Friday, November 18, 2011

Last night's OWASP Long Island Meeting

laptop.jpg

I  hosted the local Long Island chapter of OWASP last night at my place of work for a hands-on evening of playing around in a bring-your-own-laptop lab environment. I had set up an virtual infrastructure that was so vulnerable to attack that it almost looked like a real work place. 

For this session, the OWASP guys provided bootable BackTrack 5 RC1 DVDs, and I provided the virtual machines, a switch,  power, networking cables, etc. After a brief introduction, we got started right away. 

We went through a number of hands-on exercises, ranging from quick exercises with the Metasploit Framework and the w3af to arp poisining and dsniff. After having identified some credentials on the wire, we did some hands-on exploitation of a SQL injection flaw, and we mucked around a bit more with other "features" in this custom-developed web app. All in all, we managed to covered about 6 examples of the OWASP top-10. Around 10:30pm, we called it quits and wrapped up for the night, but not after having agreed to a to-be-continued sessions some time in January. 

As a firm believer in hands-on learning (in addition to studying texts), it was very satisfying to see how quickly participants who may have never even used a Linux distribution, took to getting into "breaking stuff". As everything was running on a virtual infrastructure, participants did not have to be afraid to cause accidental damage, and that showed ;)

All-in-all, I think we had a good time. Next time, I'll make a few more tweaks and bring a slightly more powerful server for the VM infrastructure, but that's about all that needs to happen to take this show on the road.



No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.