This document summarizes an OWASP event held in Hong Kong in July 2013. It includes introductions of the chapter leaders and researchers, an agenda for presentations on the OWASP Top 10 2013 update, mobile browser XSS flaws, length extension attacks, and capture the flag (CTF) games for security training. Sample CTF questions are provided to illustrate how these games can help develop skills in cryptography, forensics, and vulnerability exploitation. The event aims to provide practical security training and foster a community of researchers.
Slide 2 - OWASP
OWASP Standard
Web application security and awareness
Top 10, coding guidelines and tools
Well-known industry standard, established for nearly 10 years.
Good reference for web application developers, security officers, penetration testers, IT security management, compliance officers and auditors.
Slide 3
OWASP Membership and Our Approach
Membership launched
APAC Chapters: 20 USD per year for an individual member (a real bargain!)
Corporate members are welcome (5000 USD per year)
We commit to 3-4 half-day events per year
From the next seminar on, only paid members can join the event.
No bullshit, no sales talk, no starch, practical work and research. :-)
Slide 4
RIP. He passed away in SF before Blackhat, where he was to disclose a hack against heart pacemakers.
Slide 6
Speaker Biography and Introduction
Alan HO
Worked as an Application Security specialist
Experienced developer
Passionate about Android and Web hacking
VXRL security researcher and CTF crew member
SANS GWAPT (Gold paper) holder
Slide 7
Speaker Biography and Introduction
Zetta KE
PhD student in Information Systems at HKUST
VXRL Researcher and CTF MVP (Most Valuable Player)
Passionate about Web hacking, Crypto and PHP
Leads web hacking and penetration testing workshops at Polytechnic University and HKPC with Anthony Lai.
Slide 8
Speaker Biography and Introduction
Anthony LAI
Chapter Leader, OWASP HK Chapter
Founder and Researcher, VXRL
Focuses on penetration testing, reverse engineering, malware analysis and incident response.
Passionate about CTF wargames
Spoke at DEFCON 18-20, Blackhat USA 2010, AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012
SANS GWAPT, GREM and GCFA mentor
Slide 9
Agenda
Introduction (10 minutes)
OWASP Top 10 2013 Update (Anthony) (15-20 minutes)
XSS flaws in mobile phone browser (Alan) (30-40 minutes)
15 minutes break
Length Extension Attack (Zetta) (30-40 minutes)
CTF for fun and profit (Anthony) (15-20 minutes)
Slide 17
OWASP Top 10 Details and follow up
Left to you to read over
It is a process you must walk through:
Identify the top items on the web applications you manage or own.
Implement guidelines and policy with reference to the OWASP standard.
Slide 22
What is a CTF game?
You need to get the key (flag) for points
Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hacking and miscellaneous.
Top teams can enter the final round of the contest
DEFCON, Plaid CTF, Codegate and Secuinside are famous CTFs on the planet, and we join every year.
Slide 23
Why do we enjoy playing?
Challenges are practical
Need your knowledge
Need your skills
Understanding vulnerabilities
Thinking like an attacker
Trains you to use the proper tools
Slide 24
Our rank? Any rewards?
www.ctftime.org
4th prize in HITCON CTF 2013 (19-20 July, Taipei)
Slide 28
Question 1
There are a couple of things to note:
We must do the operations in reverse order, since this is the inverse function.
The hex2bin function is only available in PHP >= 5.4.0. We had to resort to the documentation to find the alternative: pack("H*", $str)
Slide 31
Question (3) – Django RCE Vulnerability
HITCON 2013 Pwn500 question
Django Remote Code Execution (RCE) vulnerability
Django uses a library called Pickle to serialize the session object into a string, which is stored in a cookie signed with a key. The reverse action is called "Unpickle".
However, the Pickle library has always trusted the data passed to it without validation.
Discovered in 2011.
Slide 33
If the key leaks
We could generate our own cookie and sign it ourselves.
Slide 34
We could even include command execution:
1. Generate and sign the new cookie with command execution.
2. Replace the original cookie with our generated one.
Slide 36
More than that, we could get the key from the server by changing our command to read a file instead ...
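To show why a signature check alone does not save a pickled session once the key is known, and what the fix looks like, here is an added example (not code from the slides, HITCON or Django): a constructed HMAC-SHA256 signed cookie scheme with a demo key standing in for the leaked one, loaded three ways. The weak loader trusts pickle after the MAC passes, so a forged-but-validly-signed cookie gets its chosen callable invoked on load (harmless str.upper here); a restricted unpickler and a JSON loader refuse or simply cannot carry such content.

```python
import base64, hashlib, hmac, io, json, pickle

# Constructed demo key: stands in for the server's signing key that the slides assume has leaked.
SECRET = b"constructed-demo-secret-key"

def sign(payload: bytes, key: bytes) -> str:
    """Cookie = base64(payload) '.' base64(HMAC-SHA256(key, payload))."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, mac))

def verify(cookie: str, key: bytes) -> bytes:
    """Return the payload only if its MAC checks out: a valid MAC proves who signed, not that the bytes are safe."""
    body, mac = cookie.split(".")
    payload = base64.urlsafe_b64decode(body)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac)):
        raise ValueError("bad cookie signature")
    return payload

class RestrictedUnpickler(pickle.Unpickler):
    """Session data is plain dicts/strings/ints, so every global lookup is refused."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def load_pickle(cookie: str, key: bytes):      # weak design: trust pickle once the MAC passes
    return pickle.loads(verify(cookie, key))
def load_restricted(cookie: str, key: bytes):  # hardened: pickle, but data only
    return RestrictedUnpickler(io.BytesIO(verify(cookie, key))).load()
def load_json(cookie: str, key: bytes):        # hardened: a format with no object reconstruction
    return json.loads(verify(cookie, key))

class ForgedSession:
    """Whoever holds the key can sign any pickle. __reduce__ makes the unpickler call a
    function chosen by the cookie's author; harmless str.upper stands in for the slides' command."""
    def __reduce__(self):
        return (str.upper, ("forged",))

def demo() -> dict:
    good = sign(pickle.dumps({"user": "alice"}), SECRET)
    forged = sign(pickle.dumps(ForgedSession()), SECRET)  # valid MAC, hostile content
    results = {"good_pickle": load_pickle(good, SECRET),
               "good_restricted": load_restricted(good, SECRET),
               "forged_pickle": load_pickle(forged, SECRET)}  # "FORGED": callable ran on load
    try:
        load_restricted(forged, SECRET)
    except pickle.UnpicklingError as exc:
        results["forged_restricted"] = str(exc)
    results["good_json"] = load_json(sign(json.dumps({"user": "alice"}).encode(), SECRET), SECRET)
    return results
```

Rotating the key after a leak invalidates forged cookies, but only switching the session format (or refusing globals) removes the deserialization code path itself.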
Slide 37
CTF fun and profit
The fun is to practice our security skills and "kungfu"
The profit is earning knowledge and building trust and friendship.
Sometimes we even get a reward :)
Slide 38
Thank you for listening
anthonylai@owasp.org
alanh0@vxrl.org
Ozetta@vxrl.org
P.S.: Non-members are not guaranteed to get the slides; it depends on whether the speakers are willing to share them.