OWASP Czech Chapter Virtual Meeting


Event Information

Location

Online Event

Event description
OWASP Czech Chapter Virtual Meeting with a workshop from Abraham Aranguren, talks from 8 awesome speakers and a CTF from Kamil Vavra.

About this Event

Dear OWASP fellows,

Thanks to COVID-19, we were forced to cancel all our 2020 events, but we bring you the online one now! So grab your tickets... you can try the CTF, enjoy the workshop and see very interesting talks.

Schedule

08:00 - CTF starts (by Kamil Vavra)

08:00 - 12:00 Practical Mobile App Attacks By Example Workshop by Abraham Aranguren

12:30 - 13:10 Naughty HttpClient by Fedotkin Zakhar

13:20 - 14:05 Automating Discovery of Security Issues in Binaries (for Lazy People) by Martin Petran

14:15 - 15:00 Introduction and example implementation of user authentication to the web application with new FIDO and W3C standard WebAuthn by Radoslav Bodó

15:10 - 16:00 Security testing Czech e-commerce platforms for online stores & Cookies stealing on Seznam.cz by Marek Tóth

16:30 - 17:00 So you have a blacklist: Optimizing the Protection of IoT devices by a Scored-Prioritized Aging BlackList by Thomas O’Hara

17:10 - 17:40 Icarus Project: Testing and Analyzing Internet Censorship Circumvention Solutions by Mohamed Tita

17:50 - 18:35 Deep dive into LoRa(WAN) RF and Hardware Security by Sébastien Dudek

18:45 - 19:30 Why letting me break into your organisation will help you protect it by Sarka Pekarova

19:30 - End of CTF!

Information about the speakers and talks

Abraham Aranguren

After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Black Hat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1.

Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack/defense course; leader of OWASP OWTF, an OWASP flagship project; Major degree and Diploma in Computer Science; some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard.

He writes on Twitter as @7asecurity, @7a_ and @owtfp, or at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found here.

Practical Mobile App Attacks By Example Workshop

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you: all action, no fluff :)

Attendees will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS. This includes lifetime access to a training VM, vulnerable apps to practice on, guided exercise PDFs and a video recording explaining how to solve the exercises.

BY YOUR REGISTRATION FOR THE WORKSHOP YOU AGREE THAT YOUR EMAIL ADDRESS WILL BE PROVIDED TO THE TRAINER TO PROVIDE THE TRAINING PORTAL ACCESS.

This workshop is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: an entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human rights abuse where a security flaw could get somebody killed in the real world, and more. The workshop offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This workshop is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps. Please come caffeinated: the audience will be challenged to spot vulnerabilities at any moment :)

Fedotkin Zakhar

Fedotkin Zakhar (d4d) is a software security researcher with 10 years of experience. Zakhar has discovered a number of vulnerabilities in open-source libraries, HTTP clients and third-party extensions, primarily written in Java, C++ and PHP.

Naughty HttpClient

The inconsistency between URL parsers and URL requesters is the root cause of Server Side Request Forgery (SSRF). It was first presented at Black Hat 2017 by Orange Tsai in his talk "A New Era of SSRF". In this talk, I will demonstrate new attack variants that work against popular present-day HTTP client libraries and tools.

Finally, I will describe some anomalies I found in various bug bounty programs and share my tool, which can be used to automate the exploitation process.

Martin Petran

Martin Petran has 6 years of experience in penetration testing and reverse engineering and currently works as an Embedded Systems Security Engineer. In his free time he pretends to be a developer and often participates in various CTFs.

Automating Discovery of Security Issues in Binaries (for Lazy People)

Security professionals who focus on exploit development have to, from time to time, work with compiled binaries that are perhaps extracted from the firmware image of an embedded system. In some cases these binaries are several-megabyte monstrosities that contain thousands of cross references to functions that could lead to potential memory corruption issues.

With the fast-paced, delivery-focused model of the majority of consulting companies nowadays, it is very important to be able to prioritize certain tasks to achieve the best coverage in a given amount of time. While it is in theory possible to go through every single reference to functions like "strcpy" or "memcpy", it can also be a very time consuming task that is a good candidate for automation.

