The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one of a kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One and Two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World renown speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Back To Schedule
Sunday, January 28 • 9:00am - 5:00pm
Advanced Web Hacking and Secure Coding

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Please note: Training Sessions are not included in the Conference price.  Sign up now! Check for availability and pricing on Eventbrite.

Tired of alert(‘xss’)? You want to learn advanced web hacking techniques, if you want to go beyond automated scanners and perform manual testing to bypass Filters and Web Application Firewalls (WAF) or you want to defend web applications, then this training is for you. This training covers and goes beyond OWASP TOP 10 and also covers secure coding practices recommended by OWASP.
This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one. 
This training starts with the basic web app hacking and then move into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack. 
This training covers both offensive and defensive approach towards web applications. Firstly training would cover how to use certain attack on web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code so that the attack would not have happened. It covers various mistakes made by developers and wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. . Also training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc. 
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code. 
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Training Outline: 
  • Introduction
  • User Enumeration
  • Bypassing Password Verification 
  • Information Leakage 
  • HTTP Verb Tampering  
  • Injection - iFrame Injection, LDAP Injection, CSS Injection, JSON Injection
  • Cross Site Scripting (XSS) 
  • Cross Site Request Forgery (CSRF)
  • Clickjacking
  • Insecure direct object reference (IDOR) 
  • Open Redirects
  • Server Side Request Forgery (SSRF)
  • Server Side Includes Injection (SSI Injection)
  • JavaScript Validation Bypass
  • SQL Injection
  • JSON Hijacking 
  • Session Management and Cookie Stealing 
  • HTML5 
  • XML 
  • Insecure System Configuration
  • Database Security - MySql, SQL Server etc.
  • Remote Command or OS Command Injection
  • Path traversal 
  • Local File Inclusion (LFI) 
  • Remote File Inclusion (RFI) 
  • Serialization Attacks 
  • HTTP Response Splitting 
  • MongoDB 
  • CMS Attacks and Defenses - Wordpress, Drupal, Joomla
  • Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
  • Logical Flaws
  • Filter Evasion and Bypassing Web Application Firewalls (WAF)
  • OWASP Top 10 Attacks
  • OWASP Secure Coding Practices
  • and more ...
Upon the completion of this training, attendees will:
  • This training brings attendees into a world of web hacking and secure coding
  • Attendees will learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future
  • They can test different CMS such as Wordpress, Drupal, Joomla as well as recent vulnerabilities 
  • They can do secure code review as well as write secure code in multiple languages such as PHP, Java, C# etc.
  • Attendees will get to know the common but dangerous coding mistakes done by the developers 
  • They can think like developer as well as penetration tester
Attendees will be provided with:
  • Multiple vulnerable applications
  • Hosted VMs for testing and training labs.
  • Over 50 labs and 30+ challenges to solve
  • Training materials – presentation materials and lab examples
  • Custom tools and scripts 
  • Additional reading materials
Attendee requirements for this training:
  • Modern laptop with wireless networking capabilities and have admin/root access on it. (64-bit Machine)
  • Minimum 4 GB RAM installed
  • At least 60 GB HD Free
  • VMware Workstation / Fusion installed
This course requires following pre-requisites:
  • Web application development skills 
  • Basic knowledge on HTTP, HTML and Scripting
  • Reading and understanding of PHP, Java, C# Server-side Code (Optional)
Who should attend this training?
  • Penetration Testers
  • Security Consultants 
  • Web Developers
  • QA testers
  • Web Application Tester
  • System administrators
  • IT Security professionals with a technical background
  • IT managers
  • System architects 
  • Bug Bounty Hunters

avatar for Vikram Salunke

Vikram Salunke

Information Security Researcher, Consultant and Founder, Vmaskers
Vikram is the Information Security Researcher, Consultant and Founder at Vmaskers. Vmaskers provide network, wireless, web, Android and iOS applications penetration testing services and training for corporates. His main responsibilities are to look after application security, lead... Read More →

Sunday January 28, 2018 9:00am - 5:00pm PST
Garden Terrace Room