OWASP Cork

Details, registration and communications for all chapter meetings are handled primarily on our meetup.com page: http://www.meetup.com/OWASP-Cork/

**Becoming a chapter sponsor means that your organisation is mentioned in meeting promotion (including on this page if desired), recognised at the beginning of the meeting, and able to provide promotional material at the meeting. We currently have the following sponsorship options available:**

- €250 for an individual meeting sponsorship
- €1500 for annual chapter sponsorship

**Contact any of the board members below for more information.**

OWASP Cork Leadership

Should you have a question about the local chapter, or would like to get more involved, contact any of the following people:

Chapter Leads:

Chapter Meetings - 2019

Jan 2019 Meeting - Christiaan Beek: Threat Group Fingerprints, with VR Demo


When

5th Jan 2019
Doors: 6pm

SLIDES FOR THIS MONTH

Slides - Christiaan Beek: Threat Group Fingerprints

DESCRIPTION

Talk Details

The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk-wiping attack from 4 July 2009 have with WannaCry, one of the largest cyber attacks in the history of the cyber sphere?

From the Mydoom variant Brambul, to the more recent FallChill, WannaCry, and targeting of cryptocurrency exchanges, there is a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor. Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal. In this session, attendees will view code analysis illustrating key similarities between samples attributed to North Korea, a shared networking infrastructure, and other revealing data hidden within the binaries. All of these puzzle pieces will be put together, using a VR demo to illustrate the connections between the many attacks attributed to North Korea and to categorize the different tools used by specific teams of its cyber army.

About Christiaan

Christiaan Beek, lead scientist & sr. principal engineer, is part of McAfee's Office of the CTO, leading strategic threat intelligence research within McAfee. He coordinates and passionately leads research into advanced attacks, plays a key role in cyberattack take-down operations and participates in the NoMoreRansom project. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee's forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs threat intelligence systems, performs malware and forensic analysis and pentesting, and coaches security teams around the globe. He is a passionate cybercrime specialist who has developed training courses, workshops, and presentations. He speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides conferences, he also frequently teaches at universities, police academies and public schools to recruit, mentor and train the next generation of cyber-security specialists. Beek contributed to the best-selling security book "Hacking Exposed" and has two patents pending. Twitter: @ChristiaanBeek

Afterwards ...

As usual we will hang around for chats and maybe a beer.

Chapter Meetings - 2018

December 2018 Meeting - OWASP Cork New Leaders Meetup


When

TBD
Doors: TBD

SLIDES FOR THIS MONTH

N/A

DESCRIPTION

What's this?

Meetup for new leadership team to get to know each other and discuss the chapter.

October 2018 Meeting - Exploring the Digital Underworld and MITRE ATT&CK Technique Automation

When

16 Nov 2018
Doors: 7pm

SLIDES FOR THIS MONTH

TBD

DESCRIPTION

Gavin O'Gorman with "Exploring the Digital Underworld" and Eamonn Ryan with "MITRE ATT&CK Technique Automation"

Talk 1: Gavin O’Gorman

Gavin has been working in Symantec for the past nine years and is an intelligence analyst on the attack investigations team. Before moving to the attack investigations team in 2013, he worked as a reverse engineer and as an incident handler. Gavin's primary role is to gather information from both Symantec data sources and open sources to build a comprehensive picture of an attack, or of attackers. Another aspect of the job is to work with law enforcement to assist in the investigation of e-crime where possible. Prior to working in Symantec, Gavin spent several years researching network security in Dublin City University, and currently lectures part-time for the DCU Masters in Security & Forensics course.

Talk Description - "Exploring the Digital Underworld"
Gavin will be talking about how over the past year, researchers in Symantec have been tracking a group they refer to as Hayworm. From what appeared to be a disparate set of unrelated victims, Symantec researchers have been able to identify the operators behind these attacks, and their motivation. Gavin will describe the investigation, including how the attackers work, and how researchers managed to identify them.

Talk 2: Eamonn Ryan

Eamonn has been working with McAfee for 2.5 years and has been working within the security realm for 5 years. He has worked in a blue team environment and also in a more red team focused role, so he can see both sides of the equation!

Talk Description - "MITRE ATT&CK Technique Automation"

If you have been following security news recently, you may have heard about the MITRE ATT&CK framework. MITRE describe it as follows: "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community." Eamonn has been using this framework and automating the respective techniques. This talk will describe and demonstrate these automations, with a focus on some of the hacking techniques mentioned during Gavin's talk.

... Afterwards ...

We will hang around for chats and maybe a beer.

Chapter Meetings - 2017

December 2017 Meeting - OWASP Ireland Secure Coding Tournament


When

Monday 5 Dec 2017
Doors: 18:30
Tournament starts: 19:00

SLIDES FOR THIS MONTH

n/a

DESCRIPTION

OWASP Ireland Secure Coding Tournament

Have you got what it takes to be one of Ireland’s most secure coders?

Join the first ever OWASP Ireland Secure Coding Tournament, whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and watch as you climb to the top of the leaderboard, or simply want to learn at your ease how to code more securely.

EVERYONE is welcome.

In each challenge, participants will be presented with a series of vulnerable code snippets and will be required to identify the problem, locate the insecure code, and fix the vulnerability. Select from various software languages to complete the tournament, including: Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django & Node.js.

Watch as you climb to the top of the leaderboard and be crowned a 'Secure Code Warrior.'

A top prize (at each location) of a €250 All4one voucher is up for grabs. Other prizes include a drone and a €150 Amazon voucher.

Please ensure you come with your laptop fully charged, there will be some charging facilities but it would be better for you to arrive prepared.

To learn more about what to expect during the Tournament and sharpen your skills beforehand, register your account and work through challenges on our Training Mode, simply use the link and token key below (this is not a registration for the meetup, just for the platform, so don't forget to RSVP here on meetup.com too!):

Link:

https://portal.securecodewarrior.com/#/register

Token Key:027 549 455 533

ARE YOU IRELAND'S SECURE CODE WARRIOR?

Afterwards ...

As usual we will hang around for some chats.

Chapter Meetings - 2016

October 2016 Chapter Meeting - Anatomy of an Attack


When

Monday 10 Oct 2016
Doors: 20:00
Talks start: 20:10

SLIDES FOR THIS MONTH

Anatomy of an Attack by Owen Pendlebury

Since we had sound problems for one of the videos, they can be found here: Cyber Security. Evolved. and Companies Like Yours

DESCRIPTION

The Anatomy of an Attack

Stories of organisations getting hacked are becoming so frequent that it would be easy to believe that there’s no real way to avoid being the next target. I will outline what we know, what incident data tells us and what the typical motive is behind these hacks. Furthermore, I will walk you through the three stages of an attack (footprinting, scanning and exploitation) and discuss some recent hacks and what we can learn from them.

Speaker Bio: Owen Pendlebury

Owen has been involved in the OWASP Foundation since 2009. He has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 7 years. Some of the projects that Owen has been involved in include, AppSec EU 2016/ 2017 Committee/ Training Committee chair, AppSec EU 2017 successful bid, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops.

Owen is currently a manager in Deloitte Ireland and has over 7 years' penetration testing experience, working as part of a global attack & penetration team for a number of organisations including a "Big 4" professional services company. With in-depth experience of application and network penetration testing, Owen has worked with many local and global institutions to improve their security posture.

Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way into the security community by making himself available to them through all media.

Afterwards ...

We will bring in some pizza and grab some beers from downstairs in the Roundy.

March 2016 Chapter Meeting - Deserialization is bad, and you should feel bad


When

Monday 11 March 2016
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

Meeting Intro

Deserialization is bad, and you should feel bad! By Gabriel Lawrence

DESCRIPTION

Deserialization is bad, and you should feel bad

This chapter meeting will be delivered by Gabriel Lawrence, who will be speaking about object deserialization bugs in some of the most popular programming languages, web servers and sites. This is a major class of application security vulnerability; he and Chris Frohoff advanced the research on it and released generalised exploit tools at AppSec Cali 2015. It was almost a year later, when specific working exploits were released against many major Java services, that the world realised how much of a big deal the findings from their research into deserialization were. Sites including PayPal and a number of Java-based systems, including WebLogic, WebSphere, JBoss and Jenkins, were found to be remotely exploitable, giving the attacker full remote access to the associated server. To this day, and without a doubt well into the future, deserialization vulnerabilities will continue to be discovered as a result of this work.
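As an added illustration of the bug class (this is not code from the talk or from the Frohoff/Lawrence research, which targeted Java), the same flaw in Python: `pickle` lets a serialised object name any importable callable, so loading attacker-controlled bytes runs attacker-chosen code at load time. The `Gadget` class, the expression it evaluates and the allow-listed unpickler are constructed for this example; the `RestrictedUnpickler` pattern follows the "Restricting Globals" recipe in the Python `pickle` documentation. The payload calls `eval` on a harmless expression to keep the demonstration safe, where a real one would call `os.system`.

```python
import io
import pickle

# Attacker-chosen expression. Deliberately harmless; the point is that the
# deserialiser evaluates whatever text the attacker put in the blob.
EXPR = "__import__('os').getcwd()"


class Gadget:
    """Constructed payload class. pickle honours __reduce__, so the serialised
    form says "call eval(EXPR)" and the unpickler obeys while loading.
    The Gadget class itself never appears in the blob; only builtins.eval does."""

    def __reduce__(self):
        return (eval, (EXPR,))


def build_malicious_blob():
    return pickle.dumps(Gadget())


def build_benign_blob():
    # Constructed sample of the data the application genuinely expects.
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})


def load_vulnerable(blob):
    """pickle.loads on untrusted bytes: the attacker's callable runs in here."""
    return ("ok", pickle.loads(blob))


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list every global the format is permitted to resolve. Plain dicts,
    lists, strings and numbers need no globals at all, so an empty allow-list
    already covers the benign blob above. Keep builtins such as eval, getattr
    and __import__ out of the list, since each is a code-execution primitive."""

    ALLOWED = set()  # (module, name) pairs the application really needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(blob):
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(blob)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    print(load_vulnerable(build_malicious_blob()))   # ('ok', '<current directory>')
    print(load_restricted(build_malicious_blob()))   # ('refused', 'refusing to resolve builtins.eval')
    print(load_restricted(build_benign_blob()))      # ('ok', {'user': 'alice', 'roles': ['viewer']})
```

Restricting `find_class` narrows the attack surface but does not remove it, and the same holds for Java look-ahead deserialization filters: the robust fix is a data-only format such as JSON for anything that crosses a trust boundary.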

Speaker Bio: Gabriel Lawrence

Gabriel Lawrence leads the Application Security team at Qualcomm, San Diego, doing Application Security Assessments, Penetration Tests, Incident Response, Reverse Engineering, and anything else that comes his way. Gabe is an active member of the very successful San Diego OWASP Chapter and has been involved with OWASP as an organization from the time of its inception.

Afterwards ...

We will bring in some pizza and grab some beers from downstairs in the Roundy.

Chapter Meetings - 2015

November Chapter Meeting - PCI DSS Pen Testing / IAM (Identity & Access Mgmt)


When

Thursday 12th Nov 2015
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

TBD - After event

DESCRIPTION

On Thursday November 12th we have two great speakers lined up for our next chapter meeting. Both possess great experience in their respective areas, so they can get across the information and answer the questions that might not be so easy to find in the books. Stephen O'Boyle will talk about PCI DSS (Payment Card Industry Data Security Standard), the set of compliance requirements that you must adhere to if you store, transmit or process credit card information. This will be followed by Barry Mulcahy's valuable information on management of identity and access to data across systems.

Also, thanks to the kind sponsorship from Espion on the night there will be some food and drinks provided too. No doubt, this should be a great night :)

Talk #1 - PCI DSS v3.1 Scanning and Penetration Testing

Stephen will discuss the key changes in PCI DSS Version 3.1, examine penetration testing methodology from the auditor’s point of view, and how you can maintain compliance.

Key Takeaways will include

∙ PCI DSS Pentest / Scanning overview

∙ Migrating from V2 to V3.1

∙ Changes to penetration testing requirement 11.3

∙ Scanning vs pen testing

∙ What the auditor expects from pen testing

∙ Example methodology

Speaker Bio: Stephen O'Boyle

Stephen heads up Espion's Professional Services team and has been a PCI Qualified Security Assessor since 2008. He is an experienced information security, risk and compliance consultant with over ten years' experience in information security in both domestic and international markets. Stephen has extensive experience in performing PCI audits and consultancy, information security and risk management assessments, network and architecture security reviews, application security reviews and penetration testing, and in assisting organisations in aligning their information security posture to their business objectives. Stephen has worked across a wide range of industry verticals, including government, financial, education and technology.

Talk #2 - Identity and Access Management (IAM)

This talk will focus on Identity and Access Management (IAM): what it is and how it fits into the security landscape. It will outline the lifecycle of an identity (hello, new hire Alice!) and how we move from having an identity to having access, cover some of the common pitfalls encountered during IAM integration projects, and look at analytics techniques for IAM that smooth the integration path, validate controls and provide Business Intelligence (BI) useful for process improvement and security auditing. The talk will conclude by looking at some of the recent trends in IAM and some pointers for the future.

Speaker Bio: Barry P. Mulcahy

Barry received a B.Sc. in computer science from UCC in 2001 and a Ph.D. in distributed security systems from UCC in 2008. His academic experience involves R&D in distributed security systems with an emphasis on data aggregation, analytics and workflows. While working in Waterford IT as a security researcher he was involved in several large European FP7 projects including CoMiFin, EternalS and Aniketos. His commercial roles include Identity and Access Management (IAM) Project Manager at Onaware-Mycroft. This boutique IAM integration house catered primarily for financial institutions. Barry is currently part of the Qualcomm Web Authentication team, helping design and implement security controls for authentication and authorization in Qualcomm’s global IT infrastructure.

https://ie.linkedin.com/in/barrymulcahy

Afterwards ...

We might have a few sneaky pints afterwards, and you are all welcome to join us.

We are having the talks in Cashman's Bar on Academy Street so we will stay on there.

Top 10 Workshop #5 (Broken Auth & Session Mgmt, Security Misconfiguration and Sensitive Data Exposure) - 15 Oct 2015


When

Thursday 15th Oct 2015
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

Slides - A2, A5 and A6

DESCRIPTION

Topics:

- A5 Security Misconfiguration
- A2 Broken Authentication and Session Management
- A6 Sensitive Data Exposure

Hi all,

On Thursday, October 15th, we are holding the last of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: During the previous workshops we set up our machines to be ready for web penetration testing. Anyone who has done this can continue as such, but if you have not, no problem, we can help you set up the one or two main tools that we will need for that night. That should only take a couple of minutes. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install. Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into four parts:

1. Top 10 2013 - A5 - Security Misconfiguration

Delivered by: Fiona Collins

Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc., however these should not be relied upon.

https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

2. Top 10 2013 - A2 - Broken Authentication and Session Management

Delivered by: Darren Fitzpatrick

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

3. Top 10 2013 - A6 - Sensitive Data Exposure

Delivered by: Fiona Collins

The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.

https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
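The A2 and A6 sections above both come back to the same mistake: a home-grown password store using a fast, unsalted hash. The following example is added here (it is not from the workshop slides) to show what "weak password hashing" looks like beside a defensible scheme. It uses only the standard library: PBKDF2-HMAC-SHA256 with a per-user random salt, a self-describing stored format so the cost can be raised later, and a constant-time comparison on verification. The iteration count and sample passwords are assumptions for the example; tune the count so one hash costs tens to hundreds of milliseconds on your own hardware.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"


def hash_weak(password):
    """Unsalted, fast hash: what a leaked users table usually contains.
    Two users with the same password get the same value, and the whole
    table falls to a precomputed (rainbow) lookup or a fast GPU crack."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=200_000, salt=None):
    """Salted, deliberately slow hash. Stored form is
    algorithm$iterations$salt$hash, so every parameter needed to verify
    (and to migrate to a higher cost later) travels with the record."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def verify_password(stored, password):
    """Recompute with the stored salt and cost, then compare in constant time.
    A plain == stops at the first differing byte, which leaks timing."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    print(hash_weak("Winter2015") == hash_weak("Winter2015"))    # True: identical, linkable
    alice, bob = hash_password("Winter2015"), hash_password("Winter2015")
    print(alice != bob)                                           # True: salts differ
    print(verify_password(alice, "Winter2015"))                   # True
    print(verify_password(alice, "winter2015"))                   # False
```

Where a dedicated password hash (bcrypt, scrypt or Argon2) is available through a vetted library, prefer it; the structure of the stored record and the constant-time verify stay the same.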

4. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some of each of these vulnerability types on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

The practical elements will allow you to attack a vulnerable site from a malicious attacker's or software tester's perspective. You will leave with not only an understanding of the issues but also having had hands-on practice.

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Hope to see you there!

Darren & Fiona (OWASP Cork Team)

Top 10 Workshop #4 (XSS & Unvalidated Redirects and Forwards) - 10 Sept 2015


When

Thursday 10th Sept 2015
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

A3 - Cross Site Scripting (XSS) & A10 - Unvalidated Redirects and Forwards

DESCRIPTION

Detecting and Preventing XSS, the Most Common Web App Security Flaw.

On Thursday, September 10th, we are having the fourth of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

This month our guest speaker, Damilare Fagbemi, will mainly be investigating Cross Site Scripting (XSS) which claims the third highest spot (A3) in the top 10 and will also touch on A10 - Unvalidated Redirects and Forwards.

Damilare is a software engineer and information security professional with expertise in Software Security and Data Analytics. He is a software security engineer in the Partner team at Intel Security Group, where he is responsible for developing strategies to improve security in the software development process while ensuring that software products built and shipped for Intel Security's partners are secure.

damilarefagbeni.com

@damilarefagbemi

Note: During the previous workshops we set up our machines to be ready for web penetration testing. Anyone who has done this can continue as such, but if you have not, no problem, we can help you set up the one or two main tools that we will need for that night. That should only take a couple of minutes. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install. Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into three phases:

1. Top 10 2013 - A3 - Cross Site Scripting (XSS)

This important vulnerability can result in your application allowing arbitrary script to run in the unsuspecting browsers of your users, putting those users at risk.

We will discuss how to identify XSS vulnerabilities in your application, highlight the risks associated with this class of injection flaw, provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
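To make the XSS point concrete, here is an added example (not from the workshop) of a reflected search term rendered four ways in Python: verbatim, escaped for a text node, and escaped for an attribute both incorrectly and correctly. It also includes the crude check a tester scripts first: does the exact payload come back unencoded? The page fragments and payloads are constructed for the example; the only library call is the standard `html.escape`.

```python
import html


def render_unsafe(query):
    """Reflects the search term verbatim: whatever the user typed is markup."""
    return f"<p>Results for: {query}</p>"


def render_text_escaped(query):
    """Text-node context. quote=True also encodes ' and ", which costs nothing
    here and keeps the same helper safe if it is later reused in an attribute."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_half_escaped(query):
    """Attribute context with quote=False: < and > are encoded, but the single
    quote is not, so the value can close the attribute and add an event handler
    without ever using an angle bracket."""
    return f"<input name='q' value='{html.escape(query, quote=False)}'>"


def render_attr_escaped(query):
    """Attribute context done properly: quoted attribute plus quote-aware escaping."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def reflected_verbatim(markup, payload):
    """First-pass reflected-XSS probe: the payload appears with no encoding at all.
    A 'False' here does not prove safety (context still matters); a 'True' is a finding."""
    return payload in markup


if __name__ == "__main__":
    tag_payload = "<script>alert(1)</script>"
    attr_payload = "x' autofocus onfocus='alert(1)"
    print(reflected_verbatim(render_unsafe(tag_payload), tag_payload))              # True
    print(reflected_verbatim(render_text_escaped(tag_payload), tag_payload))        # False
    print(reflected_verbatim(render_attr_half_escaped(attr_payload), attr_payload)) # True
    print(reflected_verbatim(render_attr_escaped(attr_payload), attr_payload))      # False
```

The half-escaped attribute case is the one worth remembering: encoding only `<` and `>` blocks the textbook `<script>` payload and nothing else, which is why output encoding has to match the context the value lands in (text, attribute, URL, JavaScript string).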

2. Top 10 2013 - A10 - Unvalidated Redirects and Forwards

An open redirect occurs when an application accepts a parameter (for example a "return to" URL after login) and uses it to redirect the user without validating that the destination belongs to the application. Because the link begins at a trusted domain, this vulnerability is often used to facilitate phishing attacks.

We will discuss how to identify these vulnerabilities in your application, highlight the associated risks , provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
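An added example (not from the workshop) of the validation the A10 section asks for, in Python with the standard `urllib.parse`. The site hosts and the `?next=` values are assumptions for the example. The interesting part is the edge cases a naive "starts with /" or "contains our domain" check gets wrong: protocol-relative `//host`, userinfo tricks such as `https://shop.example@evil.example`, look-alike subdomains, non-HTTP schemes, and backslashes that some browsers normalise to slashes.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "account.shop.example"}  # hypothetical site hosts
DEFAULT_TARGET = "/"


def redirect_vulnerable(next_url):
    """Location header taken straight from the request parameter."""
    return next_url


def safe_redirect_target(next_url, default=DEFAULT_TARGET):
    """Return next_url only if it stays on our own site; otherwise the default.
    Prefer site-relative paths; absolute URLs are allowed only for listed hosts."""
    if not next_url:
        return default
    # Backslashes and control characters: browsers treat "\" as "/" and strip
    # tabs/newlines during parsing, so "/\evil.example" can become "//evil.example".
    if any(ch == "\\" or ord(ch) < 0x20 for ch in next_url):
        return default
    parts = urlparse(next_url)
    if parts.scheme or parts.netloc:
        # Absolute (https://host/...) or protocol-relative (//host/...) target.
        if parts.scheme not in ("", "http", "https"):  # javascript:, data:, ...
            return default
        # .hostname is lower-cased and has userinfo ("trusted@evil") and port
        # stripped, so "https://shop.example@evil.example/" yields evil.example.
        if parts.hostname not in ALLOWED_HOSTS:
            return default
        return next_url
    # Site-relative path: exactly one leading slash ("//host" is caught above
    # via netloc, but be explicit).
    if not next_url.startswith("/") or next_url.startswith("//"):
        return default
    return next_url


if __name__ == "__main__":
    for candidate in [
        "/account/orders",
        "https://account.shop.example/login",
        "https://evil.example/phish",
        "//evil.example/",
        "https://shop.example.evil.example/",
        "https://shop.example@evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

If the application only ever needs to return users to its own pages, drop the absolute-URL branch entirely and accept relative paths alone; that removes the host allow-list as something that can drift out of date.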

3. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some of both types of vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

The practical elements will allow you to attack a vulnerable site from a malicious attacker's or software tester's perspective. You will leave with not only an understanding of the issues but also having had hands-on practice.

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Top 10 Workshop #3 (Injection) - 28 July 2015


When

Tuesday 28 July 2015
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

A1 - SQL Injection (SQLi)

DESCRIPTION

Tuesday July 28 will see the third of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

We will also be having our summer social event, with some free food and beer, after the talks - see below for more details.

This month we will be looking at Injection flaws which are #1 in the top 10. This is the top item as successful exploitation can lead to complete control of your systems by a malicious user.

Note: During the previous workshops we set up our machines.

Anyone who has set up their machines during the last workshop can continue to use that and will have all tools in place, but if you have not, no problem, we can just set up the one or two main tools that we will need for that night. If you would like some assistance in getting set-up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

If you would like to have ZAP installed on your machine you can get it here: ZAP Install. Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into two phases with a networking event after the talks:

1. Top 10 2013 - A1 - Injection

Fiona Collins

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. The result is that an attacker can bypass any application-level controls in place and gain full remote control of the application or database server, which can in turn be used to access other systems on your network.

We will discuss how to identify injection vulnerabilities in your application, highlight the risks associated with injection flaws, provide some mitigation techniques and demonstrate how this all works.

https://www.owasp.org/index.php/Top_10_2013-A1-Injection
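As an added example (it is not from the workshop slides), the injection mechanism described above in the smallest form that still runs: a login query built by string formatting beside the same query with bound parameters, against a constructed in-memory SQLite table. The users, their plaintext passwords and the payloads are sample data for the example; plaintext storage is used only so the injected query is easy to read, not as a recommendation.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input spliced into the SQL text. The engine cannot tell where
    the data ends and the command resumes, so a quote in the input rewrites
    the query. Returns the matched (username, role) or None."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values are bound
    separately by the driver, so they are only ever treated as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # "--" starts a SQL comment, so the password clause is discarded.
    print(login_vulnerable(db, "alice' --", "anything"))   # ('alice', 'admin')
    # Tautology: AND binds tighter than OR, so the WHERE is true for every row.
    print(login_vulnerable(db, "nobody", "x' OR '1'='1"))  # ('alice', 'admin')
    print(login_safe(db, "alice' --", "anything"))         # None
    print(login_safe(db, "alice", "correct horse"))        # ('alice', 'admin')
```

The same shape applies to OS and LDAP injection: the fix is always an API that separates the command from the data (bound parameters, `subprocess` with an argument list rather than a shell string, an LDAP filter escaper), never a blacklist of quote characters.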

2. Practical Hands On Workshop

This section of the night will invoke our learning from the first phase and put it to practical use. We take our testing environment and use it to exploit some injection vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

The practical elements will allow you to attack a vulnerable site from a malicious attacker's or software tester's perspective. You will leave with not only an understanding of the issues but also having had hands-on practice.

3. Summer Networking Event

After the workshop we will go along to the Woolshed bar where we would like to treat you to some food, drinks and chats: (http://www.woolshedbaa.com/cork/)

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Top 10 Workshop #2 (CSRF & Insecure Components) - 25 June 2015


When

Thursday 25 June 2015
Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

Cross Site Request Forgery (CSRF)
Using Insecure Components

DESCRIPTION

Thursday 25 June will see the second of our free series of workshops based on OWASP's most well known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: During the previous workshop we set up our machines.

Anyone who set up their machine during the last workshop can continue to use that and will have all tools in place, but if you have not, no problem, we can just set up the one or two main tools that we will need for that night. If you would like some assistance in getting set up then we will be there from 18:45 to help. Alternatively, you can contact one of the organisers (Fiona or Darren) in advance and we will let you know what you need.

Having a machine isn't a requirement for attending, there will be talks and demos as well as the practical elements.

This month's workshop will be divided into three phases:

'''1. Top 10 2013 - A8 - Cross-Site Request Forgery (CSRF) '''

Vincent Ryan

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

We will discuss what this issue is and a number of varieties of it, along with methods for avoiding it in your application code, and give a demo of how you would examine a defence using Burp Suite.

https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
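Added here as an illustration (not Vincent's demo or the workshop code): the forged request the A8 text describes, and the synchronizer-token defence that stops it, modelled in plain Python without a web framework. Requests are dicts standing in for what a server sees; the bank origin, the session store and the account balances are constructed for the example. The attacker page can make the victim's browser send the session cookie, but it cannot read the per-session token out of the real form, and it cannot set a same-site `Origin` header.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"        # hypothetical application origin
SESSIONS = {}                               # session id -> state (stand-in store)
BALANCES = {"alice": 100, "mallory": 0}     # constructed sample accounts


def new_session(user):
    sid = secrets.token_urlsafe(32)
    # One unguessable token per session. The real site writes it into its
    # transfer form as a hidden field; a cross-origin page cannot read that form.
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """What the legitimate form embeds as <input type="hidden" name="csrf_token">."""
    return SESSIONS[sid]["csrf"]


def _do_transfer(sess, form):
    amount = int(form["amount"])
    BALANCES[sess["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return 200


def transfer_vulnerable(request):
    """Authenticates on the cookie alone. The browser attaches that cookie to a
    request a hostile page submits, so a forgery is indistinguishable from a
    genuine click."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 403
    return _do_transfer(sess, request["form"])


def transfer_protected(request):
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 403
    # Defence in depth: browsers set Origin on cross-site POSTs and a page cannot
    # forge it. If the header is absent (some clients) we fall through to the token.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # Synchronizer token: the submitted value must equal the session's token.
    # Compare as bytes in constant time so a wrong token is rejected without a
    # timing side channel (and without a TypeError on non-ASCII input).
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode("utf-8"), sess["csrf"].encode("utf-8")):
        return 403
    return _do_transfer(sess, request["form"])


def forged_request(sid):
    """Constructed: what the victim's browser sends when a page on
    https://evil.example auto-submits a form at the bank. The session cookie
    rides along; the token and a same-site Origin do not."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://evil.example"},
        "form": {"to": "mallory", "amount": "50"},
    }


def legitimate_request(sid):
    """Constructed: the same transfer submitted from the bank's own form."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)},
    }


if __name__ == "__main__":
    sid = new_session("alice")
    print(transfer_vulnerable(forged_request(sid)), BALANCES)   # 200, alice lost 50
    print(transfer_protected(forged_request(sid)), BALANCES)    # 403, unchanged
    print(transfer_protected(legitimate_request(sid)), BALANCES) # 200, alice sent 10 to bob
```

When examining a defence in Burp, the test is exactly what `forged_request` does: replay the captured request with the token removed or swapped for another session's, and with the `Origin` header changed; a 200 on any of those is the finding. A `SameSite` attribute on the session cookie is a further layer in current browsers, but not a replacement for the token.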

'''2. Top 10 2013 - A9 - Using Components with Known Vulnerabilities '''

Darren Fitzpatrick

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

We will discuss how known vulnerabilities can be identified in a system and used to get access to other systems and data in your network. Mitigation techniques will also be discussed.

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
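As an added example of the identification step described above (not code from this page or the workshop), the following matches a pinned dependency manifest against a list of advisories that carry affected version ranges, which is the core of what tools such as OWASP Dependency-Check do. The manifest, the package names and the `EXAMPLE-000x` advisory ids are constructed for the illustration; the range convention assumed is "affected if introduced <= version < fixed", with `fixed = None` meaning no patched release exists yet.

```python
MANIFEST = """\
# constructed requirements-style manifest (not a real project)
widgetlib==1.3.0
parsekit==2.0.1
netcore==0.9.12
"""

# Constructed advisories. A version is affected if introduced <= version < fixed;
# fixed=None means the vendor has not shipped a fix.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "widgetlib", "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "remote code execution in template rendering"},
    {"id": "EXAMPLE-0002", "package": "widgetlib", "introduced": "1.3.0", "fixed": "1.3.1",
     "summary": "path traversal in static file handler"},
    {"id": "EXAMPLE-0003", "package": "parsekit", "introduced": "0", "fixed": "2.0.0",
     "summary": "XML external entity expansion"},
    {"id": "EXAMPLE-0004", "package": "netcore", "introduced": "0.9.0", "fixed": None,
     "summary": "denial of service via oversized frame (no fix released)"},
]


def parse_version(text):
    """Dotted numeric versions only (assumption; pre-release tags are out of scope)."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so that 1.4 == 1.4.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(version, introduced, fixed):
    v = parse_version(version)
    if compare(v, parse_version(introduced)) < 0:
        return False
    return fixed is None or compare(v, parse_version(fixed)) < 0


def parse_manifest(text):
    """Return {package: pinned version}, ignoring blank and comment lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pinned[name.strip().lower()] = version.strip()
    return pinned


def audit(manifest_text, advisories):
    """Return (package, version, advisory id, summary) for every matching advisory."""
    pinned = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], version, adv["id"], adv["summary"]))
    return findings


if __name__ == "__main__":
    for package, version, adv_id, summary in audit(MANIFEST, ADVISORIES):
        print(f"{package}=={version}: {adv_id} - {summary}")
```

Two details matter in practice and are easy to get wrong: the upper bound is exclusive (the fixed release itself is clean), and versions with a different number of components must be padded before comparison, otherwise a naive tuple compare treats 1.4 as older than 1.4.0. The unfixed `netcore` finding is the case the talk's mitigation discussion covers: when no patched version exists, the options are a compensating control or removing the component.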

3. Practical Hands On Workshop

This section of the night will draw on what we learned in the first phase and put it to practical use. We take our testing environment and use it to exploit some CSRF and component vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

Top 10 Workshop #1 (Test Environment Setup & Direct Object Reference) - 28 May 2015

OWASP Top 10 Workshop #1 (Test Environment Setup & Direct Object Reference)

When

Thursday 28 May 2015

Doors: 19:00
Talks start: 19:10

SLIDES FOR THIS MONTH

[https://drive.google.com/file/d/0B8BFOgbEfp-iNk1ab2R4Uy1lalU/view?usp=sharing, Setting Up a Hacking Environment]
[https://drive.google.com/file/d/0B8BFOgbEfp-iYlRucmVRSG5pWTQ/view?usp=sharing, Direct Object Reference & Broken Functional Access Control]

DESCRIPTION

Thursday 28 May will see the first of our free series of workshops based on OWASP's best-known flagship project, the OWASP Top 10 (2013) https://www.owasp.org/index.php/Top10. The goal of these workshops is to learn by doing, which is usually the best approach to learning anything. In that light, we will speak a little about each of the areas from the Top 10, then take that learning to the next level by attacking vulnerable sites and investigating vulnerable code and configurations.

Note: To get the most out of these workshops, it would be best to bring your own laptop. This should have >1 GB of RAM, >5 GB of free storage and a reasonably fast processor. Failing these laptop requirements we could probably work around it, but this would be best for following the standard approach that will be taken by most.

This month's workshop will be divided into three phases:

1. Setting Up Your Test Environment

To start the night we will define test environments at a high level and then help you to configure VirtualBox with a hacking / penetration testing specific virtual machine, namely Kali Linux. Kali will provide a tailored, pre-configured environment for testing and comes pre-populated with a vast array of tools for all your hacking needs! If you just bring your laptop, we will have the files ready for you to install, or if you are a paranoid security person ;) you can download in advance from here:

https://www.virtualbox.org/wiki/Downloads

https://www.kali.org/downloads/ (32 bit iso)

2. Top 10 2013 - A4 - Insecure Direct Object References

Insecure direct object reference occurs when a web application lets the user choose the target data for their transaction without correctly restricting them to the data they are entitled to see. In a secure configuration, the data retrieved would be determined by the user's session; often, however, the retrieval decision is based on parameters the user controls. E.g. you access your online bank account details, then manipulate the poorly implemented request so that the application believes you are another user and returns that user's details.

We will discuss a number of varieties of this issue along with methods for avoiding it in your application code.

https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
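The bank-account example above, worked through in code as an added illustration (this is not code from the page or the workshop). It shows the vulnerable lookup, which returns whatever account id the client supplied once anyone is logged in, beside the two standard fixes: verifying ownership against the session user, and replacing database keys with per-session indirect references that are useless outside the session that issued them. The account and session data, the `Forbidden` exception and the function names are assumptions made for the illustration.

```python
import secrets

# Constructed data (not from the page): two customers, one account each.
ACCOUNTS = {
    "1001": {"owner": "alice", "iban": "IE00ALICE0001", "balance": 1000},
    "1002": {"owner": "bob",   "iban": "IE00BOB00002",  "balance": 250},
}
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}   # session cookie -> user


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def user_for(session_id):
    try:
        return SESSIONS[session_id]
    except KeyError:
        raise Forbidden("not logged in") from None


def account_vulnerable(session_id, account_id):
    """Insecure direct object reference: the only check is that *someone* is
    logged in; the record returned is whichever id the client put in the request."""
    user_for(session_id)
    return ACCOUNTS[account_id]


def account_owner_checked(session_id, account_id):
    """Fix 1: keep the direct id but verify ownership against the session user.
    A missing account and someone else's account yield the same error, so an
    attacker cannot use the response to enumerate which ids exist."""
    user = user_for(session_id)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        raise Forbidden("no such account for this user")
    return account


_HANDLES = {}   # session id -> {random handle: real account id}


def handles_for(session_id):
    """Fix 2: indirect reference map. Each session gets random, unguessable
    handles for the accounts it owns; the real keys never reach the client."""
    user = user_for(session_id)
    if session_id not in _HANDLES:
        _HANDLES[session_id] = {
            secrets.token_urlsafe(8): account_id
            for account_id, account in ACCOUNTS.items()
            if account["owner"] == user
        }
    return _HANDLES[session_id]


def account_by_handle(session_id, handle):
    account_id = handles_for(session_id).get(handle)
    if account_id is None:          # handle unknown in *this* session
        raise Forbidden("no such account for this user")
    return ACCOUNTS[account_id]


def probe(lookup, session_id, ref):
    """Return the owner of the record the lookup hands back, or 'forbidden'."""
    try:
        return lookup(session_id, ref)["owner"]
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Alice is logged in and tampers with the id to request Bob's account.
    print(probe(account_vulnerable, "sid-alice", "1002"))       # bob (data leak)
    print(probe(account_owner_checked, "sid-alice", "1002"))    # forbidden
    print(probe(account_owner_checked, "sid-alice", "1001"))    # alice
    alice_handle = next(iter(handles_for("sid-alice")))
    print(probe(account_by_handle, "sid-alice", alice_handle))  # alice
    print(probe(account_by_handle, "sid-bob", alice_handle))    # forbidden
```

The ownership check is the fix to prefer when the object id has to appear in the URL anyway; the indirect map is useful when ids are sequential or otherwise guessable, since a handle captured from one session is meaningless in any other. In both cases the decision is made server-side from the session, never from what the client sent.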

3. Practical Hands On Workshop

This section of the night will draw on what we learned in the first two phases and put it to practical use. We take our new testing environment and use it to exploit some direct object reference vulnerabilities on a safe, intentionally vulnerable website.

After giving some time for individually attempting to carry out the exploitation, a walk-through of the exploit technique will be given for each of the examples outlined. The OWASP team will be at hand to help with any issues that might arise through this phase.

Practical elements will cover the following two perspectives so that you leave with not only an understanding of the issues but also having had hands on practice in these areas:

1. Defensive - Seeing vulnerable code / configurations and investigating how the issues could be rectified.

2. Offensive - Attacking vulnerable sites from a malicious attacker or software tester's perspective.

Cork Security Event - March 24

Amalgamating IT Security Best Practices Within an Organisation

On March 24th we held a joint security event with CorkSec, ISACA, and (ISC)2. Slides from the talks are available here:
[https://drive.google.com/file/d/0B2v5SuBDC0ejWHUyUkJtLThpSUE/view?usp=sharing, Securing Innovation]
[https://drive.google.com/file/d/0B2v5SuBDC0ejYXhRUEhtOEdTWVU/view?usp=sharing, The Weakest Link]

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

Chapter Meetings - 2014

Details and registration for all chapter meetings are available on our Meetup page: http://www.meetup.com/OWASP-Cork/

OWASP December Event

Chapter Meeting - December 11 2014

When

Thursday 11 December 2014

Doors: 19:00
Talks start: 19:15

DESCRIPTION

The next OWASP Cork Chapter meeting is taking place on Thursday December 11th in UCC (Western Gateway Building, WGB G04) at 7PM.

Hope to see you there. There are two talks lined up:

Talk 1: Eoin Carroll - Android Webview Exploitation

Bio:

Eoin Carroll is an IT Security Engineer and a member of OWASP since 2009. He is based in Cork and works on all things security, with keen interests in the Android stack, Threat Modeling, HTML5, cryptanalysis, reversing and exploitation.

Eoin has 13 years’ experience spanning the IT, semiconductor and medical device industries, working as an Electronic Engineer for 10 years and in security for the last 3 years.

Android Webview Exploitation

This talk will focus on the Android WebView addJavascriptInterface method, which is remotely exploitable, leading to a shell and to Cross Application Scripting (XAS). Eoin will discuss the importance of Threat Modeling with cross-platform development frameworks such as PhoneGap/Cordova, as well as security tools such as Drozer and AFE (Android Exploitation Framework).

The session will finish with a MITM demo exploiting addJavascriptInterface.

Slides are available here: [https://drive.google.com/file/d/0B2v5SuBDC0ejVFN5WlZaSTJyYU0/view?usp=sharing, OWASP Android Webview Exploitation]

Talk 2: Eoin Keary & Rahim Jina - 2014 EdgeScan Vulnerability Stats Report

Eoin Keary - BCC Risk Advisory / OWASP

Eoin is an international board member and vice chair of OWASP, The Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM and the OWASP Cheat Sheet Series. Eoin is a well-known technical leader in industry in the area of software security and penetration testing, and has led global security engagements for some of the world's largest financial services and consumer products companies. He was a senior manager, responsible for penetration testing in EMEA for a “big 4” professional services firm, for 4.5 years. He is the CTO and founder of BCC Risk Advisory Ltd (bccriskadvisory.com), an Irish company specialising in secure application development, advisory, penetration testing, mobile and cloud security, and training. Eoin has delivered security training and talks for OWASP to over 600 developers in the past year, including at events such as RSA (2013), RSA Europe, OWASP EU (2013) and OWASP Dublin 2013.

Rahim Jina - BCC Risk Advisory / OWASP

Rahim is a member of OWASP and has contributed to many open source security projects over the past 8 years, such as the OWASP Testing and Security Code Review Guides and OWASP SAMM. Previously Rahim was a senior consultant at a “big 4” professional services firm and the head of security for a large VoIP/IPT company in Los Angeles, USA; he now works as the Director of Information Security for BCC Risk Advisory (bccriskadvisory.com). He is also responsible for the security architecture of the edgescan.com vulnerability management solution.

We will go along to the Woolshed bar for some drinks and chats after the talks: (http://www.woolshedbaa.com/cork/)

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

OWASP September 22nd Event

Chapter Meeting - September 22 2014

When

Monday 22nd September 2014

Doors: 19:00
Talks start: 19:15

DESCRIPTION

The next OWASP Cork Chapter meeting is taking place on Monday September 22nd in UCC (WGB G.14) at 7PM.

We would like to treat all attendees to some beer and pizza after the talks in the Woolshed bar (Mardyke - http://www.woolshedbaa.com/cork/)

Hope to see you there.

There are two talks lined up:

Talk 1: Introduction to OWASP ZAP

Overview of the OWASP ZAP tool.

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Talk 2: Mark Denihan - OWASP Security Shepherd

The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skill set demographic. Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Many of these levels include insufficient mitigations and protections to these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well. In this presentation we're going to look at the Shepherd platform itself from both a learning and teaching perspective. Some of Shepherd's lessons and challenges will be demonstrated and we'll also walkthrough how easy it is to stand up a Security Shepherd instance and how it can be tailored to suit any web/mobile app sec teaching environments.

Chapter meetings are provided free of charge although OWASP membership is encouraged and besides supporting the organisation, will provide the holder with benefits in other areas such as free/discounted entry to conferences, etc.

OWASP September 2nd Event - Joint Event with CorkSec

Chapter Meeting - Joint event with CorkSec

When

Tuesday 2nd September 2014

Doors: 19:00
Talks start: 19:15

DESCRIPTION

The first OWASP Cork Chapter meeting is taking place on Tuesday September 2nd upstairs in SoHo bar on Grand Parade. This meeting is a joint event with the CorkSec group (http://www.meetup.com/CorkSec/). We would love it if you could stay around afterwards for a chat and some networking.

There are two talks lined up:

Talk 1: Web to Shell by Darren Fitzpatrick

Darren will introduce the concept of getting a shell through a website, which basically means remotely taking over the server on which a web application is installed. After a little theory, he will deliver demonstrations of this in action. Demos will include common attack vectors of this type and one recent and quite common Ruby on Rails specific remote exploit.

Talk 2: How I got into Security by Jack Baylor

In this short talk I'll be covering:

  • my education and previous work experience
  • what courses I wish I'd covered but didn't
  • how I got interested initially
  • how I started researching and networking
  • how I came about working in Qualcomm
  • how some others broke into security (through polling others here and through talking to people on LinkedIn etc...),
  • what courses I intend to take in the next 1, 2 and 5 years

Everyone is welcome to join us at our chapter meetings.

Other OWASP Chapters in Ireland

OWASP Dublin

https://www.owasp.org/index.php/Ireland-Dublin

OWASP Limerick

https://www.owasp.org/index.php/Limerick



Past Events here:

Thursday, 28th November 2019

Location: Dell Technologies, City Gate, Mahon, Cork.

Time: Doors Open at 6pm for registration, pizza, drinks and networking, the talks start at 6:30pm (we start on time).

Talk:

  • Multi Factor Authentication the false narrative
    • Darragh Duffy & John O’Riordan
    • Darragh is a Senior Principal Security Engineer, Dell Technologies
    • John is a Staff Cyber Security Engineer, Qualcomm
  • An Insider’s Guide to Hacking Your Network
    • Mark O’Sullivan
    • Penetration Testing, Cyber Risk, Deloitte

Multi Factor Authentication the false narrative

John and Darragh will talk about some of the misconceptions around 2FA/2SV/MFA as the perfect mechanism to protect our identities. They will discuss some of these additional authentication factor mechanisms (SMS tokens, One Time Passcodes etc.) and whether they are really a second factor. They will highlight the major weakness in how we perceive and use 2FA/MFA mechanisms, and demonstrate how that weakness can be exploited to bypass the protection we believe 2FA/MFA offers. They will finish by introducing the current solution to this MFA weakness, FIDO2, which is a true MFA mechanism but is not yet widely adopted.

Demo Videos

An Insider’s Guide to Hacking Your Network

Mark has significant experience in cyber security and holds industry leading security testing certificates including the OSCP. He has a keen interest in all areas of cyber security, and has specialised in penetration testing and vulnerability management. Mark has managed and conducted a wide range of penetration tests against a diverse range of platforms including web, mobile, network and IoT.