![Page 1: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/1.jpg)
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP EU Tour Bucharest 2013
OWASP Romania Chapter
Chirita Ionel
Application Security Analyst @ EA
Romania Chapter Board Member [email protected]
![Page 2: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/2.jpg)
Romanian Chapter - Europe Tour 2013
- Agenda
Penetration Testing - a way for improving our cyber security
Android reverse engineering: understanding third-party applications
The Trouble with Passwords
Hacking the ViewState in ASP.NET
Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server?
2
![Page 3: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/3.jpg)
Who / What is OWASP?
3
The Open Web Application Security Project
![Page 4: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/4.jpg)
OWASP !n Numbers
12 & counting years of service
55+ paid Corporate Members
2000 individual members from 70 countries
53+ Academic Supporters
88+ Government & industry
citation
4 Global AppSec Conferences
per Year
4
190 + local chapters
Over 30K mailing list users
![Page 5: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/5.jpg)
5
More than …
…monthly unique visitors &
…page views.
OWASP !n Numbers
![Page 6: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/6.jpg)
6
OWASP !n Numbers
![Page 7: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/7.jpg)
OWASP !n Numbers
7
![Page 8: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/8.jpg)
OWASP’s Core Values:
8
We are …
![Page 9: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/9.jpg)
…is our thinking
9
OWASP’s Core Values:
![Page 10: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/10.jpg)
OWASP’s Core Values:
10
We support …
![Page 11: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/11.jpg)
OWASP’s Core Values:
11
…is our creed
![Page 12: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/12.jpg)
12
• Founded in 2011 by Claudiu Constantinescu
• 3 meeting organized yet, more to come
• OWASP Romania Chapter v2.0 – December 2012
• We are ~ 100 people on mailing list
• 40 member on linked in group, not yet a member Join Now !
![Page 13: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/13.jpg)
OWASP Projects
… are distributed in 3 categories
• Protect
Documents & Tools used to prevent design and implementation flaws.
• Detect
Documents & tools created to identify design and implementation flaws.
• Lifecycle
tools and documents that can be used to add security-related activities
into the Software Development Life Cycle (SDLC).
13
http://www.owasp.org/index.php/Category:OWASP_Project
![Page 14: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/14.jpg)
OWASP Projects
14
Protect:
• ESAPI
• ModSecurity
• Security guides
• Appsec Tutorials
• Secure Coding Practices
Detect:
• Webscarab
• Zed Attack Proxy
• JBroFuzz
• Code review guide
• Cheat Sheet Series
• Live CD
Life Cycle:
• SAMM
• WebGoat
• Legal Project
![Page 16: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/16.jpg)
OWASP Top 10 Risk Rating
Methodology
To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness, when they rich boiling point add technical and business impact flavor taking in consideration your organization.
16
![Page 17: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/17.jpg)
OWASP Code Review Guide
• Most effective technique
for identifying security flaws.
• Focuses on the mechanics of
reviewing code for certain
vulnerabilities.
• A key enabler for the OWASP
fight against software insecurity.
• v2 – January 2014
17
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
![Page 18: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/18.jpg)
OWASP Testing Guide
• Web application penetration test
framework.
• what, why, when, where, and
how of test an web application
• More than a checklist
• v4 in progress.
18
https://www.owasp.org/index.php/OWASP_Testing_Project
![Page 19: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/19.jpg)
OWASP Cheat Sheet Series
19
https://www.owasp.org/index.php/Cheat_Sheets
![Page 20: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/20.jpg)
OWASP – Zed Attack Proxy (ZAP)
ZAP Proxy is an easy to use integrated
penetration testing tool for finding
vulnerabilities in web applications.
• Flagship OWASP Project
• Cross platform tool
• Features:
Intercepting proxy
Port scanner
Brute force tool
Spider
Fuzzer
Automatic & passive scanner
20
![Page 21: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/21.jpg)
OWASP WebGoat Java Project
• Deliberately vulnerable J2EE web
application
• Guide for secure programming
• Realistic teaching environment
• More than 30 hands on lessons
including:
XSS
Access control
SQLi
Hidden form manipulation
Weak session cookies
… + many more.
21
![Page 22: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/22.jpg)
Webscarab
Java based framework used for analyzing web applications and web services that communicate over http & httpS
22
https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
![Page 23: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/23.jpg)
This is a part of what OWASP offers
23
![Page 24: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/24.jpg)
What about you?
• OPEN our door, join as a member
• Innovate and participate in an OWASP project
• Attend GLOBAL OWASP AppSec series conference
• Act with INTEGRITY
24
![Page 25: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/25.jpg)
What next? Consider…
• Donating
• Attending local chapter regular meeting
• Contributing to an OWASP project
• Developers, beta testers, etc.
• Attend on Europe OWASP AppSec series Conference
25
![Page 26: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/26.jpg)
Affiliation and Membership
Categories of Membership and Supporters:
• Individual Supporters
• Single Meeting Supporter
• Event Sponsorship
• Organization Supporters
• Accredited University Supporters
26
![Page 27: Presentation Title · Chirita Ionel Application Security Analyst @ EA Romania Chapter Board Member chirita.ionel@gmail.com . Romanian Chapter - Europe](https://reader033.vdocuments.site/reader033/viewer/2022041622/5e3ff312e99fb5625e2d7acc/html5/thumbnails/27.jpg)
Benefits…?
Ethics and principals of OWASP Foundation
• Underscore your awareness of web application software security
• Attend OWASP conferences at a discount
• Expand your personal network of contacts
• Support a local chapter of your choice
• Get your @owasp.org email address
• Have individual vote in elections
27
https://owasp.org/index.php/Membership