Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.


Slide 1: OWASP DC Chapter Meeting, March 22, 2005
Hosted by Ed Tracy & Aspect Security
Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, http://www.owasp.org

Slide 2: Agenda
- Pizza
- App Sec News
- Ethics Discussion
- Direction Discussion
- Penetration Testing Lab

Slide 3: App Security News
- SHA-1 Vulnerability
  - Shandong University, China
  - http://www.financialcryptography.com/mt/archives/000355.html
  - Two random hashes will collide in 2^69, not 2^80
- Other current events?

Slide 4: Ethics & Hacking
- 119 Harvard applicants rejected for hacking Harvard web app!
- Who's responsible?
- Other current events?

Slide 5: Chapter Direction
- What should the chapter be doing?
  - Teaching
  - Researching
  - Both?
- Ideas for presentations?

Slide 6: Penetration Testing Lab
- OWASP Web Application Penetration Checklist
- Demonstrations

Slide 7: Tools
- Application proxies
  - WebScarab
  - Paros
  - SPIKE
- Scanners
  - Nikto
  - WebInspect

Slide 8: Approach
- Blackbox vs whitebox
- How far do you go?
  - Breadth-first search
  - Depth-first search
- Documenting results
  - As you go
  - Notes & write-up

Slide 9: Access Control
- Access to URLs
  - Spider with privileged and unprivileged accounts
- Access to objects
  - Manipulating object references
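Both checks on this slide can be expressed as code. The following is an added example (not from the slides or from OWASP's checklist): a direct object reference handler in its unchecked and its ownership-checked form, and a helper that diffs two crawls of the same site, one made with a privileged account and one with an unprivileged account, against the URL policy the application is supposed to enforce. The users, documents, paths and policy are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: documents keyed by the object reference the URL exposes
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's quarterly report"},
    102: {"owner": "bob", "body": "bob's quarterly report"},
}


def get_document_insecure(user: User, doc_id: int) -> str:
    """Vulnerable form: trusts the reference in the request, never checks ownership."""
    return DOCUMENTS[doc_id]["body"]


def get_document(user: User, doc_id: int) -> str:
    """Hardened form: the reference is honoured only if the caller owns it or is admin."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc["owner"] != user.name and user.role != "admin"):
        # Same failure for "missing" and "not yours" so valid ids cannot be enumerated
        raise PermissionError("document not accessible")
    return doc["body"]


# Constructed URL policy: which roles may reach which path
URL_POLICY = {
    "/home": {"user", "admin"},
    "/reports": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/config": {"admin"},
}


def spider_diff(privileged: dict, unprivileged: dict, policy: dict) -> list:
    """Compare two crawls (path -> HTTP status) and return every path the
    unprivileged account fetched with a 200 although the policy does not grant
    the "user" role access to it. Paths absent from the policy are reported too,
    since an undocumented reachable page is itself a finding."""
    findings = []
    for path, status in unprivileged.items():
        allowed = policy.get(path, set())
        if status == 200 and "user" not in allowed:
            findings.append(path)
    return sorted(findings)
```

In a real engagement the two crawl dictionaries come from the proxy's site map for each account; the point of the diff is that a 403 from the unprivileged crawl is the expected result and a 200 on an admin path is the one worth writing up.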

Slide 10: Authentication & Session Management
- Using the app server's session ID?
- Using HTTPS?
- Session fixation?
- Advanced scheme: dynamic session cookie?
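The session fixation question on this slide comes down to one behaviour: does the application keep the session identifier it was handed before authentication, or issue a fresh one on login? The following added example (not from the slides; the credential store, user name and password are constructed) shows a minimal session store with both behaviours side by side, plus the cookie attributes that go with the HTTPS question.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, PBKDF2 hash)
_SALT = b"constructed-salt"
CREDENTIALS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def check_password(username: str, password: str) -> bool:
    entry = CREDENTIALS.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_fixable(self, sid: str, username: str, password: str) -> bool:
        """Vulnerable form: authenticates whatever session id arrived with the
        login request, so an id known before login stays valid afterwards."""
        if sid not in self._sessions or not check_password(username, password):
            return False
        self._sessions[sid]["user"] = username
        return True

    def login(self, sid: str, username: str, password: str):
        """Hardened form: discard the pre-authentication id and issue a new one."""
        if not check_password(username, password):
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, https: bool) -> str:
    """Set-Cookie value for the session; Secure only makes sense when the
    application is actually served over HTTPS."""
    attrs = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if https:
        attrs.append("Secure")
    return f"session={sid}; " + "; ".join(attrs)
```

The test for fixation during an assessment is exactly the sequence the hardened `login` defends against: note the session id issued before login, authenticate, and check whether the old id still resolves to the logged-in user.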

Slide 11: Cross-site Scripting
- Targets: any input that is reflected in a response
  - Search field
  - URL
  - Form fields
- alert('bang')
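The slide lists where reflected input shows up; what decides whether that reflection is exploitable is whether the application encodes it for the HTML context it lands in. The following added example (not from the slides) renders a constructed search page in an unencoded and an encoded form, covering both a text-body and an attribute context, and includes the check a reviewer applies to a response: did the probe come back with its metacharacters intact?

```python
import html


def render_search_insecure(query: str) -> str:
    """Vulnerable form: the search term is reflected verbatim into the page,
    once inside an attribute value and once in element text."""
    return (f'<input name="q" value="{query}">'
            f"<p>Results for {query}</p>")


def render_search(query: str) -> str:
    """Hardened form: encode for the HTML context. quote=True also encodes
    the quote characters, which is what keeps the attribute value closed."""
    safe = html.escape(query, quote=True)
    return (f'<input name="q" value="{safe}">'
            f"<p>Results for {safe}</p>")


def reflected_unencoded(response_body: str, marker: str) -> bool:
    """Review check: True when the marker is reflected with its HTML
    metacharacters intact. An encoded reflection (&lt;u&gt; ...) is the
    expected, safe outcome and does not count."""
    return marker in response_body
```

The marker used in the test is a harmless `<u>probe</u>`; the verdict is the same as for the slide's `alert('bang')`, because what matters is whether `<` and `"` survive the round trip, not what the payload does.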

Slide 12: SQL Injection
- Targets: fields that are likely to be put into database queries
  - Search fields
  - Form fields

Slide 13: Conclusion
- Plenty of areas to test; refer to the checklist

