OWASP Belgium Chapter Meeting #4

by admin

This meeting was hosted on the first evening of the BruCon conference, on the 26th of September 2012, in cooperation with the ISSA organization. The slide shows for the presentations can be found here: https://www.owasp.org/index.php/Belgium

 

First talk: Introducing the Smartphone Penetration Testing Framework

A talk by Georgia Weidman about the framework she created for smartphone penetration testing. This framework works on both Android and iOS phones. Its menu structure is similar to that of the SET (Social Engineering Toolkit). The demos included several ways to attack smartphones and then leverage control of the smartphone to gain entry into an organization.


Second talk: Why your security products suck...


A talk by Joe McCray on the workings of web application firewalls and different ways of circumventing a WAF. The WAF blacklists are a bunch (actually a lot) of rules that stop certain parameters from being entered (e.g. "1 = 1"). These rules often work using regular expressions and can often be defeated using the following techniques:

  • encode the parameter multiple times in different encodings
  • create a variant of the parameter that falls outside of the regular expression (e.g. "3 > 4")
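The two bypass techniques above are easy to reproduce against a regex blacklist, and just as easy to reason about from the defending side. The following is an added illustration, not code from the talk or from any WAF product: it uses a constructed rule for the "1 = 1" pattern and shows that a filter which canonicalizes (repeatedly percent-decodes) its input before matching closes the multiple-encoding gap, while the "variant outside the regex" gap remains, which is why blacklisting alone is never a sufficient control.

```python
import re
from urllib.parse import unquote

# Constructed blacklist rule of the kind described in the talk: it looks for
# the classic always-true comparison "1 = 1" with optional surrounding spaces.
TAUTOLOGY_RULE = re.compile(r"\b1\s*=\s*1\b")


def naive_filter(value: str) -> bool:
    """Naive WAF check: apply the regex to the raw parameter value as received."""
    return bool(TAUTOLOGY_RULE.search(value))


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (bounded to avoid looping),
    so a parameter that was encoded several times is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_filter(value: str) -> bool:
    """Hardened WAF check: canonicalize first, then apply the same regex."""
    return bool(TAUTOLOGY_RULE.search(canonicalize(value)))


def compare_filters(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {label: (naive_blocked, canonical_blocked)} for each sample."""
    return {label: (naive_filter(v), canonical_filter(v)) for label, v in samples.items()}


# Constructed sample parameter values: the plain pattern, the same pattern
# URL-encoded once and twice, and a variant the rule simply does not describe.
SAMPLES = {
    "plain": "1 = 1",
    "encoded_once": "1%20%3D%201",
    "encoded_twice": "1%2520%253D%25201",
    "variant": "2 = 2",
}

if __name__ == "__main__":
    for label, (naive, canonical) in compare_filters(SAMPLES).items():
        print(f"{label:14s} naive={naive!s:5s} canonical={canonical!s:5s}")
```

The "variant" row is the important one: decoding fixes the encoding bypass, but no amount of regex tuning keeps up with equivalent expressions, so the durable fix lives in the application (parameterized queries, input validation), with the WAF as a detection layer in front of it.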

Joe brought some security products to use in his demo, and the audience had the chance to play with them as well.

 

Discussion: Pentesting, legal aspects

A discussion session moderated by me, intended to start a project through which companies in Belgium could obtain template contracts for penetration tests. These templates would come with some explanation, so that both parties are aware of their duties and rights.

The result of this discussion will hopefully be the start of such documents; further information will follow.

 
