Security: Difference between revisions

From ICO wiki
Revision as of 16:21, 26 March 2013

Team page for Deploying IT Infrastructure Solutions.

Team Members

  • Sten Aus Estonian Information Technology College
  • Matis Palm Estonian Information Technology College
  • Sandra Suviste Estonian Information Technology College
  • Markus Rintamäki Vaasa University of Applied Sciences
  • Tomas Lepistö Vaasa University of Applied Sciences
  • Mika Salmela Vaasa University of Applied Sciences
  • Kęstutis Tautvydas Vilnius University of Applied Sciences
  • Jurij Lukjančikov Vilnius University of Applied Sciences

Goal

  • OWASP top 10
  • HACK DVWA
  • BackTrack, SamuraiCD (Last year experience)
  • Scanning and testing tools - Qualys SSL Labs
  • Acunetix Web Vulnerability Scanner v.8
  • SubGraph Vega
  • BEAST attack
  • RC4

Activity

Monday - 25.03.13

Things we did that day

  • Lectures
  • Sumorobot programming
  • Dinner @ St Patricks

Tuesday - 26.03.13

Things we did that day

  • Documentation! OWASP Top 10 (2013) items and who documents each:
      • A1 Injection - Sandra
      • A2 Broken Authentication and Session Management (was formerly A3) - Kestutis
      • A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis
      • A4 Insecure Direct Object References - Markus
      • A5 Security Misconfiguration (was formerly A6) - Tomas
      • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika
      • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten
      • A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis
      • A9 Using Known Vulnerable Components (new, but was part of former A6 Security Misconfiguration) - Jurij
      • A10 Unvalidated Redirects and Forwards - Sten


Problems we faced:

  • Still need to get everyone a VM with DVWA running
  • Second problem

Things we plan to do:

  • Copy Paste
  • Divide OWASP tasks

Wednesday - 27.03.13

Things we did that day

  • First thing
  • Second thing

Problems we faced:

  • First problem
  • Second problem

Questions and answers from client:

  • First Question

Answer to question

  • Second Question

Answer to question

Things we plan to do:

  • First thing
  • Second thing


Results

Summary of what we did and the solution we developed

Final documentation

Analysis

Solution

IP Feedback

Member 1 feedback

I liked this and that.

Member 2 feedback

I liked this and that. Didn't like.