Please note: Training Sessions are not included in the Conference price.
Abstract:
Tired of alert('xss')? If you want to learn advanced web hacking techniques, go beyond automated scanners and perform manual testing to bypass filters and Web Application Firewalls (WAF), or if you want to defend web applications, then this training is for you. This training covers and goes beyond the OWASP Top 10 and also covers the secure coding practices recommended by OWASP.
This hands-on training covers both offensive and defensive approaches to web applications. You'll learn how to identify vulnerabilities in web applications, how to exploit them, how the attacks work, and how to prevent them in the future. This training closes the gap between web application attack and defense, because, as they say, if you want to stop an attacker from stealing your data, you must think like one.
This training starts with basic web app hacking and then moves into more advanced material such as bypassing filters, bypassing Web Application Firewalls (WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, serialization attacks and SSL Strip. You'll learn how to get a shell on the box using web application vulnerabilities, as well as how to write secure code so you can avoid that attack.
This training covers both offensive and defensive approaches to web applications. For each attack, the training first shows how it is carried out against a web application and then explains how the attack was possible: where the developer went wrong and how to write secure code so that the attack could not have happened. It covers the various mistakes developers make that lead to vulnerable code. The training covers how to write secure code in multiple languages such as PHP, Java and C#. The lab contains multiple CMSs such as WordPress, Drupal and Joomla and multiple databases such as MySQL, SQL Server and MongoDB. The training also covers various client-side and server-side attacks such as XSS, CSRF and SQL injection.
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Training Outline:
- Introduction
- User Enumeration
- Bypassing Password Verification
- Information Leakage
- HTTP Verb Tampering
- Injection - iFrame Injection, LDAP Injection, CSS Injection, JSON Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Clickjacking
- Insecure Direct Object Reference (IDOR)
- Open Redirects
- Server Side Request Forgery (SSRF)
- Server Side Includes Injection (SSI Injection)
- JavaScript Validation Bypass
- SQL Injection
- JSON Hijacking
- Session Management and Cookie Stealing
- HTML5
- XML
- Insecure System Configuration
- Database Security - MySQL, SQL Server etc.
- Remote Command or OS Command Injection
- Path Traversal
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Serialization Attacks
- HTTP Response Splitting
- MongoDB
- CMS Attacks and Defenses - WordPress, Drupal, Joomla
- Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
- Logical Flaws
- Filter Evasion and Bypassing Web Application Firewalls (WAF)
- OWASP Top 10 Attacks
- OWASP Secure Coding Practices
- and more ...
Upon completion of this training, attendees will:
- Have been brought into the world of web hacking and secure coding
- Know how to identify vulnerabilities in web applications, how to exploit them, how the attacks work, and how to prevent them in the future
- Be able to test different CMSs such as WordPress, Drupal and Joomla, as well as recent vulnerabilities
- Be able to do secure code review as well as write secure code in multiple languages such as PHP, Java and C#
- Know the common but dangerous coding mistakes made by developers
- Be able to think like a developer as well as a penetration tester
Attendees will be provided with:
- Multiple vulnerable applications
- Hosted VMs for testing and training labs
- Over 50 labs and 30+ challenges to solve
- Training materials – presentation materials and lab examples
- Custom tools and scripts
- Additional reading materials
Attendee requirements for this training:
- Modern 64-bit laptop with wireless networking capabilities and admin/root access
- Minimum 4 GB RAM installed
- At least 60 GB HD Free
- VMware Workstation / Fusion installed
Pre-requisites:
This course requires the following pre-requisites:
- Web application development skills
- Basic knowledge of HTTP, HTML and scripting
- Reading and understanding of PHP, Java, C# Server-side Code (Optional)
Who should attend this training?
- Penetration Testers
- Security Consultants
- Web Developers
- QA testers
- Web Application Testers
- System administrators
- IT Security professionals with a technical background
- IT managers
- System architects
- Bug Bounty Hunters