Sebastian Chmielewski

POLAND, Idemia

Hacking Java microservices

Session type: 120 min tutorial

Session level: Intermediate

Today's world is full of attackers, from script kiddies and malicious employees to hackers from Advanced Persistent Threat groups backed by organized crime and governments.

Many companies have gone bankrupt because of stolen intellectual property, exfiltrated data, or an entire IT infrastructure brought down by ransomware. As we expose many services to the internet, our APIs require security testing. In the workshop, you will learn how to perform a Server-Side Request Forgery attack to infiltrate your infrastructure, how to execute code in your application using only JSON, how to test for (No)SQL injection, and how to test the authentication and authorization of your API, including proper implementation of OAuth or JWT. You will also learn how to include security scanning in your DevSecOps process and how to perform static analysis of source code and interpret its results.

Participants should bring their laptops running the VMs and Docker images, which will be published before the workshop.

Key take-aways:

  • ability to perform security tests of Java microservices including REST and SOAP APIs
  • ability to perform basic code review using static source code analysis tools

Bio

Penetration tester with 10 years’ experience in security testing and reverse engineering. Tested and validated platforms for the biggest Polish telecoms, banks and insurance companies. Always stays up to date with market security news, ready to act if improvements are required in our products.