Simon Loizides
Simon Loizides is a Pentester at RUNESEC, a Cypriot company specializing in offensive Information
Security Assessment services. He graduated with a BSc (Hons.) in Computer Science from King's
College London. He is interested in post-exploitation and lateral movement (in both the virtual and
physical worlds), and likes to climb trees when he can.
He is one of the 4 chapter leaders of OWASP Cyprus, a global non-profit dedicated to improving the
security of web and mobile applications.
Marios Nicolaides
Marios Nicolaides is currently working as a Penetration Tester at RUNESEC, a Cypriot company
specializing in offensive Information Security Assessment services. Marios holds a BSc Computer
Science degree from Northumbria University and an MSc degree in Cyber Security from the University
of York. He is passionate about web application security and likes to spend his free time mastering
his backgammon skills.
He is one of the 4 chapter leaders of OWASP Cyprus, a global non-profit dedicated to improving the
security of web and mobile applications.
Nicolas Markitanis
Nicolas Markitanis is a Penetration Tester at RUNESEC, a Cypriot company specializing in offensive
Information Security Assessment services. He graduated with honours in Computer Science from
Northumbria University at Newcastle and holds a master's degree in Cyber Security from De Montfort
University in Leicester. Nicolas has also started a PhD in cybersecurity. He is interested in mobile
application security and likes to dabble in a little bit of everything, especially sciences and books.
He is one of the 4 chapter leaders of OWASP Cyprus, a global non-profit dedicated to improving the
security of web and mobile applications.
Workshop Summary:
Discuss and demonstrate the most common security pitfalls that web developers fall for.
- SQL Injection: not using parameterized queries / prepared statements
- Cross-Site Scripting: no output encoding / not taking the output context into account
- Access controls: authentication vs. authorization / exposing internal resources and not binding them to sessions
- Session Management: insecure session termination / cookie scoping and attributes / session fixation
- Cross-Site Request Forgery: not using anti-CSRF protection, and its impact
- Insecure Password Storage: not HASHING passwords but either encrypting them or storing them in plaintext
- Directory Traversal: not limiting the root of the application
The workshop will be carried out in the following format:
- Explain the pitfall and the vulnerability it leads to.
- Explain how to exploit the vulnerability and discuss its impact.
- Demonstrate exploitation.
- Give participants time to exploit the vulnerability.
All pitfalls will have demos. We will use an online 'training' environment which will be available
for a few days after the event in case participants