Version 1

Workshop (3h): Attacking and Defending Web Applications

The Best Defense is a Strong Offense

A lot has changed since the invention of the internet and the world wide web.
It has become essentially impossible to imagine a setting where no web applications — such as webshops, messaging applications or social media sites — exist.
With that omnipresence, it becomes increasingly important to consider security in an online world.
Web applications are no longer the static pages they once were, and this opens the doors to a plethora of attacks that could endanger a business or its users.

After an introduction with an overview of some common vulnerabilities in webapps, we intend to give participants some insight into practical attacks and vulnerabilities through a gamified experience.
Several small teams will attack each other, while trying to defend their own team website.
Don't panic, no real websites will be harmed in the process. This will just be a toy website provided by us, without any legal ramifications.

Prerequisites An interest in cyber security, some minor programming experience and a computer to work from.
We will take care of the necessary infrastructure and vulnerable web application.

Disclaimer:We only condone the use of this knowledge for ethical hacking within a legal framework.
Any malicious use of knowledge and experience obtained through this workshop is your own responsibility.

Part I: Introduction to Web Security (ca. 1h)

In the first part of the talk, attendees will be introduced to the world of web apps with an overwhelming focus on their security.
First, we will give an overview of the most common technologies used throughout modern web apps, such as Python + Flask, PHP, MySQL, etc.
Next, attendees will receive a brief but broad introduction into many different types of vulnerabilities and ways to exploit them.
Starting at one of the - if not the - most well known vulnerability, an SQL injection, and ending with some rather exotic - although still very relevant - ones, such as Server Side Request Forgery (SSRF) or broken JSON Web Tokens (JWT).

Part II: Attack and Defense (ca. 2h)

The second part focuses on putting the skills learned in the first part to practical use.
Initially, attendees will be divided into small team.
Every team will have a server assigned, with a small toy web app running.
The web app is the same for every team and has multiple vulnerabilities that can be exploited in various ways.
The goal is to first identify the vulnerabilities, then patch them on your server, while simultaneously exploiting all other servers.
To get points for exploiting, attendees will have to retrieve something (usually called a flag) stored on the other server, for example in the database.
Like in real web apps, the flag will continuously change and hence the exploit is not a one time set and forget affair, but rather a task of - at least somewhat - automation.

Teams have both physical as well as networked root access to their server.
The source code is available through a Git server running for every team, which will also automatically build and deploy any updates to the code.
Furthermore, we will provide helper software to ease the automation of exploits.
Additionally, every team will have an interface for viewing a complete dump of all traffic coming and going to their server, allowing them to quickly react to exploits and even attempt to steal them.
Lastly, a member of flagbot, the ETH students' CTF team and the organizer behind this event, will be assigned to every team, helping out in every way they can - without actively attacking or defending.

Following a short introduction explaining the above in a bit more detail, we will kickoff the event, running for 2 hours.
After it ended, we will briefly discuss intended solutions as well as any creative exploits or unintended bugs we saw.
Additionally, we will be answering any questions that might arise.
Lastly, the network dumps of the whole event will be published online to dissect and take a look at.

About Flagbot

„Flagbot“ is ETH's Capture The Flag team.
Every weekend we take part in online (and sometimes onsite) hacking competitions in the world, and we offer students the thrills of being part of one of the top ranking teams fighting tooth and nail against other passionate hackers to get the latest flag.
In 2019 we ranked first in Switzerland, and looking forward to become the best in the world.
Furthermore, every Monday we provide lectures on modern hacking topics and techniques to get new members up to speed.
Amongst other things, last year we organized our first big event (BjörnCTF), and organized many collaborations with EPFL's CTF team.


Day: 2020-10-09
Start time: 19:00
Duration: 03:30
Room: ETH (C)
Track: Hacktrack


Concurrent Events