Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP OWASP DC Chapter Meeting March 22, 2005 Hosted by Ed Tracy & Aspect Security

OWASP AGENDA  Pizza  App Sec News  Ethics Discussion  Direction Discussion  Penetration Testing Lab

OWASP App Security News  SHA-1 Vulnerability  Shandong University, China  html html  Two random hashes will collide in 2^69, not 2^80  Other current events?

OWASP Ethics & Hacking  119 Harvard Applicants Rejected for Hacking Harvard Web App!  Who’s responsible?  Other current events?

OWASP Chapter Direction  What should the chapter be doing?  Teaching  Researching  Both?  Ideas for presentations?

OWASP Penetration Testing Lab  OWASP Web Application Penetration Checklist  Demonstrations

OWASP Tools  Application Proxies  WebScarab  Paros  SPIKE  Scanners  Nikto  WebInspect

OWASP Approach  Blackbox vs Whitebox  How far do you go  Breadth-First-Search  Depth-First-Search  Documenting Results  As-you-go  Notes & Write up

OWASP Access Control  Access to URLs  Spider with privileged and unprivileged accounts  Access to Objects  Manipulating object references

OWASP Authentication & Session Management  Using app server’s session ID?  Using HTTPS?  Session fixation?  Advanced scheme: dynamic session cookie?

OWASP Cross-site Scripting  Targets -Any input that is reflected in a response  Search field  URL  Form fields  alert(‘bang’)

OWASP SQL Injection  Targets -Fields that are likely to be put into database queries  Search fields  Form fields

OWASP Conclusion  Plenty of areas to test, refer to the checklist