Web Security Workshop
A Jumpstart!
Satria Ady Pradana
http://xathrya.id/
Lightweight and Powerful Penetration Testing OS
Xathrya
# whoami?
• Satria Ady Pradana
– Junior Security Analyst at MII (Metrodata Group)
– Researcher at dracOS Dev Team
– Staff at Reversing.ID
– Interested in low-level stuff
• Now tell me yours
Dracos Linux is an open source operating system built for penetration testing. It is packed with a ton of pentest tools, including
information gathering, forensics, malware analysis, maintaining access, and reverse engineering.
We Live by Code and Rise by Ethic
LINUX :*
• Unix-like operating system for various devices and hardware.
• Free and open source, under the GNU license.
• Made by Linus Torvalds in 1991.
#screetsec Xathrya
Making Linux Distro
great again
Remastering
• Deriving, or making a new distro based on an existing distro.
• The result has undergone some modifications by its author that make it different from the parent distro.
Linux From Scratch
• A way to build Linux from the very start.
• Not derived from an existing distro.
• Initiated by Gerard Beekmans.
• Develop and assemble all parts of the system yourself.
Advantages
• Teach yourself the internals of an operating system.
• Flexible: do as you wish.
• You positively have full control of your system.
INTRODUCING
THE PHILOSOPHY
• The name dracOs comes from Dragon Comodos.
• A rare species that can only be found in the Indonesian archipelago.
• Inspired by the Comodo character:
  – Strong enough to kill its prey with minimum force.
  – Its mouth carries various bacteria and viruses that quickly kill the prey.
HISTORY
• Project initiated on 12 June 2012 by Zico Ekel
• Remastering of Ubuntu 10.04
• The dracOs v2.0 Beta update still used Ubuntu
• Project reinitiated in December 2015 with a radical change: adopting LFS
STYLE OLD SCHOOL
WHY
I am a l33t
h@cker
LMAO
Doing something, but not knowing what they are doing.
SOMEWHERE
IT HAPPENS
So...
DRACOS LINUX
FEATURES IN DRACOS
GTK MENU
FIRE UP THE VM
# In this Lab
• Install dracOs
• Configure network (use NAT or bridge)
• Ping my machine from dracOs
• Try the user interface (DWM)
• Install a package
ARE YOU A HACKER?
You might be, but I am not
Information Security is Like Football
Formation = Framework:
- ISO/IEC 27001
- NIST SP 800 (Computer Security)
- PCI DSS
- HIPAA
- ISMF
Positions:
- GK-Defender: Sysadmin, Network, Firewall, SIEM, etc.
- Midfielder: InfoSec Officer, Risk Management Internal, Compliance, etc.
- Striker: InfoSec Consultant, Pentester, etc.
- Coach: Top Management, CISO
- Supporter: Stakeholder
(@rungga_reksya)
I am sure you are interested in offensive penetration testing.
Three Critical Components for Information Security (CIA):
- Confidentiality
- Integrity
- Availability
(@rungga_reksya)
Penetration Testing Methodologies and Standards
Penetration testing approaches: Black Box, White Box, Gray Box
(@rungga_reksya)
Penetration Testing Framework
- WASC: Web Application Security Consortium Threat Classification
- OSSTMM: Open Source Security Testing Methodology Manual
- OWASP: Open Web Application Security Project Testing Guide
(@rungga_reksya)
OWASP Top 10 – 2010 (old) vs. OWASP Top 10 – 2013 (new)

| OWASP Top 10 – 2010 (old) | OWASP Top 10 – 2013 (new) |
| --- | --- |
| 2010-A1 – Injection | 2013-A1 – Injection |
| 2010-A2 – Cross Site Scripting (XSS) | 2013-A2 – Broken Authentication and Session Management |
| 2010-A3 – Broken Authentication and Session Management | 2013-A3 – Cross Site Scripting (XSS) |
| 2010-A4 – Insecure Direct Object References | 2013-A4 – Insecure Direct Object References |
| 2010-A5 – Cross Site Request Forgery (CSRF) | 2013-A5 – Security Misconfiguration |
| 2010-A6 – Security Misconfiguration | 2013-A6 – Sensitive Data Exposure |
| 2010-A7 – Insecure Cryptographic Storage | 2013-A7 – Missing Function Level Access Control |
| 2010-A8 – Failure to Restrict URL Access | 2013-A8 – Cross-Site Request Forgery (CSRF) |
| 2010-A9 – Insufficient Transport Layer Protection | 2013-A9 – Using Known Vulnerable Components (NEW) |
| 2010-A10 – Unvalidated Redirects and Forwards (NEW) | 2013-A10 – Unvalidated Redirects and Forwards |

3 Primary Changes:
- Merged: 2010-A7 and 2010-A9 -> 2013-A6
- Added new 2013-A9: Using Known Vulnerable Components
- 2010-A8 broadened to 2013-A7
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
(@rungga_reksya)
SQL Injection
• Injecting a snippet of SQL syntax to make the database give us information the developer never intended to expose.
• Caused by unsanitized input.
• Things you should know:
  • Basics of SQL
  • UNION
  • DBMS-specific details
  • Unicode and character representation
Cross-Site Scripting (XSS)
• Injecting client-side script into a web page viewed by (other) users.
• Caused by unsanitized input.
• Things you should know:
  • Reflected
  • Persistent
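Added example (not from the workshop slides) covering both variants named above: a reflected search echo and a persistent comment list, each rendered once without output encoding and once with html.escape, using a constructed script-tag comment as input.

```python
import html

# Constructed sample input for the demo: a comment that carries markup.
PAYLOAD = "<script>alert(1)</script>"

# Persistent (stored) XSS: attacker-controlled text kept server-side and
# shown to every later visitor.
comments = []


def post_comment(text):
    comments.append(text)


def render_comments_unsafe():
    # Stored text is concatenated into HTML as-is; the browser parses the
    # script tag and runs it in every viewer's session.
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def render_comments_safe():
    # Output encoding for an HTML body context: <, >, &, " and ' become
    # entities, so the browser shows the text instead of interpreting it.
    return (
        "<ul>"
        + "".join("<li>%s</li>" % html.escape(c, quote=True) for c in comments)
        + "</ul>"
    )


def search_page_unsafe(q):
    # Reflected XSS: the request parameter is echoed straight into the page.
    return "<p>Results for: %s</p>" % q


def search_page_safe(q):
    return "<p>Results for: %s</p>" % html.escape(q, quote=True)


def demo():
    comments.clear()
    post_comment("nice post")
    post_comment(PAYLOAD)
    return {
        "stored_unsafe": render_comments_unsafe(),
        "stored_safe": render_comments_safe(),
        "reflected_unsafe": search_page_unsafe(PAYLOAD),
        "reflected_safe": search_page_safe(PAYLOAD),
    }


if __name__ == "__main__":
    for name, page in demo().items():
        print(name, "->", page)
```

html.escape is correct only for text placed in an HTML body; values inserted into attributes, URLs or inline JavaScript need the encoding for that context.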
Cross-Site Request Forgery (CSRF)
• Unauthorized commands transmitted from a user that the website trusts, thus tricking it into accepting them as valid and authorized commands.
• Exploits the trust that a site has in the user's browser.
• Things you should know:
  • Reflected
  • Persistent
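Added example (not from the workshop slides) of the defence against the trust relationship described above: a per-session synchronizer token checked with a constant-time compare, plus an Origin header check. The request dictionaries, session store and origin names are constructed stand-ins for a real framework.

```python
import hmac
import secrets

# Placeholder origin of the protected site (constructed for the demo).
ALLOWED_ORIGIN = "https://app.example"

# Server-side session state: session id -> CSRF token.
sessions = {}


def new_session():
    sid = secrets.token_urlsafe(16)
    # One unguessable token per session; it is never sent in a cookie, so a
    # cross-site page cannot obtain it through the browser's automatic
    # cookie attachment.
    sessions[sid] = secrets.token_urlsafe(32)
    return sid


def render_form(sid):
    # The token is embedded in the site's own form. Another origin cannot
    # read this page (same-origin policy), so it cannot copy the token.
    return (
        '<form method="post" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="%s">' % sessions[sid]
        + '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(request):
    """request: dict with 'cookies', 'headers', 'form' (constructed shape)."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "no session"
    # Check 1: if the browser sent an Origin, it must be the site itself.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "bad origin"
    # Check 2: the submitted token must match the session's token.
    # compare_digest avoids leaking the token through timing differences.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sessions[sid]):
        return 403, "missing or invalid csrf token"
    return 200, "transferred %s" % request["form"].get("amount")


def demo():
    sessions.clear()
    sid = new_session()
    token = sessions[sid]
    # Legitimate submission from the site's own form.
    legit = {
        "cookies": {"session": sid},
        "headers": {"Origin": ALLOWED_ORIGIN},
        "form": {"csrf_token": token, "amount": "10"},
    }
    # Forged submission: the browser still attaches the victim's session
    # cookie, but the foreign page has neither the token nor the origin.
    forged = {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://evil.example"},
        "form": {"amount": "1000"},
    }
    # Forged submission with no Origin header at all: still fails on token.
    forged_no_origin = {
        "cookies": {"session": sid},
        "headers": {},
        "form": {"amount": "1000", "csrf_token": "guess"},
    }
    return {
        "legit": handle_transfer(legit)[0],
        "forged": handle_transfer(forged)[0],
        "forged_no_origin": handle_transfer(forged_no_origin)[0],
        "form_has_token": token in render_form(sid),
    }


if __name__ == "__main__":
    print(demo())
```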
# In this Lab
• Trying SQL Injection
• Trying XSS
• Trying CSRF
Your target is ...
When you are aiming for a Professional Career
Exploit Database
36845 Exploits Archived, 82454 CVE IDs, 3000 Modules on Metasploit, etc.
1. Exploit DB: https://www.exploit-db.com
2. Packet Storm: https://packetstormsecurity.com
3. Common Vulnerabilities & Exposures: https://cve.mitre.org
4. Rapid 7: https://www.rapid7.com/db/modules
(@rungga_reksya)
Bug Bounty Programs
- Bug Crowd: https://bugcrowd.com
- Bug Sheet: http://bugsheet.com
- Hacker One: https://hackerone.com
- Fire Bounty: https://firebounty.com
- Bounty Factory: https://bountyfactory.io
- Open Bug Bounty: https://www.openbugbounty.org
(@rungga_reksya)
Concept of Takeover System (flowchart; nodes: SQL Injection, XSS, Phishing, Make Form Upload, Login to MYSQL, Login to APP, Upload File, SHELL, PWN SVR)
(@rungga_reksya)
NMAP Features: Port States
1. Open: This indicates that an application is listening for connections on this port.
2. Closed: This indicates that the probes were received but there is no application listening on this port.
3. Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
4. Unfiltered: This indicates that the probes were received but a state could not be established.
5. Open/Filtered: This indicates that the port was filtered or open but Nmap couldn't establish the state.
6. Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn't establish the state.
(@rungga_reksya)
# In this Lab
• Good Luck!

IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Web Security Workshop : A Jumpstart

  • 12. The name dracOs comes from the Komodo dragon, a rare species found only in the Indonesian archipelago. Inspired by the Komodo's character: strong enough to kill its prey with minimum force, and a mouth carrying bacteria and viruses that quickly kill the prey.
  • 14. HISTORY: Project initiated on 12 June 2012 by Zico Ekel. Remastering of Ubuntu 10.04. The dracOs v2.0 Beta update still used Ubuntu. Project reinitiated in December 2015 with a radical change: adopting LFS.
  • 15. STYLE: OLD SCHOOL
  • 16. WHY
  • 17. "I am a l33t h@cker" LMAO. Doing something, but not knowing what they are doing.
  • 18. SOMEWHERE
  • 24. So... DRACOS LINUX
  • 26. FEATURES IN DRACOS: GTK MENU
  • 30. # In this Lab: Install dracOs; configure the network (use NAT or bridge); ping my machine from dracOs; try the user interface (DWM); install a package.
  • 31. ARE YOU A HACKER? You might be, but I am not.
  • 32. Information Security is Like Football (slide credit: rungga_reksya, also slides 33-36 and 42-45). Formation = Framework: ISO/IEC 27001, NIST SP 800 (Computer Security), PCI DSS, HIPAA, ISMF. GK / Defender: Sysadmin, Network, Firewall, SIEM, etc. Midfielder: InfoSec Officer, Risk Management, Internal Compliance, etc. Striker: InfoSec Consultant, Pentester, etc. Coach: Top Management, CISO. Supporter: Stakeholder. I am sure you are interested in the offensive side, the penetration tester.
  • 33. Three Critical Components of Information Security (the CIA triad): Confidentiality, Integrity, Availability.
  • 34. Penetration Testing Methodologies and Standards: Black box, White box, Gray box.
  • 35. Penetration Testing Frameworks: WASC (Web Application Security Consortium Threat Classification); OSSTMM (Open Source Security Testing Methodology Manual); OWASP (Open Web Application Security Project Testing Guide).
  • 36. OWASP Top 10 - 2010 (old) versus OWASP Top 10 - 2013 (new):
      2010-A1 Injection                                  | 2013-A1 Injection
      2010-A2 Cross Site Scripting (XSS)                 | 2013-A2 Broken Authentication and Session Management
      2010-A3 Broken Authentication and Session Management | 2013-A3 Cross Site Scripting (XSS)
      2010-A4 Insecure Direct Object References          | 2013-A4 Insecure Direct Object References
      2010-A5 Cross Site Request Forgery (CSRF)          | 2013-A5 Security Misconfiguration
      2010-A6 Security Misconfiguration                  | 2013-A6 Sensitive Data Exposure
      2010-A7 Insecure Cryptographic Storage             | 2013-A7 Missing Function Level Access Control
      2010-A8 Failure to Restrict URL Access             | 2013-A8 Cross-Site Request Forgery (CSRF)
      2010-A9 Insufficient Transport Layer Protection    | 2013-A9 Using Known Vulnerable Components (NEW)
      2010-A10 Unvalidated Redirects and Forwards (NEW)  | 2013-A10 Unvalidated Redirects and Forwards
      Three primary changes: merged 2010-A7 and 2010-A9 into 2013-A6; added new 2013-A9, Using Known Vulnerable Components; 2010-A8 broadened into 2013-A7. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 37. SQL Injection: injecting a snippet of SQL syntax to make the database give us information the developer never intended to expose. Root cause: unsanitized input. Things you should know: basics of SQL; UNION; DBMS-specific details; Unicode and character representation.
  • 38. Cross-Site Scripting (XSS): injecting a client-side script into a web page viewed by (other) users. Root cause: unsanitized input. Things you should know: reflected; persistent.
  • 39. Cross-Site Request Forgery (CSRF): unauthorized commands transmitted from a user that the website trusts, so the site treats them as valid and authorized commands. Exploits the trust that a site has in the user's browser. Things you should know: reflected; persistent.
  • 40. # In this Lab: Try SQL Injection; try XSS; try CSRF. Your target is ...
  • 41. When you are aiming for a Professional Career
  • 42. Exploit Databases: 36845 exploits archived, 82454 CVE IDs, 3000 modules on Metasploit, etc. Exploit DB: https://www.exploit-db.com; Packet Storm: https://packetstormsecurity.com; Common Vulnerabilities & Exposures: https://cve.mitre.org; Rapid7: https://www.rapid7.com/db/modules
  • 43. Bug Bounty Programs: Bugcrowd https://bugcrowd.com; Bug Sheet http://bugsheet.com; HackerOne https://hackerone.com; FireBounty https://firebounty.com; Bounty Factory https://bountyfactory.io; Open Bug Bounty https://www.openbugbounty.org
  • 44. Concept of Takeover System (diagram; only the node labels survive): SQL Injection, Login to MySQL, XSS, Phishing, Login to App, Make Form Upload, Upload File, Shell, PWN SVR.
  • 45. NMAP Features: port states. 1 Open: an application is listening for connections on this port. 2 Closed: the probes were received but no application is listening on this port. 3 Filtered: the probes were not received and the state could not be established; the probes are being dropped by some kind of filtering. 4 Unfiltered: the probes were received but a state could not be established. 5 Open/Filtered: the port is filtered or open but Nmap couldn't establish the state. 6 Closed/Filtered: the port is filtered or closed but Nmap couldn't establish the state.
  • 46. # In this Lab: Good luck!
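The SQL Injection slide (37) names the root cause, unsanitized input, but not the fix. The following is an added example, not code from the slides or from the dracOs project: it builds an in-memory SQLite table with constructed sample users and runs the same lookup twice, once built by string concatenation and once with a bound parameter, so the difference between input treated as syntax and input treated as data is visible on the same input. The table layout, the user names and the tautology input are all constructed for the demo.

```python
"""SQL injection: string concatenation versus parameterised queries.

Constructed demo (not from the slides or dracOs): an in-memory SQLite
users table, a vulnerable lookup and a hardened lookup side by side.
"""
import sqlite3

# Constructed sample data: names and addresses are made up.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation: the input becomes SQL syntax."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Binds the input as a parameter: the input stays data, never syntax."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal name and on the classic tautology input."""
    conn = make_db()
    # Constructed input: closes the quoted literal and appends an always-true clause.
    tautology = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "taut_vulnerable": lookup_vulnerable(conn, tautology),  # every row comes back
        "taut_safe": lookup_safe(conn, tautology),              # no row has that literal name
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The parameterised version is the fix, not input filtering: the driver ships the statement and the value separately, so no quoting trick in the value can change the statement's shape. The same rule covers the UNION technique the slide mentions, since a bound parameter cannot append a second SELECT either.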
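The XSS slide (38) distinguishes reflected and persistent XSS. The following is an added example, not code from the slides or from the dracOs project: a small comment board stands in for the persistent case (input is stored verbatim and rendered later) and a search echo for the reflected case (the request parameter is written straight back into the page), and both render through one function that HTML-escapes every value at output time. The board class, the page fragments and the marker input are constructed for the demo.

```python
"""Cross-site scripting: escape untrusted data at output time.

Constructed demo (not from the slides or dracOs): a comment board for the
persistent case and a search echo for the reflected case, both rendered
through html.escape so user text is displayed rather than executed.
"""
import html

# Constructed sample inputs: one benign, one carrying a script tag as a marker.
BENIGN = "Nice talk!"
MARKER = "<script>alert(1)</script>"


def render_comment_unsafe(text: str) -> str:
    """Interpolates raw user text into markup; a browser would run a script tag."""
    return f"<li>{text}</li>"


def render_comment(text: str) -> str:
    """Escapes <, >, &, and quotes so the text is displayed, not executed."""
    return f"<li>{html.escape(text, quote=True)}</li>"


class CommentBoard:
    """Persistent (stored) case: input is kept as-is and escaped only on render."""

    def __init__(self) -> None:
        self._comments: list[str] = []

    def post(self, text: str) -> None:
        # Store the original text. Escaping here would corrupt the data for
        # non-HTML consumers (JSON APIs, e-mails); escape for the output context.
        self._comments.append(text)

    def render(self) -> str:
        return "<ul>" + "".join(render_comment(c) for c in self._comments) + "</ul>"


def render_search_page(query: str) -> str:
    """Reflected case: the request parameter is echoed back into the page, escaped."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_live_script(markup: str) -> bool:
    """Crude check used by the demo: is an unescaped <script> tag present?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    board = CommentBoard()
    board.post(BENIGN)
    board.post(MARKER)
    print(board.render())
    print(render_search_page(MARKER))
```

The escaping shown is for HTML element content and attribute values; data placed inside a script block, a URL or a CSS rule needs the encoding of that context, and a Content-Security-Policy header is the usual second layer when escaping is missed somewhere.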
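The CSRF slide (39) says the attack exploits the trust a site places in the user's browser: the browser attaches the session cookie to a request the user never meant to send. The following is an added example, not code from the slides or from the dracOs project, of the synchronizer token pattern that breaks this: each session gets a random token that only the site's own pages can embed in a form, and a state-changing POST is accepted only when the submitted token matches the session's token in a constant-time comparison. The session store, handler signature and sample user are constructed for the demo.

```python
"""CSRF defence: synchronizer token bound to the session, checked in constant time.

Constructed demo (not from the slides or dracOs): an in-memory session store
and one state-changing handler that rejects requests lacking the token.
"""
import hmac
import secrets

_SESSIONS: dict[str, dict] = {}   # session_id -> {"user": ..., "csrf": ...}


def start_session(user: str) -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms as a hidden field."""
    return _SESSIONS[sid]["csrf"]


def handle_transfer(cookies: dict, form: dict) -> tuple:
    """State-changing POST handler; returns (status, message)."""
    sid = cookies.get("session")
    if sid not in _SESSIONS:
        return 401, "no session"
    expected = _SESSIONS[sid]["csrf"].encode()
    supplied = str(form.get("csrf", "")).encode()
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form.get('amount')} for {_SESSIONS[sid]['user']}"


def demo() -> dict:
    """Same cookie, two requests: one from the site's own form, one forged cross-site."""
    sid = start_session("alice")                       # constructed user
    legit = {"amount": "10", "csrf": csrf_token_for(sid)}
    forged = {"amount": "10"}                          # a cross-site form cannot read the token
    return {
        "legit": handle_transfer({"session": sid}, legit),
        "forged": handle_transfer({"session": sid}, forged),
        "no_cookie": handle_transfer({}, legit),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

A forged request carries the victim's cookie automatically but cannot carry the token, because the attacking origin cannot read the site's pages. In a real deployment the token check sits beside a SameSite cookie attribute, and the token is regenerated on login so a pre-login value cannot be fixed by an attacker.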