All the workshop sessions of #Hacktivity2021 can be found on this page. We reserve the right to change the program.
Bob recently joined a big and very famous company, Appsec404, which conducts security assessments. Bob has always dreamed of working in this area, and now he has his chance and does not want to miss it. At the same time, he was not the only one hired for the coveted position of application security specialist, so Bob must prove himself as well as he can. To move up the career ladder, Bob will have to solve many problems related to finding and fixing vulnerabilities. After all, the main thing is to do the job and not follow any rabbits, right?
During our workshop, you will help Bob and face many tasks related to finding vulnerabilities in various web applications and fixing them. Without going into every detail, we will study the vulnerabilities and reports published on HackerOne and Bugcrowd and solve a few real problems. In addition, you will learn what needs attention when testing and implementing various functions in web applications, and what can happen if certain functions are not used properly.
A workshop about subdomain takeover. Nowadays, in the age of cloud environments, there are new surfaces for attacking these systems. Cloud providers keep offering ever easier deployment scenarios, and this is the breeding ground for an attack that also affects large organizations. In the first part of the workshop we review the theory and techniques; in the second part we take a sharp look at the attack in the wild. During the demo, we go through the entire attack chain, create a proof of concept, and discuss the steps of ethical reporting.
More and more companies are moving their applications to the cloud to reduce costs or simplify operations. However, these applications can be just as vulnerable as traditional ones, costing their owners massive sums if exploited by malicious actors.
In this workshop, you can learn the basics of cloud platforms and the fundamental differences between traditional and cloud-hosted applications, their vulnerabilities, and the corresponding exploitation techniques. We will be using AWS, the most popular cloud platform, to analyze and exploit some of the most frequent vulnerabilities together.
Requirements for the hands-on parts:
– AWS Free Tier account and AWS CLI (optional)
– Burp Proxy (recommended) or any similar tool capable of submitting HTTP requests (e.g. curl)
A shallow dive into deep water: the topic of web application security stretches wide, so this workshop is laser focused. During white box application testing we use the source code to our advantage, uncovering issues that might otherwise remain hidden from standard grey box testing.
In this workshop we go through common examples and techniques for enumerating and finding issues in a variety of languages. We will look at real-world applications and recreate exploits to understand how they were discovered. Experience in web application testing is expected, as well as the ability to understand code at a basic level. Requirements: a laptop with your choice of text editor (we will use VSCode), Burp proxy, and a Python interpreter to run scripts.