
OWASP Czech Chapter Meeting

Location

Microsoft

1561/4a Vyskočilova

140 00 Prague

Czech Republic


Dear OWASP fellows,

It’s our pleasure to inform you that the next local chapter meeting will be held on May 30th 2017 at the Microsoft/Skype office, Vyskočilova 1561/4a, Building Delta, Praha 4. This time we have prepared an amazing line-up of speakers and workshops. Admission is, as usual, free of charge.

Schedule

Workshops

9:00 - 11:00 Mario Heiderich: AngularJS security

9:00 - 11:00 Nicolas Grégoire: Application security testing with Burp Suite

Talks

11:15 - 11:30 Opening ceremony with OWASP chapter leaders - Jan Kopecký & Filip Šebesta + surprise

11:30 - 12:30 Mario Heiderich: My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, "e"

12:30 - 13:00 PIZZA TIME!

13:00 - 14:00 Nicolas Grégoire: Nearly generic fuzzing of XML-based formats

14:00 - 14:15 break

14:15 - 15:15 Radek Vala & Milan Oulehla - Mobile application security

15:15 - 15:30 break

15:30 - 16:00 Ivo Machulda: 2 years of living with WordPress in the corporate sphere (the talk is in Czech)

16:00 - 16:15 break

16:15 - 16:45 Leigh Collett: Getting the most from Application Security in your SOC

16:45 - 17:00 break

17:00 - 18:00 Michal Špaček: BeEF demo and what's new in CSP 3

Information about the speakers, trainings and talks

Mario Heiderich

Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon vivant and (as he loves to call himself) "security researcher", is from Berlin, likes everything between less-than and greater-than signs and leads a small yet exquisite pen-test company called Cure53. He commonly pesters peaceful attendees of various niche conferences with PowerPoint slides and profanities. As a child, Mario had no friends whatsoever. His parents used to fill his pockets with "Good German Schnitzel" so that at least the dogs would play with him. He actually never stopped doing that.

My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, "e"

This talk will briefly cover eleven weird and often unexpected technologies and features that are embedded in MSIE. Technologies that are relevant for penetration testers, for security researchers or simply for people who enjoy crazy browser behaviors. This talk has no other mission than to be bizarrely entertaining. In Germany, we often call that "Schadenfreude". Lean back, buckle up and enjoy.

AngularJS security

The basis for this workshop is Mario's talk on AngularJS security, extended specifically for the OWASP Czech Chapter Meeting. You will see material that has not been shown anywhere yet. Just come and see.

Nicolas Grégoire

Nicolas Grégoire has more than 15 years of experience in penetration testing. Founder of Agarri, his research has been presented all around the world and has identified dozens of vulnerabilities. He also does bug bounties (on both sides) and is an official Burp Suite Pro trainer.

Nearly generic fuzzing of XML-based formats

Nowadays, most public tools for fuzzing XML-based file formats aren't very effective. So, let's build a modern and nearly generic XML fuzzer!

Keywords: code fragments, coverage-guided fuzzing, chained mutations.

Application security testing with Burp Suite

Burp Suite is the de facto leading tool for web application assessments. This 2-hour workshop will focus on macros and session handling rules, two very useful features of the tool. Attendees will practice on mock-up scenarios that map easily to real-life situations.

Among other scenarios, the workshop deals with automatic login (when a WAF kills the user session) and forms protected by anti-CSRF tokens. Once macros and rules are mastered, it is trivial to create setups in which automated interaction (such as active scanning) remains possible in these situations.

Furthermore, chaining external tools (like sqlmap) with Burp Suite is covered too, allowing exploitation of SQL injections located in complex multi-step workflows.

Note: the Pro edition of Burp Suite isn't needed for this workshop. The Free edition can be downloaded from https://portswigger.net/


Radek Vala

Radek is a senior lecturer at the Faculty of Applied Informatics at Tomas Bata University in Zlin. He is also a member of the mobile security section at the same faculty and a web/mobile application software developer and architect. In his research he focuses on mobile/web application security and IoT.

Milan Oulehla

Milan is a security researcher and Ph.D. student at the Faculty of Applied Informatics at Tomas Bata University in Zlin. He is also an independent consultant in the mobile security field and a founding member of the PT Lab mobile security section (http://ptlab.fai.utb.cz/mobile-security). In his research he focuses on various security topics such as malware detection, mobile botnets and cryptography.

Mobile application security

The talk will be composed of three parts. We will start with security on the Android platform and then slowly dive into attacks focused on hybrid iOS applications. The final part of the presentation will focus on a penetration testing methodology we have developed.

Ivo Machulda

Ivo is an IT professional who runs corporate and community web applications. He has been actively working on the security of web applications and services since 2005. He is currently employed by the largest alternative energy supplier. In the past he built hosting and a private cloud on the Microsoft product platform for a hosting company. He actively works on an OSS WAF.

2 years of living with WordPress in the corporate sphere

The basic anatomy of WordPress from the perspective of web application security. How OWASP projects can help us secure WordPress, not only the OWASP WordPress Security Implementation Guideline. A practical demonstration of working with the security tools WPScan and OWASP Zed Attack Proxy (ZAP). An account of practical experience with a WordPress installation that we thought was well secured. A demonstration of the risks of choosing unsuitable plugins and of not updating the core.

Leigh Collett

A specialist in application & network performance and enterprise management products for IT performance, availability and security, with significant experience in the deployment and integration of SIEM solutions into government and enterprise SOC environments.

Getting the most from Application Security in your SOC

We all understand the need to get application security right, but how do you tell if someone is attempting to break or abuse your application? This session will discuss how your security operations team might look at this, and the challenges presented when your CISO asks those questions.

Michal Špaček

Michal is a software developer and an application security engineer who's on a mission to show developers how & why to write secure code. He started building web sites and apps during the "First browser war" when "Best viewed in Netscape" logos were still a thing. Michal has worked for Skype and others, and is currently freelancing.


BeEF demo and what's new in CSP 3

They say "there's an app for that". But there's also a framework for that! Let's say you have some JavaScript and you want to run it in an unsuspecting user's browser (read: Cross-Site Scripting). BeEF, The Browser Exploitation Framework, can make it a piece of cake. Content Security Policy, the archenemy of Cross-Site Scripting, has leveled up, so let's go through what's new in CSP 3.


Additional information

  • If using public transportation you can go to the metro station Budějovická and walk 5 minutes. There is also a bus stop Vyskočilova nearby, one stop away from the metro. For cars there are plenty of paid parking lots in the surrounding area.

  • Unless stated otherwise, talks will be in English and the recordings will be available online (with the speakers' permission) after the event.

  • For the workshops, please come at least 15 minutes ahead of time, otherwise it can happen that your seat is taken by somebody on the waiting list.

  • There will be some snacks and soft drinks prepared for you during the event. Also, there is a small cafe next to the conference hall where you can purchase hot drinks.

  • The venue is on the ground floor of the office building. There will be signs showing you the way to the conference hall and the lecture room for the workshops.


Looking forward to seeing you there!

Your OWASP local chapter team
