Participants need a laptop and a credit card or bank account to register for free Google Cloud servers.
Workshop 1: Go the Wrong Way
Level: Beginner
Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This CTF is for them.
Even if you've never programmed before, you can make simple attack tools in Go.
Workshop 2: Introduction to Attack Techniques
Level: Beginner
Learn how to take over Windows, Linux, and Android systems, and how to defend them. We begin with common tools: Nmap, Metasploit, and Armitage, and then go into buffer overflows, packet crafting, command injection, and SQL injection. We will also exploit Android and iOS apps, including WhatsApp, Bank of America, and Progressive Insurance.
No previous experience with programming or attacking is required.
Workshop 3: Securing Web Apps
Level: Intermediate
Participants will attack Web applications with: command injection; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and Server-Side Template Injection. We will also exploit Drupal and SAML. We will then implement network defenses and monitoring agents. We will use Burp, Splunk, and Suricata. Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.
Workshop 4: Security Auditing Android and iOS Apps
Level: Intermediate
Practice finding flaws in real Android and iOS apps in this workshop, and you will be ready to avoid making similar security errors in your own apps.
Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from the Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.
Participants need a laptop that can run VirtualBox to run Android emulators. To audit iOS apps, participants will need a Mac laptop. We will bring some loaner iPhones to use.