Hands-on sessions

Mobile App Reverse Engineering and Code Modification – Cracking 101 – Jonathan Carter
ZAP Hackshop – Zakaria Rachid
OWASP Security Shepherd – Fiona Collins
Attacking Browsers with BeEF – Bart Leppens


Mobile App Reverse Engineering and Code Modification – Cracking 101
Jonathan Carter – @bogomip2k

Thursday 21 May, 2015 – 9:50 – 12:40

Over the last year, we’ve seen a profound rise in new attack vectors (Wirelurker and Masque) against mobile apps that involve reverse engineering mobile code followed by unauthorized runtime behavior modification. How are hackers reverse engineering mobile apps and injecting their own malicious code into them? It’s disturbingly easy, and there are plenty of freely available and easy-to-use tools on the market to help the hacker along the way. In this hands-on session, you will use laptops and iOS devices we provide to reverse engineer and modify code in an iOS app. We will guide you through each step.
Attendees are asked to bring their own laptop and a jailbroken device. A very limited number of jailbroken devices will be available.

Here’s a description of how to prepare for the workshop:

Click here to discover feedback from last year’s AppSecUSA 2014 workshop.

About Jonathan Carter

Jonathan Carter is an application security professional with over 15 years of security expertise in Canada, the United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security.



ZAP Hackshop
Zakaria Rachid – @zackhimself

Thursday 21 May, 2015 – 14:30 – 16:30

The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools. We will play with some of the new features of the latest ZAP version.

About Zakaria Rachid

Zakaria Rachid is a security consultant at Davidson with more than 13 years of intense computing and security experience in critical environments (Telcos, mil…). He specializes in penetration testing, web application security, risk management and incident handling, but delights in having intimate knowledge of systems and networks at reach.



OWASP Security Shepherd
Fiona Collins – @fipeewee

Friday 22 May, 2015 – 09:50 – 11:50

This will be a hands-on workshop to demonstrate to women what a career in App Sec can involve (most likely using the OWASP Security Shepherd project). It will be a fairly informal session as we want to give women an introduction in an environment where they won’t feel intimidated. There will be a brief introduction to application security and some of the top issues out there today. I will be there to help with solutions and give direction where needed. OWASP Security Shepherd is a web application with vulnerabilities built in. A laptop will be required.

About Fiona Collins

Fiona Collins is the chapter leader for Cork in Ireland. She has been a member of OWASP since 2007 and prior to starting the Cork chapter she ran the Dublin chapter. She has been in the security industry for almost 10 years in a variety of roles including penetration testing, security audits, vulnerability management and security event management.



Attacking Browsers with BeEF
Bart Leppens – @bmantra

Friday 22 May, 2015 – 14:30 – 16:30

BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. The architecture of BeEF will be on the menu, and you should also be prepared to witness some advanced attacks.

About Bart Leppens

Bart is an IT professional with over 10 years of experience and a strong focus on security. In his free time he devotes a fair amount of time to (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of looking into assembly code.