Luckily, modern disassemblers/decompilers provide feature-rich APIs that allow for relatively simple tracing of the data sources for given function calls. Moreover, the quality of the pseudo-code those decompilers can produce in 2020 gives us the opportunity to feel like we are reviewing the original source code. Both of these killer features of modern reverse engineering tools are slowly moving us towards a time where an extracted binary would be enough to perform the equivalent of a security source code review, and thus discovering vulnerabilities in closed source software via static analysis is one step closer to the effectiveness of dynamic fuzzing.

While automating vulnerability discovery may sound like buzzwords, the real goal here is not to provide a zero-effort way of discovering vulnerabilities, but rather to provide assistance to the manual work that will save some time and effort and allow us, consultants/researchers, to apply our skills in a more meaningful way. So, is it rocket science to do such automation?

Takeaways:

1. An introduction to the possibilities of modern reverse engineering tools and the powerful APIs that are available for task automation.

2. An in-depth look at one of the tools, Binary Ninja, and a detailed walk-through of how use of its API could allow automating tasks well beyond just vulnerability discovery.

3. Information about the VulnFanatic plugin and encouragement to dive into the world of automating reverse engineering tasks.

4. Bonus takeaway: losing the feeling that vulnerability research, reverse engineering and automation are rocket-science-level tasks. Instead, the goal is to show that enthusiasm and passion for the topic are the key elements of success. ☺

Radoslav Bodó

TBA...

Introduction and example implementation of user authentication to the web application with new FIDO and W3C standard WebAuthn

TBA...

Marek Tóth

Marek Tóth is a Penetration Tester at Avast. His specialization is web application security. In his free time, he finds and reports vulnerabilities to companies, directly or through bug bounty programs. During this year, his focus has been on well-known Czech web applications.

Security testing Czech e-commerce platforms for online stores

The Czech Republic has the highest number of e-shops per population in Europe. To date, more than 42 000 online stores exist in the Czech Republic. I chose four Czech e-commerce platforms that manage over 34 000 online stores and did a basic security test. I focused on XSS vulnerabilities that could affect the administration of the e-shop. In this talk, I will show the vulnerabilities that I found.

Cookies stealing on Seznam.cz

For a long time, Seznam was the number one search engine in the Czech Republic. Just as Google has Gmail, Seznam has its own free mail service too. Many Czechs still have and use email on Seznam. In this talk, I will show how it was possible to steal cookies on Seznam.cz and get access to the victim's email address.

Thomas O’Hara

Thomas O’Hara is a student and researcher at the Czech Technical University in Prague (CVUT). Originally from the United States, he moved to Prague to study electrical engineering and computer science in 2018 and is currently a member of the Aposemat project of the Stratosphere Research Laboratory. The Aposemat project is dedicated to the capture and analysis of malicious traffic targeting IoT devices, as well as the development of analysis tools and intrusion prevention systems. Thomas works as a lab technician, monitoring the infected devices and installing new ones, as well as a researcher and developer.

So you have a blacklist: Optimizing the Protection of IoT devices by a Scored-Prioritized Aging BlackList

IP address blacklists are an integral part of firewall and security systems for any kind of Internet-connected device. Even modern Threat Intelligence feeds are based on IP addresses, domains and URLs. Therefore, the majority of our protection systems, such as those in DNS and browsers, depend on blacklists. However, there has not yet been a good evaluation of how effective these blacklists are, or how they can be optimized for different environments.

Blacklists are implemented either in devices themselves, or in the firewalls and systems that protect those devices. The core of any security framework for most end users, whether home users, businesses or IT admins, is provided by IoCs (Indicators of Compromise), and IoCs are based on the sharing of threat intelligence feeds in the community, which creates them from real attacks. The most basic and fundamental threat intelligence feeds are IP blacklists, which can be designed to focus on numerous different types of attacks, such as APTs, spammers, etc. Blacklists are also often the first line of protection provided by different IPSs (Intrusion Prevention Systems) and IDSs (Intrusion Detection Systems).

