Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Conference Talk [clear filter]
Thursday, October 3
 

3:10pm

WAFs are for excuses, ByWaf knows it
Today, all the well-known companies have lots of Web applications with vulnerabilities such as INJECTIONS; somehow they remain confident about them, WHY??

Well, this is mainly because they think they have a silver bullet called Web Application Firewall (WAF). This device is like IPS or IDS. WAF catches the requests and analyzes them looking for some malicious code like SQL, JAVA Script, LDAP, etc. If it finds any of them, the WAF blocks the request and sends an alert or just drops the request.

This is the ideal scenario but, as it always happens with any defense tool, there are lots of ways to bypass them. In this case, the way is using a new framework that is called ByWaf. ByWaf has the ability to bypass a WAF but also it can be a complete tool to exploit vulnerability in web applications.

The idea came three months ago, when I was pentesting a Web Application and found that it had a WAF, and that there were a few tools that could be useful for this objective.

A couple of weeks after, I found some other people with the same issue like mine. We got along and agreed to make this new framework for the OWASP community.

The topics covered in this talk are:

About me
Some references about me in the battle field in Web Application Penetration Testing and how I heard from OWASP?

About OWASP (real life)
How companies, consultants, hackers and so on, use OWASP on a daily basis. What can we find into it?

What is an OWASP Project?
Concepts about OWASP projects, types, how to get into them.

What is WAF?
Colors, flavors, and more about them.

How it works?
How the devil works trying to give us a hard time.

How to detect WAFs?
From console to some tools.

How to bypass them?
Some ways to make it look like fool

ByWaf Project
Past
Present
Future

Demo

Speakers
avatar for Rafael Gil Larios

Rafael Gil Larios

Supervising Sr., KPMG
Ha desarrollo consultoría, pruebas de penetración, revisión de aplicaciones Web y revisión de código en industrias como: Financieras, Retail, Bancarias, Legales, Broadcasting, Telecomunicaciones, Hosting, Hoteleras, Manufactura, etc. Ha realizado auditorías, revisiones e implementaciones de controles del estándar ISO 27001 en industrias como: Financieras, Call Centers, Servicios, etc. Ha realizado revisiones y consultoria en... Read More →


Thursday October 3, 2013 3:10pm - 4:00pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru
 
Friday, October 4
 

9:50am

Exploiting Secure Software
After several security conferences and trainings and explaining to the management about the importance of security in the Software Development Life Cycle (SDLC) there are several companies and development teams creating "secure software" implementing OWASP Top 10 controls and other security best practices of the market.



The main objective of this paper is to make a review of those best practices implemented in companies with a mature view of software security and as a second objective to explain how to exploit those applications.



_We believe in Software Security

- How to embed security in the SDLC

- OWASP Top 10 2013

- Best Practices

- Integrated Tools

- I don´t want pentesters saying "LoL" about our software



_Exploiting is sexy!

- What we missed up?

- What after OWASP Top 10?

- Where can I find exploits?

- Where can I find new exploits?

- How to exploit "Secure Software"?



_LAB - Exploiting Secure Software Life Cycle (ESSLC)

- Secure Software Development

- Secure OS Hardening

- Secure Configuration & Architecture

- OWASP Top 10 Compliance Phase

- Code Review (internal and external)

- Secure Testing

- External VA

- External pentesting

- EXPLOTATION



_Conclusion

We´ve a long road to ride in other to protect agains all the OWASP Top 10 risks but attackers knows the OWASP TOP 10 and they know the companies who are working on protection because of the information disclosed in job post, RFPs, etc so we could predict the use of different types of attacks across those kind of companies across the globe. So we need to define OWASP Top 10 as the minimal baseline that we need to implement but always remembering that it is not the only thing that we should be aware of. Let´s protect our software agains well-known and also new vulnerabilities or new technology breaches.

Speakers
avatar for Mateo

Mateo

More than 10 years of experience in IT & Security strategy, Business Continuity Management,ISO 27001, CobIT and ITIL. | Projects based in Dubai, Chicago, Montevideo and Buenos Aires. | Project Manager in many IT Projects and business development in ITO and Software development. | | I´m CISSP, ITIL & MCP certified. | | Specialties:E-governance, CobIT, ITIL, ISO 27001, Software Security, PHP, Information Security... Read More →


Friday October 4, 2013 9:50am - 11:25am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

11:00am

Seguridad en la Nube - OWASP Cloud Top 10
Cada vez más empresas están poniendo sus infraestructuras en la nube. Esta alternativa brinda grandes beneficios a nivel de los costos y la gestión, pero introduce riesgos de seguridad diferentes a los que presentan las infraestructuras tradicionales. Esta charla esta orientada a conocer los principales riesgos de seguridad identificados en el OWASP Cloud Top 10 y acciones que pueden tomarse para mitigarlos y mejorar la seguridad en la nube.

Speakers
avatar for Mauro Flores

Mauro Flores

Gerente, Deloitte
Mauro Flores tiene más de 15 años de experiencia en Seguridad de la Información. Ha participado en proyectos de diseño, especificación y desarrollo de aplicaciones de seguridad para diferentes empresas de Uruguay y el exterior, incluyendo trabajos de Reserarch & Develop en seguridad para empresas de UK y USA. Ha realizado más de 50 hackeos éticos, diversos trabajos de análisis forense... Read More →


Friday October 4, 2013 11:00am - 11:50am
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru

2:00pm

Dom Based Xss
En esta charla se hablará de los diferentes tipos de ataque del lado cliente que se pueden dar debido a un mal filtro de inputs y outputs.

El dom de un navegador es un lugar cada vez mas interesante para explorar, debido a que muchos sites no validan el javascript y quedan vulnerables, casi ningun scanner incluye busqueda de dom xss.

Se hablará de como encontrarlos, como explotarlos y como mitigarlos.

Speakers
avatar for Camilo Galdos AkA Dedalo

Camilo Galdos AkA Dedalo

Pentester, Open-Sec
Has been working as developer since 16 years old, after two years started working as a Pentester and Security Researcher and haven't stop hacking since that day. Actually he has been Acknowledged By Adobe, MicroSoft, Paypal, Apple and others because he has find Security holes in their systems. | | He works full time as a Pentester, in his free times he writes in his personal InfoSec blog SeguridadBlanca.in and win bug bounty programs for... Read More →


Friday October 4, 2013 2:00pm - 2:50pm
Conference Auditorium Escuela de Postgrado UTP Salaverry 2443, Lima, Peru