Web Application Penetration Testing Workshop

#software #science #programming #testing #security #workshop

This event is co-sponsored by IEEE Southern Alberta - Computer Chapter and IEEE R7 Educational Activities.


Join us for a beginner-friendly workshop tailored specifically for individuals venturing into cybersecurity and web application security. Dive into the fundamental concepts, largely derived from the OWASP Top Ten, and immerse yourself in hands-on exercises coupled with real-time demonstrations. This workshop lays the foundation for those aiming to dive into the world of cybersecurity. No prior experience is necessary; just bring your enthusiasm and a readiness to learn!

The event will start at 11:00 AM MST with an opening talk from Dr. Khosro Salmani.

Session 1 (Time: 11:15 AM - 12:45 PM MST)

The session will emphasize key aspects of the OWASP Top Ten:

  1. Introduction to HTTP Proxy
  2. Identity and Authentication Failure
  3. Broken Access Control

Session 2 (Time: 1:30 PM - 3:00 PM MST)

  1. SQL Injection
  2. Cross-Site Scripting (XSS)

Session 3 (Time: 3:30 PM - 5:30 PM MST)

  1. Background
  2. Introduction to stack buffer overflow
  3. Developing a stack buffer overflow exploit

The event will end with a networking session.

 



  Date and Time

  • Date: 23 Sep 2023
  • Time: 05:00 PM UTC to 12:00 AM UTC

  Location

  • 74 Mt Royal Cir SW
  • Calgary, Alberta
  • Canada T3E 7N5
  • Building: Mount Royal Library
  • Room Number: Ideas Lounge (EL1270)

  Hosts

  • Chair of Computer Chapter, IEEE Southern Alberta: Dr. Yasaman Amannejad (yamannejad@ieee.org)
  • Chair of IEEE R7 Educational Activities: Asad Norouzi (asadollah.norouzi@ieee.org)
  • Co-sponsored by Computer Chapter of IEEE Southern Alberta & IEEE R7 Educational Activities.

  Registration

  • Starts 31 August 2023 07:00 AM UTC
  • Ends 23 September 2023 05:55 AM UTC
  • 0 in-person spaces left!
  • No Admission Charge


  Speakers

Ms. Somayeh Modaberi

Topic:

Facilitator for Sessions 1 and 2 - Somayeh Modaberi

Biography:

Somayeh Modaberi is currently pursuing her PhD in Software Engineering at the University of Calgary. With over a decade of experience in testing, she specializes in the penetration testing of web applications, APIs, and mobile applications.

Dr. Siamak Azadiabad

Topic:

Facilitator for Session 3 - Siamak Azadiabad

Biography:

Siamak Azadiabad (PhD) is an information security professional with more than 15 years of work experience. Siamak has implemented and conducted a range of information security programs in his career, including penetration testing, security operations centers, secure network design, security audits and evaluation, and hardening. Siamak is currently working as a senior cybersecurity analyst and solution engineer at GlassHouse Systems, providing security advice and services to enterprises.


Dr. Khosro Salmani

Topic:

Opening Talk - Dr. Khosro Salmani

Biography:

Dr. Khosro Salmani is an Assistant Professor in the Department of Mathematics and Computing at Mount Royal University. He received his Ph.D. degree in Computer Science from the University of Calgary in 2020 and his MSc from the Iran University of Science and Technology in 2011. Before starting his Ph.D. in 2016, he was a university lecturer for more than five years. Since 2011, Khosro has taught several courses in computer science and computer engineering, including basic and advanced programming languages, databases, data structures and algorithms, operating systems, computer security, and data privacy.

His current research interests span several areas of data privacy, including preserving the privacy of personal data outsourced to cloud servers, big data privacy, data privacy and security in the Internet of Things (IoT), data privacy in health care systems, and usable privacy. His expertise therefore involves designing and implementing tools and technologies that enhance data privacy and security. He also examines the impact of human factors on privacy and security and introduces new techniques to improve them.





Agenda

First Session

Facilitator: Somayeh Modaberi (11:15 AM - 12:45 PM MST)

Prerequisites: For the best learning experience, participants should be familiar with:

  • Web applications
  • HTTP protocols
  • Basic scripting with JavaScript
  • HTML

Required Tools: Attendees are advised to pre-install:

  • Burp Suite (Community Edition): A leading tool for web application security testing. Download here.
  • WebGoat: An intentionally vulnerable web application platform for security training. More details here.

Agenda: The session will emphasize key aspects of the OWASP Top Ten:

  1. Introduction to HTTP Proxy
  2. Identity and Authentication Failure
  3. Broken Access Control

Second Session

Facilitator: Somayeh Modaberi (1:30 PM - 3:00 PM MST)

Prerequisites: For an effective learning experience, participants should understand:

  • Web applications
  • HTTP protocols
  • Basic scripting in JavaScript
  • HTML
  • Databases

Required Tools: Attendees are recommended to pre-install:

  • Burp Suite (Community Edition): A leading tool for web application security testing. Download here.
  • WebGoat: An intentionally vulnerable web application created solely for security training. Learn more here.

Agenda: The session will discuss significant components from the OWASP Top Ten:

  1. SQL Injection
  2. Cross-Site Scripting (XSS)

Third Session

Facilitator: Siamak Azadiabad (3:30 PM - 5:30 PM MST)

Prerequisites

  • Intermediate knowledge of Linux
  • Familiarity with one programming language, preferably C or C++

Required Tools (if interested in getting hands-on experience during the session):

  • Ubuntu desktop (can be installed in VirtualBox environment) with the following packages installed
    • python 2.7
    • nc
    • nmap

  • Ubuntu server 22 (can be installed in VirtualBox environment) with the following packages installed
    • gcc
    • gdb
    • socat

  • Note: the IP address of the Ubuntu server must be reachable from the Ubuntu desktop. If using VirtualBox, the “host only” setting for the network adapter assigns each Linux machine a different IP address on a private network, so they can ping each other.

Agenda: Stack buffer overflow will be discussed and a remote exploit for a vulnerable program will be developed.

  1. Background
  2. Introduction to stack buffer overflow
  3. Developing a stack buffer overflow exploit