OWASP Czech Chapter Meeting
Dear OWASP fellows, It’s our pleasure to inform you that the next local chapter meeting will be held on November 25th 2021 at NN IT HUB
When and where
Location
NN IT HUB Karla Engliše 6/3201 150 00 Prague Czechia
About this event
Dear OWASP fellows,
It’s our pleasure to inform you that the next local chapter meeting will be held on November 25th 2021 at NN IT HUB, Karla Engliše 6/3201, Praha 5-Smíchov.
This time we have prepared a full-day event for you. You can enjoy a workshop during the morning and interesting talks during the afternoon, together with a CTF. Admission is, as usual, free of charge.
Schedule
Morning workshop
9:00 - 12:00 Jan Kopecký: Fuzzing workshop
9:00 - 12:00 CTF led by TunaSec.cz
Talks
12:00 - 12:15 Opening ceremony with OWASP chapter leaders and announcing winners of the CTF
12:15 - 13:00 LUNCH TIME!
13:00 - 13:45 Václav Chlad: I'm you: Caller ID spoofing
14:00 - 14:45 Filip Holec: Hacking 101
15:00 - 15:45 Ondřej Bouček: Should I Trust? Exploring New Approaches to Detecting Computational Propaganda
16:00 - 16:45 Kamil Vávra: WordPress Supply Chain Attack
17:00 - 17:45 Marek Jílek: Hey Google, give me tons of public calendars! (how I became #1 on H1 in CZ)
17:45 - .......... Closing ceremony and networking
Information about the trainer, workshop and CTF
Fuzzing workshop
Jan Kopecký - Jan started his IT security career more than 15 years ago. He is currently working as a Red Teamer for NN and leads his own small yet exclusive consulting company. During his journey Jan has mostly focused on web application, infrastructure and mobile application pentesting. He also loves to write custom tools (especially malware), do some reverse engineering and of course fuzzing (because a cold core is a wasted core). Jan is also one of the OWASP Czech Republic chapter leaders (the most handsome one, of course).
Workshop outline:
During this workshop we will get our hands dirty with fuzzing, fuzzing and … you guessed it! Fuzzing. When you know what tools to use and how to use them properly, you can find a lot of bugs with relatively low effort (well, sometimes). And this is exactly what this workshop is going to be about. Unfortunately I cannot make you a fuzzing guru in 3 hours, however I can show you the fuzzing state of the art and the tools of the trade. We will touch on the following subjects:
○ Dumb fuzzing with Radamsa
○ AFL++ on Linux
○ WinAFL on Windows
○ BooFuzz for network fuzzing
○ Firefox fuzzing on Windows (bonus content if we have enough time)
Please do not forget that this is a workshop, so bringing your own laptop is seriously recommended. Ideally you should have either VirtualBox or VMware with Kali Linux and Windows. You don't need to install anything in advance, as we will do the installation and initial setup during the class. BTW, by signing up for this workshop you accept a rule to buy me a beer for each bug you find with fuzzing ;)
Looking forward to seeing you in the class!
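The outline above names the tools but not what a mutation-based ("dumb") fuzzer actually does. The following is an added illustration written for this page; it is not workshop material and not Radamsa's code. It takes a seed input, applies a handful of stacked random mutations (bit flips, byte inserts and deletes, chunk duplication, boundary bytes), feeds each case to a constructed, deliberately fragile length-prefixed record parser that stands in for a real target, and separates the target's own graceful rejections (ValueError) from everything else, which the harness treats as a crash and keeps one reproducer for. The parser, the seed input and the mutation set are all assumptions for illustration.

```python
"""Mutation-based (dumb) fuzzing harness, added illustration.

Not Radamsa and not the workshop's material: a minimal stand-in showing
the idea behind "dumb fuzzing" - the fuzzer knows nothing about the input
format, it only mutates samples and watches the target for crashes.
"""
import random


def parse_records(data: bytes):
    """Constructed toy target: count byte, then length-prefixed records.

    Inputs with too many records are rejected cleanly (ValueError), which is
    correct behaviour. The per-record length, however, is trusted without a
    bounds check, so a mutated length or a truncated buffer makes the parser
    read past the end and raise IndexError - the stand-in for a real crash.
    """
    count = data[0]                      # IndexError on empty input
    if count > 16:
        raise ValueError("too many records")   # deliberate, graceful rejection
    pos = 1
    records = []
    for _ in range(count):
        length = data[pos]               # no bounds check: the planted bug
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 stacked Radamsa-style mutations to a copy of the sample."""
    buf = bytearray(sample)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "dup", "magic"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)            # flip one bit
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "dup" and buf:
            a = rng.randrange(len(buf))
            b = rng.randint(a, len(buf))
            buf[b:b] = buf[a:b]                         # duplicate a chunk
        elif op == "magic":
            i = rng.randint(0, len(buf))
            buf[i:i] = rng.choice((b"\x00", b"\x7f", b"\x80", b"\xff"))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run mutated cases against target; return {(exc_type, msg): first case}.

    ValueError is the target's own input validation and is not a finding.
    Any other exception is counted as a crash. A real harness would instead
    watch a native process for signals and timeouts.
    """
    rng = random.Random(seed)                           # deterministic runs
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


def reproduces(target, case: bytes, exc_name: str) -> bool:
    """Re-run a saved case and confirm it raises the recorded exception type."""
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


# Constructed seed: two records, "ab" (len 2) and "xyz" (len 3).
SEED = b"\x02\x02ab\x03xyz"

if __name__ == "__main__":
    found = fuzz(parse_records, [SEED])
    for (name, msg), case in found.items():
        print(f"{name}: {msg!r} reproducer={case!r} "
              f"reproduces={reproduces(parse_records, case, name)}")
```

The split between ValueError and "anything else" is the point worth carrying into a real harness: a parser that rejects bad input on purpose is not a bug, and a fuzzer that reports every exception buries the real finding under noise. Saving the first case per distinct crash gives you a reproducer to minimize afterwards.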
CTF led by TunaSec.cz team
Filip Holec - Leader of educational Ethical Hacking, Linux or Python workshops and Co-Founder of https://engeto.cz
Martin Zember - 13 years of experience in pentesting, Founder of https://zembered.com
Petr Skyva - Cyber-Security @ FI MUNI, Cloud Architect @ Cleverlance
Kamil Vavra - Hacker, Bug Bounty hunter (https://vavkamil.cz), AppSec Lead @ Kiwi.com
CTF outline
We’ve prepared a short, beginner friendly CTF with some real-life challenges. We will try to help with hints and tools to finish it in time, learn something and yet still compete. For the lucky winner, we prepared a bottle of the only true rum - Bozkov!
Information about the speakers and talks
Václav Chlad
I'm a junior penetration tester for Trusted Network Solutions a.s. and an ad-hoc penetration tester for MUNI CSIRT. My original specialization was social engineering, but I am learning all the areas of "hacking", lately focusing on internal networks and Active Directory.
I'm you: Caller ID spoofing
Calls through the PSTN are still widely used, and many people don't even know how easy it is to fake your caller ID and impersonate someone else. In my talk, I will show you the best way I know of calling from any number you like.
Filip Holec
Filip is leader of educational Ethical Hacking, Linux or Python workshops and Co-Founder of https://engeto.cz.
Hacking 101
Do you want to get into ethical hacking and/or penetration testing? This talk will give you clear information on where to start, the best websites to try your hacking skills on, and which resources to follow.
Ondřej Bouček
Ondřej Bouček is a 24-year-old final-year AI student at the Faculty of Electrical Engineering of the Czech Technical University in Prague. His work started in the area of image retrieval, until he got mad at how easy it is to manipulate people and switched his focus to detecting computational propaganda. He is currently a researcher in the Computational Propaganda project at the Stratosphere Laboratory under the AI Center, as part of his Master's thesis.
Should I Trust? Exploring New Approaches to Detecting Computational Propaganda
The history of propaganda is as old as civilized society. In the modern era, especially with the rise of the Internet, techniques changed. Computational propaganda exploits the ease of spreading information and aims to overwhelm the victim with the amount of information. What makes detecting computational propaganda hard is that the information might be completely true, however, people are witnessing only part of the truth, the part that fits the narrative.
In this talk, we will present our current research efforts to track information on the internet and to explain whether its spread is being forced by someone or is natural. We will show why tracking information is hard, and the difficulties caused by the absence of a dataset.
Kamil Vavra
Kamil is an Application Security Engineer @ Kiwi.com and a Burp Suite Certified Practitioner, focused on offensive web application security.
WordPress Supply Chain Attack
A novel attack vector affecting WordPress websites. This talk will cover the research from the beginning, explaining the motivation and the exploration phase. A new scanner tool will be released, along with a Docker container for local testing. Lastly, you will get a chance to see redacted results from bug bounty hunting, the recon process, and the struggle with triage of the reports. TBU, currently still a 0day :)
Marek Jílek
Marek is currently working as a Red Team Engineer at NN. In the past he also worked for Deloitte as a penetration tester and for Alza.cz as a web developer. His interests include popularizing the field of computer security, bounty hunting (#1 on HackerOne in the Czech Republic), social engineering and cooking.
Hey Google, give me tons of public calendars! (how I became #1 on H1 in CZ)
This presentation describes my journey from being lousy at bug bounty hunting, to still being lousy except for one bug. That bug is called "Google Calendar Misconfiguration" and I will tell you how this vulnerability changed my point of view on bug bounty hunting. And also the balance of my bank account. :)
Additional information
- If using public transportation, go to the metro station Anděl and walk 5 minutes. For cars there are paid parking lots in Kováků street, or you can park in the OC Nový Smíchov.
- NN IT HUB is in the Anděl Park office building; there will be someone to guide you at the main entrance. There will be signs showing you the way to the conference hall and the lecture room for the workshop.
- For the workshop, please arrive at least 10 minutes ahead of time; otherwise your seat may be given to somebody on the waiting list.
- We have to follow the current COVID rules; please check your email a few days before the event, as we will inform you about the current conditions.
- There will be some snacks and soft drinks prepared for you during the event, and of course the lunch! :)
- Unless stated otherwise, talks will be in English and the recordings will be available online (with speakers' permission) after the event.