More information can be found HERE.

There’s another website RootMe which is a free online platform to practice pentesting. More information can be found HERE.

I can’t stress enough that you will need to practice. The old adage holds true in this case, practice makes perfect.

Finally, please follow @blackroomsec on twitter who’s a sweetheart! She has a website that lists even more free or inexpensive opportunities to learn pentesting.

 

hacking, owasp, web application security

OverTheWire: Natas Level 1 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going to solve level 1 of the Natas challenge.

Let’s begin.

Going to the following URL we see:

Natas1_WarGame_1

From level 0, we were able to find the password of level 1 (screenshot below):

Natas_WarGame4

Entering the username of “Natas1” and password from the screenshot we see:

Natas1_WarGame_2

Looking at the message we noticed that right-clicking has been blocked. How can we get around this?

By adding “view-source” in the beginning of the URL.

Doing this we see:

Natas1_WarGame_3

We’ve acquired the password for level 2!

hacking, owasp, web application security

OverTheWire: Natas Level 0 #appsec #webapp #websecurity #wargames

Another day, another challenge…

Today’s challenge we’re going to solve the first level of the Natas wargame challenge.

Let’s begin.

Going to the first level, we see the following:

Natas0_WarGame

Entering the URL we see the following prompt:

Natas0_WarGame2

Entering the username and password of “Natas0” we see the following:

Natas_WarGame3

Doing a right click, and selecting “View Page Source” we see:

Natas_WarGame4

We found the password for natas1! We’ll solve that challenge in the next blog post…