We did our workshop on testing web applications at Scottish Ruby Conf today. It took place at Crieff Hydro and was targeted at Ruby developers and other people who are keen on the language. This is the conference's fifth year, and Rory has taken part in all of them.
The workshop was a bit like the one we did at BSides London last year – only where that one dealt with a sample infrastructure, this one covered how we go about testing a web app – including an introduction to Burp and some sample exercises from OWASP ‘RailsGoat’ (a deliberately vulnerable web app based on Ruby on Rails). We spent all day yesterday setting it up and cloning and testing 40 VMs. The VMs went on our new mini-server ‘Rhododendron’ and two laptops – we also had three Wi-Fi routers and sundry cables – so not as much stuff as last year but still a fair amount (the nice thing this year being that we could stick it all in the car boot).
We had done a fair bit of work to make sure that the whole workshop would work offline, because we have been to enough conference hotels to know that the wireless connection to the internet would really suck. This proved a challenge, because late yesterday afternoon we noticed that the app uses the Google Chart API, which doesn’t work offline. Luckily Rory managed to hack that part of it out and we were good to go. We got up at six to arrive at Crieff nice and early – had a good breakfast and got set up in plenty of time. We had been warned that plenty of people would turn up – and sure enough – we had nearly 40.
We were bang on the money about the hotel Wi-Fi and very glad we didn’t rely on it, because it was very slow and caused issues in the other workshops we attended. Then our audience arrived (95% male and 95% Mac users – not necessarily the same people though!). Everything seemed to go very well and the majority of our demos worked. One thing I would take away from it is that if we do it again we need to go over the tool setup part more slowly and allow more time for showing people stuff – we tend to forget how complex these things are, as we do them every day.
But we got about 3/4 of the examples done and we were able to show SQLi, XSS and command injection actually working – I think the real and immediate impact they have surprised some of the audience. Our presentation is attached to this post and includes some more general notes on web application testing.

Some of the things we mentioned today…

The Web Application Hacker’s Handbook, which we recommended, is available here :- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Exploiting-ebook/dp/B005LVQA9S/ref=sr_1_1?s=books&ie=UTF8&qid=1399909420&sr=1-1&keywords=web+application+hackers+handbook

OWASP Top 10 here – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

RailsGoat (sample app used) – https://github.com/OWASP/railsgoat

Sample XSS vectors – http://html5sec.org/
We are happy to answer any questions from attendees at the workshop – our addresses are on this site. Great conference, nice venue (shame about the Wi-Fi). Hope to be back next year.