Web security workshop @ confess 2012

Yesterday was the workshop day of CONFESS 2012. My workshop was called “How to exploit and fix typical web application vulnerabilities” and that was what we did. I provided two JSF web applications, some PHP scripts and some C files, which all were vulnerable. At the workshop, we tried to break them in as many different ways, as possible.

At the beginning we did a lot of SQL injection exploits, at first manually and later using sqlmap. Then we looked into XSS, XSRF and poor session management. And last but not least we took a look at buffer overflows, using metasploit as shellcode generator. Unfortunately, we did not have time to check out the jsf-security web application, which would have shown some vulnerabilities of (old versions of) JSF 2.

The workshop HOW-TO and all the source files used at the workshop are available at github: https://github.com/jakobk/confess-2012

search

Search for:

blogroll

• Adam Bien
• Ali Ok
• Gerhard Petracek
• Hanspeter Dünnenberger
• Leonardo Uribe
• Mark Struberg
• Matthias Wessendorf
• Michael Kurz
• Werner Punz

archive

• Juli 2012
• Mai 2012
• März 2012
• November 2011
• Mai 2011
• April 2011
• Dezember 2010
• Oktober 2010
• September 2010
• August 2010
• Juni 2010
• April 2010

meta

• RSS
• Kommentare als RSS