Considering that blacklists are so fundamental for the protection of our systems, they should be better evaluated, curated and tested for efficacy.

Mohamed Tita

Mohamed Tita is a 2019 Open Technology Fund Information Controls Fellow. He worked with the Stratosphere Research Laboratory at the Czech Technical University in Prague (CVUT) on testing and documenting Internet censorship circumvention solutions and methods, the result being the Icarus Project.

Icarus Project: Testing and Analyzing Internet Censorship Circumvention Solutions

In the last few years the Middle East and North Africa (MENA) region has witnessed an unprecedented rise of internet censorship. Countries like Egypt, Turkey, Iran and Saudi Arabia have been blocking and restricting access to websites of their adversaries, as well as independent media outlets and human rights organizations. In this talk we present the Icarus Project, an online repository of documented Internet censorship circumvention techniques and methods.

Sébastien Dudek

Sébastien Dudek is a security researcher at Trend Micro and is also the founder of the PentHertz consulting company, specializing in wireless and hardware security. He has been particularly passionate about flaws in radio-communication systems, and has published research on mobile security (baseband fuzzing, interception, mapping, etc.) and on data transmission systems using the power line (Power-Line Communication, HomePlug AV), such as domestic PLC plugs, as well as electric cars and charging stations. He also focuses on practical attacks on various technologies such as Wi-Fi, RFID and other systems that involve wireless communications.

Deep dive into LoRa(WAN) RF and Hardware Security

IoT has been adopted by many application areas including manufacturing, "smart" cities, tracking and other use cases, and has been in the scope of attackers for some time. Chosen for their long range, LPWAN technologies such as NB-IoT, Zigbee and Sigfox, but also LoRa, play a big role in connecting these IoT devices.

In this presentation, we will present attacks on LoRa as well as the LoRaWAN protocol. First, we will see how LoRa and LoRaWAN work, and then we will summarize the previous security research. In order to continue the previous research, and overcome some limitations encountered in the past when attacking these technologies, we will also talk about further solutions and present our tools. Finally, we will talk about hardware attacks and the security mechanisms that we can use to protect LoRaWAN end-devices.

Sarka Pekarova

Sarka has over 10 years of experience in IT, working in various roles from the defensive to the offensive side of the cyber security spectrum. She loves to share her knowledge and passion for social engineering, physical intrusions and deception at various events and in trainings for customers. She enjoys the versatility that shows in the areas she’s involved in, from medical devices, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to social engineering, always with a focus on humans.

She has been speaking and providing workshops at events and for clients like the United Nations Office on Drugs and Crime (UNODC), Transport for London (UK), Layer8 (US), Infosec In the City (Singapore), SheHacks KE (Kenya), BSides Athens (Greece) and BSides Cairo (Egypt).

Her focus is on building information security communities: she has in the past been a board member of OWASP Manchester and is currently co-creator of DC11331, the Parisian DEFCON group, as well as an ambassador for BSides Athens, a co-organizer of BSides Cairo and part of the team behind the DEFCON Biohacking Village CTF.

Why letting me break into your organisation will help you protect it

Why do we always say that humans are the weakest link, and why should we start saying the opposite? During these difficult times, it is more evident than ever how important humans are to protecting our networks. Understanding the human side of cyber security gives an invaluable insight into understanding not only threat actors but our own colleagues and employees, and how to build better strategies with human assets in mind to combat anything from insider threats to external malicious actors.

I will walk you through some approaches to my physical engagements (how I break into places where I should not be and exfiltrate valuable information and assets), as well as go into the side of an engagement that is not always so glorious or movie-like, and how this knowledge can help you protect yourself and your loved ones, as well as how useful it is for your organization.

Additional information

  • The link for each part (CTF, workshop and talks) will be sent by email based on the "ticket purchase".

  • All talks will be in English and the recordings will be available online (with speakers' permission) after the convention.
