Hi all!
We're going back on-prem with our next Stammtisch meeting! Or to be more precise: for those who cannot attend in Hamburg we're going hybrid, as we'll try out some new toys to stream the event in parallel!
On site we'll start the meeting itself at 18:00 CEST and begin the main talk and the stream at around 18:30 CEST!
In order to get an estimate of who's coming on-prem, a simple mail to Björn or myself along the lines of "I am coming" would be appreciated.
In a nutshell
-------------
Location: Kuehne+Nagel, Großer Grasbrook 11-13, 20457 Hamburg
Start: 18th of April, 6pm CEST (start of stream ~6:30pm CEST)
Title: OWASP Raider [hybrid]
Speaker: Daniel Neagaru
Networking: After-talk beer somewhere in the vicinity of the venue
Abstract
--------
Raider was created to fill a gap in current tooling for pentesting the authentication process. It abstracts the client-server information exchange as a finite state machine. Each step comprises one request with inputs, one response with outputs, arbitrary actions to do on the response, and conditional links to other stages. Thus, a graph-like structure is created. This architecture works not only for authentication purposes but can be used for any HTTP process that needs to keep track of states.
A few years ago, the author had the task of helping developers build OAuth directly from the RFCs, supporting them with security topics and questions. In the beginning, the project ran into some challenges. Early on, we faced the fact that authentication is a stateful process, while HTTP is a stateless protocol.
Burp Suite and ZAProxy were conceived when the web did not have states, so they inherited a stateless architecture. REST APIs became popular some years after those tools were created. They have workarounds like Burp Suite macros and ZAP Zest scripts to pass information between requests, but we found that functionality lacking and too complex to implement.
So the author wrote custom Python scripts to pentest this. It worked fine, but such scripts are usable only on the one system they were written for. Therefore, the author decided to create a tool that fills that gap.
Raider's configuration is inspired by Emacs. It is written in Hylang, a Lisp on top of Python, chosen because of Lisp's "Code is Data, Data is Code" property. This also makes it easy to generate configuration automatically in the future. Flexibility is in its DNA, meaning it can be infinitely extended with actual code. Since all configuration is stored as plain text, reproducing, sharing or modifying attacks becomes easy.
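To make the state-machine idea from the abstract concrete, here is an added Python sketch of the same structure: each stage is one request built from shared state, a set of extractors that act on the response and store outputs back into the state, and a link function that picks the next stage. This is an illustration written for this announcement, not Raider's own code or its Hylang configuration format. The stage names, the in-memory StubServer, its paths, tokens and credentials are all constructed assumptions so that the flow runs offline.

```python
"""Authentication flow modelled as a finite state machine (added illustration).

Not Raider's code or API. StubServer is a constructed, in-memory imitation of
a CSRF-protected login form with an optional OTP step, so this runs offline.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Stage:
    """One node of the graph: request template, output extractors that act on
    the response and write into shared state, and a conditional link."""
    method: str
    path: str
    inputs: Callable[[dict], Tuple[dict, dict]]   # state -> (cookies, form data)
    outputs: List[Tuple[str, Callable[[Response], Optional[str]]]]
    link: Callable[[Response, dict], str]         # (response, state) -> next stage


def set_cookie(name: str):
    """Extractor: value of cookie `name` from the Set-Cookie header, if any."""
    pat = re.compile(rf"{re.escape(name)}=([^;]+)")

    def extract(resp: Response) -> Optional[str]:
        m = pat.search(resp.headers.get("Set-Cookie", ""))
        return m.group(1) if m else None
    return extract


def html_input(name: str):
    """Extractor: value attribute of <input name="..."> in an HTML body."""
    pat = re.compile(rf'name="{re.escape(name)}" value="([^"]*)"')

    def extract(resp: Response) -> Optional[str]:
        m = pat.search(resp.body)
        return m.group(1) if m else None
    return extract


class StubServer:
    """Constructed stand-in for a target (hypothetical paths and secrets)."""
    CSRF, SESSION, PASSWORD, OTP = "tok-1234", "sess-abcd", "s3cret", "000000"

    def __init__(self, mfa_required: bool):
        self.mfa_required = mfa_required

    def handle(self, method, path, cookies, data):
        if (method, path) == ("GET", "/login"):
            return 200, {}, f'<form><input name="csrf" value="{self.CSRF}"></form>'
        if (method, path) == ("POST", "/login"):
            if data.get("csrf") != self.CSRF:
                return 403, {}, "bad csrf"
            if data.get("password") != self.PASSWORD:
                return 401, {}, "denied"
            cookie = {"Set-Cookie": f"session={self.SESSION}; HttpOnly"}
            return (200, cookie, "mfa required") if self.mfa_required else (302, cookie, "")
        if (method, path) == ("POST", "/mfa"):
            if cookies.get("session") != self.SESSION:
                return 401, {}, "no session"
            return (302, {}, "") if data.get("otp") == self.OTP else (401, {}, "wrong otp")
        return 404, {}, ""


# The graph: stage names are the nodes, link functions are the edges.
STAGES = {
    "get_login": Stage("GET", "/login",
        inputs=lambda s: ({}, {}),
        outputs=[("csrf", html_input("csrf"))],
        link=lambda r, s: "post_login" if s.get("csrf") else "failed"),
    "post_login": Stage("POST", "/login",
        inputs=lambda s: ({}, {"csrf": s["csrf"], "user": s["user"], "password": s["password"]}),
        outputs=[("session", set_cookie("session"))],
        link=lambda r, s: ("authenticated" if r.status == 302
                           else "mfa" if r.status == 200 and "mfa" in r.body
                           else "failed")),
    "mfa": Stage("POST", "/mfa",
        inputs=lambda s: ({"session": s["session"]}, {"otp": s["otp"]}),
        outputs=[],
        link=lambda r, s: "authenticated" if r.status == 302 else "failed"),
}
TERMINAL = {"authenticated", "failed"}


def run_flow(server, state: dict, start="get_login", max_steps=10):
    """Walk the graph from `start`; returns (terminal state, [(stage, status)])."""
    trail, current = [], start
    while current not in TERMINAL:
        if len(trail) >= max_steps:            # guard against cycles in the graph
            raise RuntimeError("flow did not terminate")
        stage = STAGES[current]
        cookies, data = stage.inputs(state)
        resp = Response(*server.handle(stage.method, stage.path, cookies, data))
        for key, extract in stage.outputs:    # actions on the response
            value = extract(resp)
            if value is not None:
                state[key] = value
        trail.append((current, resp.status))
        current = stage.link(resp, state)
    return current, trail


def login(server, user, password, otp=None):
    return run_flow(server, {"user": user, "password": password, "otp": otp})


if __name__ == "__main__":
    print(login(StubServer(mfa_required=True), "alice", "s3cret", otp="000000"))
```

The point of the structure is that the CSRF token and session cookie never appear in the stage definitions: they are outputs of one stage that become inputs of a later one via the shared state, and the same graph handles both the MFA and non-MFA branch. The `max_steps` guard matters in practice, because a link function that keeps returning the same stage (for example on an unexpected status code) would otherwise hammer the target forever.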
Project Links:
- Website:
https://raiderauth.com/
- Source:
https://github.com/OWASP/raider
- Documentation:
https://docs.raiderauth.com/en/latest/
- Twitter: @raiderauth
- Mastodon: @raide...@infosec.exchange
How to participate
------------------
A) Come to the venue! We're happy to see you in person, and we'll meet afterwards for a beer.
B) If that's not possible, join the talk online. OWASP Hamburg Meetup members who cannot make it in person: https://lecture.senfcall.de/dir-o5v-cka-yx7 is your friend. Please wait until the bouncer lets you in. ;-) Make sure your video is off and you are muted when the talk starts. We'll be guests of senfcall (a German membership association), which provides us with a privacy-friendly video conferencing facility. Thank you!
Our OWASP "Stammtisch"
----------------------
Our meeting is about web applications and their (in)security and/or about IT security in general. It brings together people who care about information security, as a hobby or in their job: developers, managers, pen testers and everybody else who's interested. The atmosphere is open and relaxed. If you're coming to sell products or services: move on, this is not the right place. OWASP is about education and sharing (mostly) technical information.
Feel free to forward our meetup URL to your colleagues or friends. They are welcome, too. Participation is free and open, like the O in OWASP.
Cheers, Dirk & Björn
--
OWASP Volunteer
Send me encrypted mails (Key ID 0x4D9CA7F2E2FA20B3)