Testwarez 2016

Guess what? Looks like I will be having a workshop at Testwarez this year! Yay! This is good news and I am more than happy to be able to share some OWASP tools, ideas and knowledge with the participants.

What will we talk about? The idea is to show how to use a forward proxy like OWASP ZAP, go through a simple pentest scenario, and in the end let the participants hack their way through a specially crafted virtual machine image containing some vulnerable web applications we have created ourselves.

For this workshop to be successful, we will need the participants to do some preparation work before. Believe me, the workshop is worth the effort. 🙂

So, if you are planning to attend:

  1. Remember to bring your own device! Anything running Windows or Linux will (most probably) do.
  2. Install OWASP ZAP.
  3. Install Oracle VirtualBox. We tested the image with the 5.0 release last time, but it looks like the 5.1 release works fine too.
  4. Download and import the machine image we have created. The checksums are MD5: 3AE84EE66CA334D4001FFA966404639B and SHA1: 5F2F417995D8D52C4C58AD13C07C0B8EA9C8547E

There is absolutely no need to give the machine internet access, so you will do perfectly fine by running the machine in a host-only network. If you don’t know how to configure such a thing in VirtualBox – don’t worry. It will be one of the first things we will show at the workshop. Still, you might want to install the tools and the image before the workshop to simply save time.

The machine is lightweight. It will not eat too many resources. Oh, and you will not get any credentials to access the machine. 🙂 The idea was to get shell access by exploiting some application vulnerabilities in the first place.

But, if you are not planning to attend (and you know a bit about application security), you might still have a lot of fun playing with the virtual machine we have created. Just treat it as a capture the flag exercise and get local root shell access. 🙂

So, see you at Testwarez!

Pokemon Go (again)

One month ago no one knew Pokemon Go. Today, everyone knows it, many people play it. We live in exponential times.

I have used some of my time to dig through the internet and see what people write about this game in terms of security. What I have found out is that there is a lot of exaggeration, disinformation and misrepresentation regarding the security impacts. The best things I have found (that made sense) are enclosed in the presentation below. Enjoy.

#2 OWASP Meeting @ Wrocław

It was nice and interesting on one side; on the other – organizing a meeting just before a long weekend was probably a mistake. Those who were there could enjoy some interesting presentations though. I was there as well. Here is what I came with:

See you at the next OWASP meeting!