OWASP Albuquerque

Welcome

OWASP Albuquerque is for anyone here in town to discuss software security topics. We have a couple of discussion ideas in mind, but we are also eager to hear what you would like to talk about!

Next Event: Cross-Site Request Forgery Basics

Tuesday, April 30, 2024, at 5:30 pm

Cesar Chavez Community Center, Meeting Room

Franklin and Althea will discuss the basics of Cross-Site Request Forgery (CSRF), assuming as little knowledge of web development as possible. This will include a review of how web browsers load and render web pages by making HTTP requests to a web server, how cookies are used to authenticate requests, and how authenticated requests are spoofed in a CSRF attack. They will also discuss browser security mechanisms that facilitate CSRF prevention, and what a website designer can do to prevent these attacks. The talk will be followed by a lab exercise from Portswigger.

Please RSVP to [email protected]. If you want to participate in the lab exercise, please bring a personal computer and make an account on the Portswigger website before the event. It is also recommended (but not required) to install either Burp Suite Community Edition, or another web proxy of your choice.

Agenda:

  • Meet and greet
  • Featured presentation “Cross-Site Request Forgery Basics”
  • Elect 2 co-leaders for next year
  • Pitch ideas and recruit volunteers for future presentations

Centennial Science and Engineering Library

Centennial Library is located on the University of New Mexico campus, near the corner of University Blvd. and Central Ave.

Public parking is across the street on University Blvd. Street parking is available south of Central Ave.

The entrance is a small building that leads you underground.

A valid government-issued or student picture ID is required to enter the Centennial Science and Engineering Library. Have your photo ID ready to show at the downstairs turnstile.

Wednesday, March 27, 2024, at 4 pm

Code Eyeballing

UNM Centennial Library, DEN2

Rose will guide us through a code review of a simple web application. Participants will be invited to eyeball code in the context of their favorite risk from OWASP Top 10; list issues; discuss remediation strategies; and prioritize remediations.

All activities can be completed by looking at code. But you can also test on your machine with Docker: deploy https://github.com/pzzd/docker-lamp and send a request to [email protected] for access to the web application repo.

Our space is limited to 16 people, so please RSVP to [email protected].

Agenda:

  • Greetings and salutations
  • Featured presentation “Code Eyeballing”
  • Pitch ideas and recruit volunteers for future presentations

Monday, November 27, 2023, at 4 pm

Basics of SQL injection

UNM Centennial Library, DEN2

UNM student Franklin Pezzuti Dyer will discuss the basics of how databases might be used for web applications, how a web app can manipulate a database using SQL, and how this can leave an app open for attack if SQL commands are handled unsafely. The meeting will consist of a short introductory talk, followed by a lab session consisting of SQL injection exercises on deliberately vulnerable websites hosted by Portswigger.

If you would like to participate in the lab session, please come prepared with a Portswigger account, and a proxy of your choice installed. You will need this to capture, examine and modify HTTP packets. You could use Burp Suite (software by Portswigger, recommended) or an open-source alternative like mitmproxy.

Our space is limited to 16 people, so please RSVP to [email protected].

Agenda:

  • Say Howdy
  • Featured presentation “Basics of SQL injection”
  • Pitch ideas and recruit volunteers for future presentations

Thursday, October 26, 2023, at 4 pm

Breaking into websites using misconfigurations

UNM Centennial Library, DEN2

Security research student Alex Adams will give a presentation about exploiting misconfigurations of the Google Authentication Toolkit in the wild. Learn about the Google Identity Toolkit API and common ways you might find it misconfigured. This talk will discuss some methods to spot issues with websites in general, common tools used by hackers for web penetration, and then go into a specific example of gaining unauthorized access to a website.

Agenda:

  • Meet and greet
  • Featured presentation “Breaking into websites using misconfigurations”
  • Pitch ideas and recruit volunteers for future presentations

Wednesday, August 30, 2023, 3 pm - 6 pm

UNM Centennial Library, DEN2

Agenda:

  • Get to know each other
  • Pitch ideas for future meetings
    • We may have a future talk about network security.
    • Meeting time should be later, starting around 5 or 5:30.
  • Informal presentation and discussion about code injection attacks at 4 pm. If you have thoughts or experience in this area, please come and share!