2 days training 24th and 25th of October daily: 9:00 - 17:00
|
Advanced Web Hacking and Secure Coding
|
Vikram Salunke
|
Description: Web applications are becoming more complex and targets are become more hardened to penetrate. Nowadays Load Balancers, Web Application Firewalls (WAF) are very common in infrastructure. So, as a pentester, we should improve our skills to defeat modern access controls mechanisms.
This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one.
This training starts with the basic web app hacking and then moves into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack.
This training covers both offensive and defensive approach towards web applications. Firstly, the training would cover how to use certain attack on a web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code, so that the attack would not have happened. It covers various mistakes made by developers who wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. Also, the training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc.
Training will teach attendees how to gain shell on the box and how to chain multiple attacks to pwn the entire infrastructure. Training follows Capture The Flag (CTF) approach to attack web applications and compromise the machines.
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Day 1:
- Introduction
- Spidering Web Applications and analyzing results
- Fuzzing
- Input Validation
- User Enumeration
- Bypassing Password Verification
- Information Leakage
- HTTP Verb Tampering
- Injection - HTML, iFrame, LDAP, CSS, JSON
- Advanced Cross Site Scripting (XSS) - XSS to system compromise
- Advanced client side exploitation with BeEF
- Extending Burp Proxy
- Clickjacking
- Insecure direct object reference (IDOR) and Open Redirects
- Server Side Request Forgery (SSRF)
- Server Side Includes Injection (SSI Injection)
- JavaScript Validation Bypass
- Advanced SQL Injection - SQL Injection to system compromise
- JSON Hijacking
- Session Management and Cookie Stealing
- HTML5
Day 2:
- Advanced XML Attacks
- JSON Web Token
- API Attacks
- Insecure System/Service configuration - FTP, NTP, VNC, SNMP, WebDav, Samba etc.
- Database Security - MySql, SQL Server, MongoDB etc.
- Remote Command Injection
- Local File Inclusion (LFI) and Remote File Inclusion (RFI)
- RCE via serialization/deserialization
- Serialization Attacks
- HTTP Response Splitting
- SSL Strip attack
- CMS Attacks and Defenses - Wordpress, Drupal, Joomla
- Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
- Logical Flaws
- Detection of Web Application Firewall and Load Balancers
- Filter Evasion and Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall
- OWASP Top 10 Attacks
- OWASP Secure Coding Practices
- and more ...
Intended audience: software developers, security people with some programming experience
This course requires following pre-requisites:
- Basic knowledge on HTTP, HTML
- Basic Web Application Penetration Skills
- Reading and understanding of PHP
Seats available: 20 (first-come, first served)
Price: 650 Euro / person
Register here
|