- About Goa'15
- Schedule
- Venue
- Speakers
- Training
- CFP
- Recreation
- Blackshield Awards
- CTF
- Sponsors
- Exhibition
- Job Fair
- CXO Track
- Bugbash
- Goa'15
- Training
- Xtreme Web Hacking
Trainer Name: Akash Mahajan & Riyaz Walikar
Title: Xtreme Web Hacking
Duration: 2 Days
Date: 4th and 5th February 2015
Overview
Are you a pen tester who can test web applications? Are you good with web application scanners? Are you good at finding if a site is vulnerable to SQL injection and XSS? Do you know how to test for CSRF weaknesses? Have you heard about DOM XSS and Server Side Request Forgeries? Have you tested applications for HTML5 Security? Maybe you have tried to find such vulnerabilities in the past but weren't confident of your tools and approaches.
This 2 day fast paced and completely hands-on training will teach you to exploit security vulnerabilities like never before. You will be able to exploit the SOP and CORS, mutation XSS and bypass XSS filters and WAF rules. Learn Remote Code Execution (RCE), upload shells, do LFI/RFI and advanced ways of doing XXE (XML Injection). Practical web crypto attacks like hash extension attacks, ECB and padding oracle and other interesting attacks and vulnerabilities
All of the above and more in a realistic scenario based learning environment with the same tools attackers use to hack and compromise web applications and networks on the Internet.
Syllabus
Server Side attacks
- Advanced SQL Injection, SSRF/XSPA, XML Injection, File inclusion, web shells, serialization, WAF bypasses
Client Side Attacks
- Stored XSS, DOM XSS and mutation XSS
- HTML 5 attacks, Web Sockets, Local Storage, CORS
Web Infrastructure attacks using Heartbleed vulnerability
Web Cryptography
- Hash extension attacks, Electronic Code Book (ECB), Padding Oracle
Authentication and Authorization attacks
- Insecure Direct Object reference, password cracking, defeating CAPTCHA implementations
Web Service attacks
What to expect
- Intense, fast paced learning using a combination of scenarios, case studies, hacker tools.
- Attacking applications using specialized tools and custom scripts that you will be writing over the two days.
- Completely hands-on.
- Coverage of vulnerabilities across platforms like Java, PHP, .net, Cold Fusion
- A custom CTF to end the two days of training
Skill and knowledge required
- You should be a web application penetration tester as this not a beginner level course at all
- Ability and familiarity of command line on Windows and Linux
- Knowledge of JavaScript and at least 1 scripting language like Python, PHP or Ruby
What you will need to bring
- A laptop with administrator privileges.
- 30 GB of free Hard Disk Space.
- Ideally 8 GB of RAM but minimum 4 GB.
- Laptop should have a working wireless and wired/Ethernet connection.
- Latest Oracle Virtualbox(preferred) or VMWare Workstation or VMWare Fusion installed
- Other virtualization software might work but we will not be able to provide support for that.
What not to expect
- A lot of hand holding about basic concepts already mentioned in the things you should be familiar with.
- A lot of theory. This is meant to be a completely hands-on training!!
- To become an accomplished hacker in a day.
What you will get
- Tools and software provided for the training.
- Completely documented script and programs
- A simple to follow step by step walk through of the entire training in a PDF file
- Virtual machines with code used during the training so that you can even practice after the training is over.
Trainer Riyaz Walikar
For food and shelter, Riyaz is employed as a Senior Engineer at the world's largest auditing firm with the Core Security Group. He is a Certified Ethical Hacker (CEH) and has been active in the security community for the better part of the last 7 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 4 years and is one of the OWASP Bangalore chapter leads.
He is actively involved with Vulnerability Research in popular Web Applications and Network aware services and has disclosed several security issues in popular software like Apache Archiva, Openfire, Joomla!, EJabberd, .NET Script Injection Bypass and has had luck with finding vulnerabilities with popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Yahoo, Adobe, Tumblr, Pinterest etc. for which he is on the Hall of Fame for most of these services. He has also been a speaker at several security conferences including OWASP AppsecUSA 2012, BlackHat Abu Dhabi 2012, nullcon Delhi 2012 and c0c0n 2011.
His technical interests lie with programming, bug bounty, malware analysis, breaking web applications, playing CTFs, researching devices that fall under the Internet of Things category and penetration testing networks exposed to the Internet. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.
Trainer Akash Mahajan
Akash has more than 10 years of experience in Application and Network Security. Before starting his own company he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.
Akash is the founder and community Manager at null - The Open Security Group where he has made major contributions in making the group a national phenomenon.
He is currently the Chapter Leader of Open Web Application Security Project Bangalore (OWASP Bangalore)
He founded and runs The AppSec Lab a company focussed on Application Security wherehe works with small and medium companies in securing their web server security, web security, mobile security and guiding them to stay secure while being competitive. Current areas of research for him include devops, secops, security in SDLC, Cloud Security, Security awareness through community building. He does a lot of trainings as well including the extremely popular Xtreme Web Hacking.
He used to be actively involved with the Bangalore Barcamp Planners group, has done events like AppJam and MobileCamps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation a Section 25 Non-Profit company.