Hands-On Track
Assessing and Exploiting Mobile Applications with OWASP MobiSec
Kevin Johnson, CEO, Secure Ideas, LLC
James Jardine, Principal Security Consultant, Secure Ideas, LLC
Monday, March 23 & Tuesday, March 24
Technical Level: High
How much of your corporate data is leaking out through users’ mobile devices and applications?
Mobile devices and applications are here to stay, and the industry is long past trying to keep personal—or even company-supported—devices off the network. But without access to the device itself and limited control over applications installed on the devices, security teams are at the mercy of users…or are they?
In this hands-on, lab-driven track, students will be taught the tools, techniques, and methodology to perform penetration testing of mobile devices and applications, from the inside out. This track, created by the project leads for the OWASP MobiSec project, will walk participants through how to perform an effective mobile pen test, mapping, forensic discovery, and even exploitation—so you can learn how to stop data leakage before it happens.
Monday, March 23
Mobile Applications
• Penetration testing
• Methodology
  o Mapping
  o Discovery
  o Exploitation
• OWASP MobiSec
• Exercise: Set up and use MobiSec
Testing Lab
• Systems
  o Windows
  o Linux
  o Mac
• Device OSs
  o Android
  o iOS
  o Windows Phone
• Exercise: Lab Setup
Mapping
• Obtaining applications
  o Source
  o Compiled and in an app store
• Installing apps onto test devices
  o Retrieving applications and supporting files from the device
• Exercise: Manipulating devices and emulators
  o Android
  o Windows Phone
  o iOS
• Intercepting traffic
  o Emulator methods
  o Device methods
• Tools
  o Fiddler
  o Burp
  o Mallory
  o Exercise: Interception
Discovery
• Analyzing application files
  o SQLite databases
  o Backup files
  o Application binaries
  o Exercise: Analyzing application files
• Fuzzing
  o Burp Intruder
  o Burp Repeater
  o Fiddler
  o Exercise: Burp Intruder and Repeater
  o SQLMap
  o Python scripts
  o WSFuzzer
  o SOAPUI
  o Exercise: WSFuzzer and SOAPUI
Tuesday, March 24
Exploitation
• SQL Injection
  o Absinthe
  o SQLMap
  o Exercise: SQL Injection
• Cross-Site Scripting
  o BeEF
  o Exercise: BeEF
• Other Client-Side attacks
  o Client-Side SQL injection
• Session and Wireless attacks
  o Wireless MiTM
  o Wireless Probe Spoofing
  o Session Hijacking
  o Logic Attacks
  o Exercise: Session Hijacking and Logic Attacks
Capture the Flag
• Flag-based challenges
• Android
• Windows Phone
• Back-end infrastructure
Requirements:
The tutorial requires that students bring a laptop with at least 8GB of RAM and VMware Player or Fusion.
Who should attend:
IT staff looking to understand and learn how to assess and exploit mobile applications and their infrastructure should attend.
Schedule
Monday, March 23
8:30 AM – 9:30 AM Conference Keynote
9:30 AM – 12:15 PM Hands-On Tutorial
12:15 PM – 1:30 PM Luncheon and Keynote
1:30 PM – 5:15 PM Hands-On Tutorial
Tuesday, March 24
8:30 AM – 11:00 AM Hands-On Tutorial
11:15 AM – 12:15 PM Conference Keynote
12:15 PM – 2:00 PM Lunch and Expo
2:00 PM – 5:15 PM Hands-On Tutorial