At CodeMash 2.0.2.0 we covered a lot of topics in Application Security. Can't share my slides (we didn't use many anyway) but I can make a list of resources based on what we talked about. Many of these are OWASP links, and OWASP is transitioning from MediaWiki to GitHub, so it might take a little work over time to find the resource. That said, let's do what we can.
The class started by talking about the OWASP Security Principles. https://wiki.owasp.org/index.php/OWASP_Security_Principles_Project
Then we dove into vulnerability assessment. Our target? OWASP Juice Shop. https://github.com/bkimminich/juice-shop
The browser most of us used was Firefox. https://www.mozilla.org/en-US/firefox/
Between the browser and the target we ran an attack proxy. For this class that was Burp Suite Community Edition. https://portswigger.net/burp
Access control was the first topic, and it's a big one: authentication, authorization, and session management all fall under it.
- https://owasp.org/www-project-cheat-sheets/cheatsheets/Access_Control_Cheat_Sheet.html
- https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control
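The A5 link above is about the bug class we spent the most time on in Juice Shop: the app checks that you are logged in but never checks that the record you asked for is yours. Here is an added example of that, written for this post and not taken from the class, Juice Shop, or OWASP. The invoice store, the role table, and the session objects are all constructed for the example; a real app would pull those from its database and session store.

```javascript
// Added example: object-level authorization done wrong, then done right.
// Everything below (invoices, roles, sessions) is constructed sample data.
const invoices = new Map([
  [101, { id: 101, ownerId: 'alice', total: 42.0 }],
  [102, { id: 102, ownerId: 'bob', total: 13.5 }],
]);

// Hypothetical role table; 'admin' may read any invoice.
const roles = { alice: 'user', bob: 'user', carol: 'admin' };

// A session is valid if it names a user and has not expired.
// `now` is injectable so the expiry check can be exercised deterministically.
function isValidSession(session, now = Date.now()) {
  return Boolean(session && session.userId && session.expiresAt > now);
}

// Vulnerable: authenticates the caller but never asks whether the caller
// may see *this* invoice. Any logged-in user can walk the id space
// (Insecure Direct Object Reference, one of the A5 Broken Access Control cases).
function getInvoiceUnsafe(session, invoiceId, now = Date.now()) {
  if (!isValidSession(session, now)) return { status: 401 };
  const invoice = invoices.get(invoiceId);
  return invoice ? { status: 200, invoice } : { status: 404 };
}

// Hardened: authentication first, then object-level authorization,
// denying by default unless an explicit rule grants access.
function getInvoice(session, invoiceId, now = Date.now()) {
  if (!isValidSession(session, now)) return { status: 401 };
  const invoice = invoices.get(invoiceId);
  if (!invoice) return { status: 404 };
  const role = roles[session.userId] || 'user';
  const allowed = role === 'admin' || invoice.ownerId === session.userId;
  if (!allowed) return { status: 403 };
  return { status: 200, invoice };
}
```

The hardened version answers 403 when the record exists but belongs to someone else; many teams prefer to answer 404 for both the missing and the not-yours case so the endpoint doesn't confirm which ids exist. Either way the check has to happen on every object access, not just once at login.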
Then we moved on to injection in all its forms. SQL injection is the best known, but we covered others.
- SQL Injection https://portswigger.net/web-security/sql-injection
- Local file inclusion https://github.com/OWASP/wstg/blob/master/document/4_Web_Application_Security_Testing/4.8_Input_Validation_Testing/4.8.12.1_Testing_for_Local_File_Inclusion.md
- Directory traversal https://github.com/OWASP/wstg/blob/master/document/4_Web_Application_Security_Testing/4.6_Authorization_Testing/4.6.1_Testing_Directory_Traversal_File_Include_OTG-AUTHZ-001.md (technically an authorization attack but hey)
- Prevention https://owasp.org/www-project-cheat-sheets/cheatsheets/Injection_Prevention_Cheat_Sheet.html
A number of tools and resources were discussed.
- The Web Application Hacker's Handbook https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting-ebook/dp/B005LVQA9S
- Didier Stevens' tools https://blog.didierstevens.com/my-software/
- The CodeMash CTF (Which will go down eventually but for now) https://cmctf2020.ctfd.io/
If I missed anything significant or anyone has any questions, you can find me at bill@pointweb.net, or Slack, Twitter, LinkedIn, or here!