Introduction to Exploiting Web Applications workshop

World Wide Wars: Introduction to Exploiting Web Applications
Presenters: User:Tech Learning Collective
Duration: 1 hour and 30 minutes
Participant limit: 20

World Wide Wars: Introduction to Exploiting Web Applications is a workshop slated to be included in the HOPE 2020 conference calendar that teaches Web exploitation techniques such as code injection and authentication bypasses. It was created by Tech Learning Collective cybersecurity trainers and features both demonstration and hands-on portions. Students are provided with a "practice lab" that they can run inside of a virtual machine, where several attack tools are pre-installed for them.


This workshop will introduce you to a free and professional-grade software program that is used to attack Web sites, called the OWASP Zed Attack Proxy. In a specially prepared lab environment, you will see how real-life attack techniques like code injection are discovered and used in order to gain unauthorized, administrative access to Web sites and steal information like user passwords. By seeing how and why the attacks work, you will be better prepared to defend your own accounts and any Web sites you might be building or be responsible for protecting.

Full Description

According to Douglas Crockford, formerly a distinguished architect at the Internet behemoths PayPal and, before that, Yahoo!, “The Web is the most hostile software engineering environment imaginable.” Given that it’s hard enough to make Web applications work in the first place, is it any surprise that so many of them can be broken, hacked, and exploited? Of course, it’s often not good enough merely to break some system. Our task is to break into (or, break out of) that system.

The “front door” to most targets is usually their Web site, and so in this offensive security workshop you’ll learn exactly how attackers, internal Red Teams, and professional penetration testers go about targeting websites, identifying vulnerabilities, and exploiting them. By using the OWASP Zed Attack Proxy (ZAP), a free and open source Web application security scanner, you’ll get a hands-on introduction to Web application security basics, intercepting proxy configuration, target scoping, and more. We’ll be targeting the OWASP Juice Shop, an intentionally vulnerable practice target that has a slew of common Web vulnerabilities, collectively known as the OWASP Top Ten, for us to learn about. They include SQL injection, sensitive data exposure, cross-site scripting (XSS), broken authentication and access control, and many others.

Today’s World Wide Web has become a worldwide battleground, economically, militarily, and culturally. By knowing how the Web-based systems we all use—or even build!—can be made to fail in just the “right” way, we can better protect ourselves and our organizations from the constant barrage of attacks flying across the Internet. Come learn how to hack yourself before your opponents do, so you can find vulnerabilities and shore up defenses in your own Web projects before attackers get the chance to leak your sensitive data such as usernames and passwords, install malware on your systems, or penetrate your network.


Registration information TBD.

Pre-requisite knowledge

This workshop presumes no pre-existing knowledge on the subject. This is a beginner-friendly workshop. That being said, the following knowledge will be useful for students who want to take the workshop's training to the next level more quickly:

  • Basic command line experience in a POSIX environment (Bash on GNU/Linux, for instance), to work with the tools.
  • Familiarity with the use or, optionally, development of login systems such as Web-based authentication flows. This is very much not required but adds a lot of context to the workshop discussion.


Workshop attendees must have a laptop capable of participating in the Web video stream, but nothing more.

Preparation for optional hands-on lab

If attendees want to try out the hands-on exercises along with the instructor, they must have:

  • A laptop capable of running Oracle VirtualBox, which means they need physical hardware with support for the Intel VT-x instruction. This excludes many low-end tablet-style devices such as models of Microsoft Surface, netbooks, and so forth. To check your system for hardware virtualization support:
    • macOS: sysctl -a | grep -E --color 'machdep.cpu.features|VMX'
    • Linux: grep -E --color 'vmx|svm' /proc/cpuinfo
    • Windows: systeminfo, then ensure "Hyper-V Requirements" features are marked "Yes" in the output.
  • HashiCorp Vagrant version 2.2.9 or later.
  • A broadband Internet connection (for timely downloading of the Vagrant base box virtual machine lab environment).
  • No less than 10GB free hard disk space in which to install the lab environment and associated wordlist assets. (15GB recommended.)
  • At least 1GB free RAM (2GB recommended).

To prepare, attendees must perform the following steps:

  1. Install Oracle VirtualBox.
  2. Install HashiCorp Vagrant.
  3. Download the workshop lab materials (which can be provided on request).
  4. Navigate to the workshop lab materials folder (cd /path/to/lab/folder) in their terminal program of choice.
  5. Spin up the lab environment by invoking the vagrant up command.

Once Vagrant completes, they can use the vagrant ssh command to log in to the lab environment, which will provide them with numerous hash cracking utilities and some hashes to crack.
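
The requirements listed above can be checked in one pass before running vagrant up. The script below is an added example, not part of the workshop's lab materials; it assumes a Linux host (it reads /proc/cpuinfo and /proc/meminfo), and the file name preflight.sh and the --check argument are names chosen here for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the lab prerequisites (Linux host assumed).
# Thresholds are the page's: Vagrant >= 2.2.9, >= 10GB disk, >= 1GB RAM.
# Assumption: 1GB is counted as 1024*1024 KB.

# version_ge A B: succeeds when dotted version A is >= B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# has_hw_virt FILE: succeeds when a cpuinfo-style FILE lists the vmx or svm flag.
has_hw_virt() {
    grep -Eq '(^|[[:space:]])(vmx|svm)([[:space:]]|$)' "$1"
}

# enough_gb AVAILABLE_KB REQUIRED_GB: succeeds when AVAILABLE_KB covers REQUIRED_GB.
enough_gb() {
    [ "${1:-0}" -ge $(( $2 * 1024 * 1024 )) ]
}

# report STATUS MESSAGE: a non-zero STATUS marks the whole run as failed.
report() {
    if [ "$1" -eq 0 ]; then echo "ok:   $2"; else echo "FAIL: $2"; rc=1; fi
}

preflight() {
    rc=0
    has_hw_virt /proc/cpuinfo 2>/dev/null; report $? "CPU virtualization flag (vmx/svm)"
    command -v VBoxManage >/dev/null 2>&1; report $? "Oracle VirtualBox installed"
    ver=$(vagrant --version 2>/dev/null | awk '{print $2}')
    version_ge "${ver:-0.0.0}" 2.2.9;      report $? "Vagrant ${ver:-missing} >= 2.2.9"
    disk_kb=$(df -Pk . | awk 'NR==2 {print $4}')
    enough_gb "$disk_kb" 10;               report $? "10GB free disk in $(pwd)"
    mem_kb=$(awk '/^MemAvailable:/ {print $2}' /proc/meminfo 2>/dev/null)
    enough_gb "$mem_kb" 1;                 report $? "1GB free RAM"
    return "$rc"
}

# Run the checks only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it from the lab materials folder so the disk check measures the filesystem the virtual machine will be stored on.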