Tonight Barry Archer will be giving quick demonstrations of three web
application attacks (all publicly disclosed and fixed) that he learned about at
BlackHat.

1. Using XSS (cross-site scripting) in an email field to steal a
privileged PHP session ID that is then used to log in as an admin.

2. Blind SQL injection against an application with MySQL on the back end.
This demonstrates how response timing was used to enumerate an MD5 hash from a
vulnerable application.

3. A nifty example of how LFI (local file inclusion) in a PHP application
can result in a remote shell.
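For readers who want the "how to prevent" half of the talk in code, the following is an added example written for this announcement; it is not code from the talk, from Barry Archer, or from the chapter. It shows the defensive PHP pattern for each of the three issue classes above: output encoding plus a hardened session cookie for the XSS case, a bound parameter for the MySQL query, and a fixed allowlist for the include. All function names, the `users` table, and the `pages/` paths are illustrative assumptions.

```php
<?php
// Added example (not from the talk or the chapter): defensive PHP patterns
// for the three issue classes in the announcement. Function names, the
// "users" table and the pages/ paths are illustrative assumptions.

declare(strict_types=1);

// 1. XSS in an email field -> stolen session ID.
//    Encode every user-supplied value on output, and keep the session cookie
//    out of reach of page scripts so a successful XSS cannot simply read it.
function renderEmail(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function startHardenedSession(): void
{
    ini_set('session.cookie_httponly', '1'); // not readable via document.cookie
    ini_set('session.cookie_secure', '1');   // only sent over HTTPS
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_start();
}

// After a successful login, rotate the ID so a pre-login session ID that
// leaked earlier is worthless for the now-privileged session.
function promoteSessionAfterLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// 2. Blind (timing-based) SQL injection against MySQL.
//    Use real server-side prepares and bind the input as a parameter; the
//    value can never become part of the SQL text, so a timing probe is just
//    an odd-looking username that matches no row.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side escaping
    ]);
}

function findUserByName(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. LFI -> remote shell.
//    Never pass request data to include(); map it through a fixed allowlist
//    so the only files that can ever be included are the ones listed here.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): string
{
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return PAGES['home']; // fall back to a known file, never to the raw input
    }
    return PAGES[$requested];
}

// Usage with constructed values:
// startHardenedSession();
// echo renderEmail('<b>bold</b>@example.com');   // &lt;b&gt;bold&lt;/b&gt;@example.com
// $db = connect('mysql:host=localhost;dbname=app', 'app', 'secret');
// $user = findUserByName($db, $_POST['username'] ?? '');
// include resolvePage($_GET['page'] ?? 'home');
```

The common thread is that none of the three functions ever lets request data choose code or structure: the email is data inside HTML, the username is data inside a prepared statement, and the page name is a key into a table the application controls.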

Barry will talk about how these vulnerabilities get exploited and, most
importantly, how to spot and prevent similar issues in your applications.

As usual there will be ample opportunities to meet and chat with Kansas
City's finest and friendliest information security folks.

The location is in Westport at McCoy's Foundry (in the meeting room between
the Foundry and the Patio side of the restaurant, so we can use the big screen
for the presentation).

The meeting formally begins at 6:30 and the reservation runs from 6PM to 8PM.
We do not yet have a corporate sponsor for food or drink; if your company
would like this opportunity, please contact the chapter lead (info below).

Mat Caughron
KC OWASP volunteer chapter lead

January 9th: Tonight: OWASP - Barry Archer shows "Using XSS", "SQL Injection" and "LFI" attacks