All the workshop sessions of #Hacktivity2021 can be found on this page. We reserve the right to change the program. Online registration for the workshop sessions will start 1 day before the conference. The registration URL will be published on this page and also sent out via newsletter. PLEASE NOTE: only ticket holders can enter the workshop sessions, so please make sure to get a ticket in case you would like to join.
This workshop is aimed at security-conscious software developers. Modern-day engineers must cultivate a security-aware mindset instead of memorizing an encyclopedia of vulnerabilities and countermeasures. Having a healthy dose of creativity and curiosity will get your farther than knowing acronyms. The workshop is designed to enhance your mindset and help you think “out-of-the-box.” You will be split into teams to solve challenges cooperatively in a virtual environment. Our scope is two well-known OWASP categories: “A03:2021-Injection” and “A05:2021-Security Misconfiguration”. After a brief introduction and real-world case studies, we will jump straight into hacking. By the end, you will look at vulnerabilities and countermeasures in a different light.
Doing host forensics is like solving an exciting mystery. We know something is wrong, we might get some alert from the host but we don’t know what happened (if anything). How the story started, it is an automated breach or hands-on keyboard attack, have they moved laterally, how they secured the persistence? Have they exfiltrated anything?
The forensics examiner should tell you a story when finishing his/her job.
During the first part of the presentation, I will introduce you the free FireEye Redline tool and we will walk through an incident together. Right after as a junior forensics investigator you will get your first assignment and you will have 60-90 minutes to solve the case. I will provide you hints every 10-15 minutes. Bring your own laptop (with VM if you wish) and install FireEye’s Redline 2.0 from here – https://fireeye.market/ before the workshop.
A workshop about subdomain takeover: nowadays, in the age of the cloud environment there are new surfaces to attack these systems. The cloud providers try to give us easier deployment scenarios. This is the breeding ground for the attack, which also affects larger organizations. In the first part of the workshop, we will review the theory and techniques, and then in the second part, we will take a sharp look at the attack in the wild. During the demo, we will go through the entire attack chain, create the Proof Of Concept, and discuss the steps of how to report a vulnerability ethically.
During the workshop we will learn, how does the type confusion attacks are working against browsers. We will start from a type confusion vulnerability (CVE-2017-8601), and write an exploit based on it. We will learn, how to get the Vtable pointer by creating fake integer object. Then based on the VTable pointer how can we create create a fake array object, to implement a read/write primitive. By the help of the read/write primitive we find the address of the stack. Then overwrite the Return Address, to run code.
More and more companies are moving their applications to the cloud to reduce their costs or simplify their operations. However, these applications can be just as vulnerable as the traditional ones, costing massive sums for their owner if exploited by malicious actors.
In this workshop, you can learn the basics of cloud platforms and the fundamental differences between traditional and cloud-hosted applications, vulnerabilities and exploitation techniques. We will be using AWS, the most popular cloud platform, to analyze and exploit some of the most frequent vulnerabilities together.
Requirements for the hands-on parts:
– AWS Free Tier account and AWS CLI (optional)
– Burp Proxy (recommended) or any similar tool capable of submitting HTTP requests (e.g. curl)
A shallow dive into deep water, the topic of web application security stretches wide so this workshop is laser focused. During white box application testing we use the source code to our advantage, uncovering issues that might otherwise remain hidden from standard grey box testing.
In this workshop we go through common examples and techniques to enumerate and find issues in a variety of languages. We will look at real-world applications and recreate exploits to understand how they were discovered. Experience is expected in web application testing as well as understanding code at a superficial level. For requirements: A laptop with your choice of text editor (we will use VSCode), Burp proxy and a python interpreter to run scripts.
Bob recently joined a big and very famous company, Appsec404, which conducts security assessments. Bob has always dreamed of working in this area, and now he has a chance, and he does not want to miss it. At the same time, he was not the only one hired and got the coveted position of an application security specialist, and Bob must prove himself as good as possible. Bob will have to solve many problems related to finding and fixing vulnerabilities to move up the career ladder. At least, the main thing is to do the job and not follow any sorts of rabbits, right?
During our workshop, you will help Bob and face many tasks related to finding vulnerabilities in various web applications and fixing them. To not go into details, we will study the vulnerabilities and reports published on HackerOne and Bugcrowd, and solve a few real problems. In addition, you will learn what needs attention when testing and implementing various functions in web applications and what can happen if certain functions are not used promptly.
If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff 🙂
Attendants will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS.
Lifetime access to a training portal
Vulnerable apps to practice
Guided exercise PDFs
Video recording explaining how to solve the exercises
This workshop is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.
The workshop offers a thorough review of interesting security anti-patterns and how they could be abused, this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.
This workshop is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.
This is a hands-on workshop, FREE access to the slides, vulnerable apps to practice and recording: https://7asecurity.com/free-workshop-mobile-practical