OWASP AppSec Latam 2013

Today, all the well-known companies have lots of Web applications with vulnerabilities such as INJECTIONS; somehow they remain confident about them, WHY??

Well, this is mainly because they think they have a silver bullet called Web Application Firewall (WAF). This device is like IPS or IDS. WAF catches the requests and analyzes them looking for some malicious code like SQL, JAVA Script, LDAP, etc. If it finds any of them, the WAF blocks the request and sends an alert or just drops the request.

This is the ideal scenario but, as it always happens with any defense tool, there are lots of ways to bypass them. In this case, the way is using a new framework that is called ByWaf. ByWaf has the ability to bypass a WAF but also it can be a complete tool to exploit vulnerability in web applications.

The idea came three months ago, when I was pentesting a Web Application and found that it had a WAF, and that there were a few tools that could be useful for this objective.

A couple of weeks after, I found some other people with the same issue like mine. We got along and agreed to make this new framework for the OWASP community.

The topics covered in this talk are:

About me
Some references about me in the battle field in Web Application Penetration Testing and how I heard from OWASP?

About OWASP (real life)
How companies, consultants, hackers and so on, use OWASP on a daily basis. What can we find into it?

What is an OWASP Project?
Concepts about OWASP projects, types, how to get into them.

What is WAF?
Colors, flavors, and more about them.

How it works?
How the devil works trying to give us a hard time.

How to detect WAFs?
From console to some tools.

How to bypass them?
Some ways to make it look like fool

ByWaf Project
Past
Present
Future

Demo

After several security conferences and trainings and explaining to the management about the importance of security in the Software Development Life Cycle (SDLC) there are several companies and development teams creating "secure software" implementing OWASP Top 10 controls and other security best practices of the market.



The main objective of this paper is to make a review of those best practices implemented in companies with a mature view of software security and as a second objective to explain how to exploit those applications.



_We believe in Software Security

- How to embed security in the SDLC

- OWASP Top 10 2013

- Best Practices

- Integrated Tools

- I don´t want pentesters saying "LoL" about our software



_Exploiting is sexy!

- What we missed up?

- What after OWASP Top 10?

- Where can I find exploits?

- Where can I find new exploits?

- How to exploit "Secure Software"?



_LAB - Exploiting Secure Software Life Cycle (ESSLC)

- Secure Software Development

- Secure OS Hardening

- Secure Configuration & Architecture

- OWASP Top 10 Compliance Phase

- Code Review (internal and external)

- Secure Testing

- External VA

- External pentesting

- EXPLOTATION



_Conclusion

We´ve a long road to ride in other to protect agains all the OWASP Top 10 risks but attackers knows the OWASP TOP 10 and they know the companies who are working on protection because of the information disclosed in job post, RFPs, etc so we could predict the use of different types of attacks across those kind of companies across the globe. So we need to define OWASP Top 10 as the minimal baseline that we need to implement but always remembering that it is not the only thing that we should be aware of. Let´s protect our software agains well-known and also new vulnerabilities or new technology breaches.

Cada vez más empresas están poniendo sus infraestructuras en la nube. Esta alternativa brinda grandes beneficios a nivel de los costos y la gestión, pero introduce riesgos de seguridad diferentes a los que presentan las infraestructuras tradicionales. Esta charla esta orientada a conocer los principales riesgos de seguridad identificados en el OWASP Cloud Top 10 y acciones que pueden tomarse para mitigarlos y mejorar la seguridad en la nube.

En esta charla se hablará de los diferentes tipos de ataque del lado cliente que se pueden dar debido a un mal filtro de inputs y outputs.

El dom de un navegador es un lugar cada vez mas interesante para explorar, debido a que muchos sites no validan el javascript y quedan vulnerables, casi ningun scanner incluye busqueda de dom xss.

Se hablará de como encontrarlos, como explotarlos y como mitigarlos.