Overview: The vast majority of cyber attacks against a web application are relatively easy to defend – yet most applications remain vulnerable. In fact, many developers aren’t even aware of how simple these attacks are to execute.
Spoiler alert: it’s really, really easy.
During this day-long workshop we’ll learn a range of tools (including OWASP ZAP) to hack a vulnerable web application written in Node.js, Express and Angular. We’ll cover a variety of approaches attackers use to exploit web applications: everything from XSS and SQL injection to a host of other hacking tricks.
Be prepared to learn, laugh and cry as we explore security flaws common to most web applications. You’ll leave this workshop with hands-on experience in penetration testing methodology, a deep understanding of the current OWASP best practices, and a broad appreciation for application security.
If you can’t protect your web applications from hackers, who will?
Agenda (3 hours):
- 0:00 Intro & broad discussion of Web App technologies (HTML, CSS, JS)
- 0:15 Tour of Browser DevTools
- 0:30 Use DevTools to find the easter eggs in OWASP Cyber Scavenger Hunt
- 0:45 Browser extensions to help us enumerate Web App technologies
- 1:00 Introduction of OWASP Juice Shop
- 1:15 Using DevTools to find the Juice Shop “scoreboard”
- 1:30 Solving some Juice Shop challenges
- 2:00 Introduction of OWASP ZAP
- 2:00 Enumerating the Juice Shop application with ZAP
- 2:30 Advanced ZAP features
- 3:00 End
Prerequisites:
- Instance of OWASP Juice Shop (locally or via Heroku)
- Install OWASP ZAP
- Install Firefox or Chrome
- Permissions to install browser extensions