- Goa 2020
- Training
- Beyond the Web Application Hacker's Handbook - Advanced Web Hacking
Trainer Name: Marcus Pinto
Title: Beyond the Web Application Hacker's Handbook - Advanced Web Hacking
Duration: 3 Days
Dates: 3rd - 5th March 2020
Description
This training course is geared towards more seasoned appsec professionals who have around 1-2 years of application testing experience under their belt and already have knowledge of the following:
- Burp basics (proxy, intruder, repeater, defining scope, etc.)
- Basic coding ability (e.g. scripting in JavaScript, some Python)
- Pre-existing knowledge of exploiting bugs such as SQL injection, XSS, XSRF and traversal
This course takes the above concepts as a foundation and builds on them to help professionals develop their expertise further in the field, covering:
- writing Burp macros and Burp extensions
- finding and exploiting subtle but common logic and access control flaws
- techniques for getting more out of Burp Suite
- avoiding common penetration testing pitfalls
- beating input validation and other application defences
- fuzzing techniques and methodologies for interacting with new technologies
Delegates also get FREE 1-month online access to the supporting lab environment for Day 1 after the course.
DAY 1 - BACKGROUND
Delegates will participate in collaborative discussions as we cover the theory of web application security, the hacker's mindset, and how to apply critical hacker-oriented thinking to a situation.
- Introduction to Web Application Security
- Threat Modelling and the Hacker Mindset
- Rules were made to be Abused
- High-Profile Hacks
- Using a Web Proxy
- Applying Burp Suite to exploit common web application flaws
- Basics of Passive and Active Scanning
- Automation approaches
- The Web Application Hacker's Handbook - lightning summary with lab examples!
- Bypassing Client-Side Controls
- Exploiting SQL Injection
- Exploiting Backend Components: Traversal, Command Injection, File Inclusion
- Finding and Exploiting XSS
- Other attacks against Users
DAY 2 - DESIGN FLAWS (workshop/practical)
- Setting up - Mapping an application, identifying and locating known and unknown application assets
- Tooling up - A deeper dive into automation techniques covering customising automation processes
- Authentication, Sessions, Tokens and Encryption
- Leveling up - Understanding and Exploiting Access Controls
DAY 3 - CODING FLAWS (workshop/practical)
- Understanding and Exploiting Common Server-Side Bugs: deserialisation, XXE
- Understanding and Exploiting Uncommon Server-Side Bugs
- Attacking and invalidating input validation
Trainer Bio:
Marcus Pinto is the author of the well-known Web Application Hacker's Handbook series, and has been working within Application Security for over 15 years, going back to its origin as a subject. After 5 years in technical security consulting, he has spent the past 10 years in application security training, which has also included everything from longer-term SDLC engagements to technical security assessment. Marcus is Director at MDSec, a company specialising in education and technical security assessment for finance, software, retail and government clients.