Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP University Challenge
OWASP AppSec-USA, September 2011
The OWASP University Challenge
- Attack
- Defence
The OWASP University Challenge: 3 Teams
- Dakota State University
- University of North Carolina at Charlotte
- St. Cloud State University
Final Score:
Winner of the Attack part: St. Cloud State University
- Joshua Platz
- Jake Soenneker
Web and Encryption Vulnerabilities
- XSS, easy and hard ways (plain-text vs. ASCII-character payloads)
- Blocks of suspicious encoding (ASCII, unescape, reverse, HTML markup)
- Browser agents: faking browser identity
- Executing remote code (rogue PHP shell script)
- Client-side vs. server-side authentication
- Fake images / pages
- Reference locations
- Hidden elements
Encryption Vulnerabilities
- SSH vulnerability
- Cipher analysis
Winner of the Defence part: University of North Carolina at Charlotte
- Joshua Schroeder
- Joel Kerr
- Chris Burke
Object Binding (UNC Charlotte)
- Systematic problem with MVC frameworks: request parameters are bound automatically to the fields of the model object
- Any parameter whose name matches a setter gets bound, including fields the form never exposed (mass assignment)
- Spring's DataBinder class can be used as mitigation
- Its setAllowedFields property whitelists the parameters that may be bound; everything else is dropped before binding
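The problem and the mitigation side by side, as an added example written for this page (not code from the slides or from UNC Charlotte's entry). It assumes Spring MVC 3.x; the User class, its fields and the /users/update mapping are hypothetical.

```java
// Added example (not from the slides or from UNC Charlotte's entry): a Spring MVC
// controller showing the mass-assignment problem and the setAllowedFields mitigation.
// The User class, its fields and the /users/update URL are hypothetical.
package example;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class UserController {

    // Model object that the framework populates from request parameters.
    public static class User {
        private String username;
        private String email;
        private boolean admin;   // set by an administrator, never from the user's own form

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Without this binder setup, POST /users/update?username=bob&email=bob@example.com&admin=true
    // sets admin=true: the binder calls every setter whose name matches a parameter,
    // whether or not the form ever rendered that field.
    @InitBinder("user")
    public void restrictBindableFields(WebDataBinder binder) {
        // Whitelist: only these parameters may be bound to the "user" model attribute.
        // Anything else (admin, id, ...) is removed from the property values before binding.
        binder.setAllowedFields("username", "email");
    }

    @RequestMapping(value = "/users/update", method = RequestMethod.POST)
    public String update(@ModelAttribute("user") User user) {
        // user.isAdmin() keeps its default here regardless of what the request contained.
        // ... persist user ...
        return "redirect:/users";
    }
}
```

Parameters outside the allowed list are discarded silently (Spring logs the drop at debug level), so the request succeeds without the extra field taking effect. DataBinder also offers setDisallowedFields for a blacklist, but a blacklist misses every sensitive field added to the model later; the whitelist is the form to keep.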
Web Application Firewall
- mod_jk links Apache to Tomcat, so every request passes through Apache and its modules before it reaches the application
- ModSecurity identifies and denies XSS and SQL injection attacks
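What that Apache front end looks like, as an added configuration example written for this page (not the team's actual configuration). It assumes ModSecurity 2.x; module paths, the worker name "tomcat1", the /app/ mount and the CRS include path are assumptions.

```apache
# Added example (not from the slides or from UNC Charlotte's entry): Apache httpd
# fronting Tomcat via mod_jk, with ModSecurity 2.x inspecting each request before
# it is forwarded. Paths, the worker name and the /app/ mount are assumptions.

LoadModule jk_module        modules/mod_jk.so
LoadModule security2_module modules/mod_security2.so

# mod_jk: forward /app/* to Tomcat's AJP connector. workers.properties (assumed) contains:
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=127.0.0.1
#   worker.tomcat1.port=8009
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info
JkMount       /app/* tomcat1

<IfModule security2_module>
    # "DetectionOnly" logs without blocking; use it while tuning, then switch to On.
    SecRuleEngine On
    # Needed to inspect POST bodies, not just the query string.
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log

    # Normalise before matching: without these transformations %3Cscript%3E or
    # &lt;script&gt; slips past a naive pattern (the "suspicious encoding" trick above).
    SecDefaultAction "phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

    # Two illustrative signatures. IDs 1-99999 are reserved for local rules.
    SecRule ARGS "@rx <script|javascript:|onerror\s*=" \
        "id:1001,msg:'XSS attempt in request parameter'"
    SecRule ARGS "@rx union\s+select|or\s+1\s*=\s*1" \
        "id:1002,msg:'SQL injection attempt in request parameter'"

    # In practice load the OWASP ModSecurity Core Rule Set rather than hand-written
    # signatures (path is an assumption):
    # Include conf/modsecurity_crs/*.conf
</IfModule>
```

Phase 2 rules run before Apache's content handler, so a denied request is answered with 403 by Apache and mod_jk never forwards it to Tomcat. Pattern rules are a second line of defence only: they are bypassable by encodings and variants the signatures do not cover, which is why the application-level fixes on the next slides still matter.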
Input Validation
- Problems identified with the ASIDE static analysis tool (Application Security IDE, an Eclipse plug-in)
- ASIDE provides mitigation suggestions
- Input validation as a defense against XSS
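The two steps such a mitigation suggestion leads to, as an added example written for this page (not code from the slides or from ASIDE's own output): allowlist validation on a field with a known format, and HTML output encoding for anything rendered into the page. Class and method names are hypothetical; no framework is assumed.

```java
// Added example, not from the slides or from ASIDE: input validation plus output
// encoding as an XSS defense in plain Java. Class and method names are hypothetical.
import java.util.regex.Pattern;

public class GreetingPage {

    // Allowlist for a username field: letters, digits, "_", ".", "-", 1 to 32 chars.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    // Vulnerable: untrusted input concatenated straight into HTML.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Step 1: allowlist validation. Reject anything outside the expected format
    // instead of trying to strip "bad" characters out of it.
    static String validateUsername(String name) {
        if (name == null || !USERNAME.matcher(name).matches()) {
            throw new IllegalArgumentException("username does not match allowed format");
        }
        return name;
    }

    // Step 2: encode for the HTML text/attribute context at the point of output.
    // Validation alone is not enough for free-text fields, where an allowlist this
    // tight is impossible; the encoder is what keeps the browser from seeing markup.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: validate on input, encode on output.
    static String renderSafe(String name) {
        return "<p>Hello, " + encodeForHtml(validateUsername(name)) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample payload.
        String payload = "<script>alert(document.cookie)</script>";

        // The script element reaches the browser intact.
        System.out.println(renderUnsafe(payload));

        // A well-formed username passes validation and renders unchanged.
        System.out.println(renderSafe("alice_01"));

        // The payload fails the allowlist and never reaches the page.
        try {
            renderSafe(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A free-text comment cannot be allowlisted this strictly; encoding does the work.
        System.out.println("<p>" + encodeForHtml(payload) + "</p>");
    }
}
```

The encoder above is for HTML body and attribute values only; a value placed inside a JavaScript string, a URL or a CSS property needs the encoder for that context, which is why the OWASP ESAPI and Java Encoder projects ship one per context.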