This document summarizes an OWASP event held in Hong Kong in July 2013. It includes introductions of the chapter leaders and researchers, an agenda for presentations on the OWASP Top 10 2013 update, mobile browser XSS flaws, length extension attacks, and capturing the flag (CTF) games for security training. Sample CTF questions are provided to illustrate how these games can help develop skills in cryptography, forensics, and vulnerability exploitation. The event aims to provide practical security training and foster an community of researchers.

1. Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Half-Day Event
(Hong Kong Chapter)
Anthony LAI
Chapter Leader
{Alan HO, Zetta KE}
Chapter Researcher
OWASP (Hong Kong Chapter)
July 2013

2. 2OWASP
OWASP Standard
Web application security and awareness
Top 10, coding guidelines and tools
Well-known industry standard set up for nearly
10 years.
Good reference for web application developer,
security officer, penetration tester, IT security
management, compliance officer and auditor.

3. 3OWASP
OWASP Membership and Our Approach
Membership launched
APAC Chapters 20 USD per year for individual
member ( 抵到爛 !)
Corporate member is welcomed (5000 USD per
year)
We commit to give 3-4 half-day events per year
From next seminar, only paid member could join
the event.
No bullshit, no sales talk, no starch, practical
work and research. :-)

4. 4OWASP
RIP. He passed away in SF before Blackhat
(disclosing hack against heart pacemaker)

5. 5OWASP
Speaker Profiles

6. 6OWASP
Speaker Biography and Introduction
Alan HO
Worked as Application Security specialist
Experienced developer
Passionate over Android and Web hacking
VXRL security researcher and CTF crew member
 SANS GWAPT (Gold paper) holder

7. 7OWASP
Speaker Biography and Introduction
Zetta KE
PhD Student in Information System in HKUST
VXRL Researcher and CTF MVP (Most Valuable Player)
Passionate over Web hack, Crypto and PHP
Leading web hack and penetration workshops in
Polytechnic university and HKPC with Anthony Lai.

8. 8OWASP
Speaker Biography and Introduction
Anthony LAI
Chapter Leader, OWASP HK Chapter
Founder and Researcher, VXRL
Focus on penetration test, reverse engineering,
malware analysis and incident response.
Passionate over CTF wargame
Speaking at DEFCON 18-20, Blackhat USA 2010,
AVTokyo 2011-2012, HITCON 2010-2011, Codegate
2012 and HTCIA APAC Conference 2012
SANS GWAPT, GREM and GCFA mentor

9. 9OWASP
Agenda
Introduction
(10 minutes)
OWASP Top 10 2013 Update (Anthony)
(15-20 minutes)
XSS flaws in mobile phone browser (Alan)
(30-40 minutes)
15 minutes break
Length Extension Attack (Zetta)
30-40 minutes
CTF for fun and profit (Anthony)
15 - 20 minutes

10. Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Top 10 2013 Update
Anthony LAI
Chapter Leader
OWASP (Hong Kong Chapter)
anthonylai@owasp.org
<phone>
July 2013

11. 11OWASP
We have got an update this year

12. 12OWASP
OWASP Top 10: 2010 Vs 2013

13. 13OWASP
OWASP Top 10: 2010 Vs 2013

14. 14OWASP
How to interpret each Top 10 item?
Threat, vulnerability and risk

15. 15OWASP
How to interpret each Top 10 item?
Threat, vulnerability and risk

16. 16OWASP
How to interpret each Top 10 item?
Exposure, vulnerable scenario, fix and references

17. 17OWASP
OWASP Top 10 Details and follow up
Left to you to read over
It is a process you must walk through
Identify the top items on your managed or
owned web applications.
Implement guidelines and policy with reference
to OWASP standard.

18. 18OWASP
Alan's show time:
Mobile Phone's Browser XSS
(SANS gold paper published)

19. 19OWASP
Break Time: 15 minutes
Relax a bit … :)

20. 20OWASP
Zetta's show time: Length
Extension Attack (LEA)

21. 21OWASP
CTF (Capture The Flag for
Fun and Profit)

22. 22OWASP
What is CTF game?
You need to get the key for points
Challenges include crypto, network, forensics,
binary/reverse engineering/exploitation, web
hack and miscellaneous.
Top teams could enter final round of contest
DEFCON, Plaid CTF, Codegate, Secuinside are
famous CTFs in the planet and we join every
year.

23. 23OWASP
Why do we enjoy to play?
Challenges are practical
Need your knowledge
Need your skills
Understanding vulnerabilities
Thinking like an attacker
Train you up to manipulate proper tools

24. 24OWASP
Our rank? Any rewards?
Www.ctftime.org
4th
prize in HITCON CTF 2013 (19-20 July,
Taipei)

25. 25OWASP
Our world ranking

26. 26OWASP
Sample Question (1)
Please read the following code, how can you
solve it?

27. 27OWASP
Sample Question (1)
Please read the following code, how can you
solve it?

28. 28OWASP
Question 1
There are a couple of things to note:
We must do the operations in reverse order since
this is the inverse function.
The hex2bin function is only available in PHP >=
5.4.0. Had to resort to the documentation to find
the alternative: pack ("H*", $str)

29. 29OWASP
Sample Question (2)
How about this? Let us do it together:
http://natas14.natas.labs.overthewire.org/

30. 30OWASP
Sample Question (2)
Remember the basic :)

31. 31OWASP
Question (3) – Django RCE Vulnerability
HITCON 2013 Pwn500 question
Django Remote Code Execution (RCE) vulnerability
In Django, there is a library called Pickle to serialize the
Django object into a string and put cookie is signed with
key. The reverse action is called “Unpickle”.
However, “Pickle” library has always trusted the data which
is passed in without validation
Discovered in Y2011.

32. 32OWASP
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/

33. 33OWASP
If the key leaks
We could generate our own cookie and sign it over.

34. 34OWASP
We even could include command execution
1. Generate and sign the new cookie
with command execution
2. Replace the original cookie with our
generated one.

35. 35OWASP
Pwned :)
(Simply input Guest, type in some text in
box and submit)

36. 36OWASP
More than that, we could get the key from
the server to change our command to read
file instead ...

37. 37OWASP
CTF fun and profit
The fun is to practice our security and “kungfu”
The profit is to earning knowledge, building trust
and friendship.
Sometimes, we could get reward :)

38. 38OWASP
Thank you for your listening
anthonylai@owasp.org
alanh0@vxrl.org
Ozetta@vxrl.org
P.S: Non-members cannot get the slide for sure, it depends on the willingness of speakers to share the
slide or not