Hacking OWASP Top 10

Audun Dragland

Nicholas Paulik

Short workshop - in English

Many developers have heard about the OWASP Top 10 web application security flaws, but few have exploited them in real life. It is time to get your hands dirty. Have you ever wondered if you can steal sensitive information or credentials from an insecure web application? Using WebGoat and our own custom blog, two deliberately insecure web applications, you will be doing just that.

The session will begin by presenting tools of the trade, some of which are generally useful and some that you will be using during the workshop. We will present the theory and a few eye-openers for each of the entries in the OWASP Top 10 list. After that, we will dig deeper into three of them by performing live demonstrations of the vulnerabilities, before we let the attendees loose on the insecure web applications to try out the attacks themselves.

Topics:

  • Injection (+ demo and practical tasks)
  • Broken authentication and session management
  • Cross-Site Scripting (+ demo and practical tasks)
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function level access control
  • Cross-Site Request Forgery (+ demo and practical tasks)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

Primarily for: Developers, Testers/test leads, Security professionals

Participant requirements: Laptop with OWASP ZAP installed (and preferably configured as proxy).