
Beyond the Web Application Hacker's Handbook - Advanced Web Hacking

Marcus Pinto

Sold Out

Trainer Name: Marcus Pinto
Title: Beyond the Web Application Hacker's Handbook - Advanced Web Hacking
Duration: 3 Days
Dates: 3rd - 5th March 2020

Description

This training course is geared towards more seasoned appsec professionals with around 1-2 years of application testing experience who already have the following:

  • Familiarity with Burp Suite basics (Proxy, Intruder, Repeater, defining scope, etc.)
  • Basic coding ability (e.g. scripting in JavaScript, or a language such as Python)
  • Prior experience exploiting bugs such as SQL injection, XSS, XSRF and path traversal

This course takes the above as a foundation and builds on it to help professionals develop their expertise further, covering:

  • writing Burp macros and Burp extensions
  • finding and exploiting subtle but common logic and access control flaws
  • techniques for getting more out of Burp Suite
  • avoiding common penetration testing pitfalls
  • beating input validation and other application defences
  • fuzzing techniques and methodologies for interacting with new technologies

Delegates also get free one-month online access, after the course, to the lab environment supporting Day 1.

DAY 1 - BACKGROUND

Delegates will participate in collaborative discussions as we cover the theory of web application security, the hacker's mindset, and how to apply critical, attacker-oriented thinking to a given situation.

  • Introduction to Web Application Security
  • Threat Modelling and the Hacker Mindset
  • Rules were made to be Abused
  • High-Profile Hacks
  • Using a Web Proxy
  • Applying Burp Suite to exploit common web application flaws
  • Basics of Passive and Active Scanning
  • Automation approaches
  • The Web Application Hacker's Handbook - lightning summary with lab examples!
    • Bypassing Client-Side Controls
    • Exploiting SQL Injection
    • Exploiting Backend Components: Traversal, Command Injection, File Inclusion
    • Finding and Exploiting XSS
    • Other attacks against Users

DAY 2 - DESIGN FLAWS (workshop/practical)

  • Setting up - Mapping an application; identifying and locating known and unknown application assets
  • Tooling up - A deeper dive into automation, including customising automated testing processes
  • Authentication, Sessions, Tokens and Encryption
  • Leveling up - Understanding and Exploiting Access Controls

DAY 3 - CODING FLAWS (workshop/practical)

  • Understanding and Exploiting Common Server-Side Bugs: deserialisation, XXE
  • Understanding and Exploiting Uncommon Server-Side Bugs
  • Attacking and bypassing input validation

Trainer Bio:

Marcus Pinto is the author of the well-known Web Application Hacker's Handbook series and has been working in application security for over 15 years, going back to its origin as a subject. After 5 years in technical security consulting, he has spent the past 10 years in application security training, alongside everything from longer-term SDLC engagements to technical security assessment. Marcus is Director at MDSec, a company specialising in education and technical security assessment for finance, software, retail and government clients.
