Hands-On Track
Assessing and Exploiting Mobile Applications with OWASP MobiSec
Kevin Johnson, CEO, Secure Ideas, LLC
James Jardine, Principal Security Consultant, Secure Ideas, LLC
Monday, March 23 & Tuesday, March 24
Technical Level: High
How much of your corporate data is leaking out through users’ mobile devices and applications?
Mobile devices and applications are here to stay, and the industry is long past trying to keep personal—or even company-supported—devices off the network. But without access to the device itself and limited control over applications installed on the devices, security teams are at the mercy of users…or are they?
In this hands-on, lab-driven track, students will be taught the tools, techniques, and methodology to perform penetration testing of mobile devices and applications, from the inside out. This track, created by the project leads for the OWASP MobiSec project, will walk participants through how to perform an effective mobile pen test, mapping, forensic discovery, and even exploitation—so you can learn how to stop data leakage before it happens.
Monday, March 23
Mobile Applications
•
Penetration testing
Penetration testing•Methodology
Methodology oMapping
Mapping oDiscovery
Discovery oExploitation
Exploitation•OWASP MobiSec
OWASP MobiSec•Exercise: Set up and use MobiSec
Exercise: Set up and use MobiSecTesting Lab
•Systems
Systems oWindows
Windows oLinux
Linux oMac
Mac•Device OSs
Device OSs oAndroid
Android oiOS
iOS oWindows Phone
Windows Phone•Exercise: Lab Setup
Exercise: Lab SetupMapping
•Obtaining applications
Obtaining applications oSource
Source oCompiled and in an app store
Compiled and in an app store•Installing apps onto test devices
Installing apps onto test devices oRetrieving applications and supporting files from the device
Retrieving applications and supporting files from the device•Exercise: Manipulating devices and emulators
Exercise: Manipulating devices and emulators oAndroid
Android oWindows Phone
Windows Phone oiOS
iOS•Intercepting traffic
Intercepting traffic oEmulator methods
Emulator methods oDevice methods
Device methods•Tools
Tools oFiddler
Fiddler oBurp
Burp oMallory
Mallory oExercise Interception
Exercise InterceptionDiscovery
•Analyzing Application files
Analyzing Application files oSQLlite databases
SQLlite databases oBackup files
Backup files oApplication binaries
Application binaries oExercise: Analyzing application files
Exercise: Analyzing application files• Fuzzing
oBurp Intruder
Burp Intruder oBurp Repeater
Burp Repeater oFiddler
Fiddler oExercise: Burp Intruder and Repeater
Exercise: Burp Intruder and Repeater oSQLMap
SQLMap oPython scripts
Python scripts oWSFuzzer
WSFuzzer oSOAPUI
SOAPUI oExercise: WSFuzzer and SOAPUI
Exercise: WSFuzzer and SOAPUITuesday, March 24
Exploitation
•SQL Injection
SQL Injection oAbsinthe
Absinthe oSQLMap
SQLMap oExercise: SQL Injection
Exercise: SQL Injection•Cross-Site Scripting
Cross-Site Scripting oBeEF
BeEF oExercise: BeEF
Exercise: BeEF•Other Client-Side attacks
Other Client-Side attacks oClient-Side SQL injection
Client-Side SQL injection•Session and Wireless attacks
Session and Wireless attacks oWireless MiTM
Wireless MiTM oWireless Probe Spoofing
Wireless Probe Spoofing oSession Hijacking
Session Hijacking oLogic Attacks
Logic Attacks oExercise: Session Hijacking and Logic Attacks
Exercise: Session Hijacking and Logic AttacksCapture the Flag
•Flag-based challenges
Flag-based challenges•Android
Android•Windows phone
Windows phone•Back end infrastructure
Back end infrastructureRequirements:
The tutorial requires that students bring a laptop with at least 8GB of RAM and VMWare Player or Fusion.
Who should attend:
IT staff looking to understand and learn how to assess and exploit mobile applications and their infrastructure should attend.
Schedule
Monday, March 23
8:30 AM – 9:30 AM Conference Keynote
9:30 AM – 12:15 PM Hands-On Tutorial
12:15 PM – 1:30 PM Luncheon and Keynote
1:30 PM – 5:15 PM Hands-On Tutorial
Tuesday, March 24
8:30 AM – 11:00 AM Hands-On Tutorial
11:15 AM –12:15 PM Conference Keynote
12:15 PM - 2:00 PM Lunch and Expo
2:00 PM – 5:15 PM Hands-On Tutorial
Top-notch training. Compelling speakers. Meaningful interactions.
Join the conversation using #InfoSecWorld
Contact Us
Registration/General Inquiries:
Customer Service
(508) 879-7999 ext. 501
Speaking Opportunities:
Katherine Teitler
Director of Content Development
[email protected] or (508) 532-3624
Exhibit Sales:
Vendors A-L
CJ Oliveri
Director of Sales, Conference Division
[email protected] or (508) 532-3609
Vendors M-Z
Howard Weinman
Director of Sales, Conference Division
[email protected] or (508) 532-3652
