Yon Labs Security Project Y-SEC aims to raise awareness of web application security among developers, especially Java developers.
"One learns from books and example only that certain things can be done. Actual learning requires that you do those things." (Frank Herbert)
As actual learning requires doing, our goal is to provide a set of working demos on security vulnerabilities, available as open-source code for self-hosting and education as well as hosted applications for actual testing and hacking.
At the moment, we have the following topics covered:

Cross-Site Scripting (XSS)

Authentication and Session Management
- none algorithm in a token
- brute-force token cracking
- packet sniffing to steal a token
- XSS to steal a token
- URL-rewriting to expose a cookie
- packet sniffing to steal a cookie
- XSS to steal a cookie
- CSRF to use a cookie
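The first item in the list, the "none" algorithm in a token, is easy to show in a few lines. The block below is an added illustration written for this page, not code from the Y-SEC repositories, and it is in Python rather than the Java the project targets. It builds a minimal HS256 token, forges an unsigned copy whose header claims alg=none, and runs both through a verifier that obeys the header's alg field next to one that pins the expected algorithm. The signing key and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example; real code loads it from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Server side: issue a token signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_none_token(claims: dict) -> str:
    """Attacker side: any claims, header says alg=none, empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_vulnerable(token: str, key: bytes = SECRET):
    """Trusts the alg field carried inside the token. Returns claims or None."""
    h_b64, p_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(p_b64))
    if header.get("alg") == "none":
        return claims  # the flaw: the attacker chose "none", so no signature is required
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return claims
    return None


def verify_hardened(token: str, key: bytes = SECRET):
    """Pins HS256: the header's alg is compared against the server's choice, never obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(p_b64))


if __name__ == "__main__":
    real = issue_token({"sub": "alice", "role": "user"})
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    print("vulnerable verifier, forged token:", verify_vulnerable(forged))
    print("hardened verifier, forged token:  ", verify_hardened(forged))
    print("hardened verifier, real token:    ", verify_hardened(real))
```

The point to take from the two verifiers is that the algorithm must be a server-side decision: whichever library a Java service uses, configure the verifier with the one algorithm (or explicit allow-list) it expects, and treat a token whose header says anything else as invalid rather than as a hint.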
- the main GitHub repo: y-sec (still in development!)
- the old GitHub repo for XSS and NoSQL injection: hacker-guide-nosql-xss
The slides and videos from the actual demos and live hacking at conferences are available at Talks.