
Web- & Browser-Security Roundhouse-Kick

Dr.-Ing. Mario Heiderich


Trainer Name: Dr.-Ing. Mario Heiderich
Title: Web- & Browser-Security Roundhouse-Kick
Duration: 3 Days
Dates: Sept. 6, 2022 To Sept. 8, 2022

TRAINING OBJECTIVES

This 3-day training session, derived from the mighty 7-day coursework at Ruhr-University in Bochum, aims to teach attendees about the most relevant parts of modern web security, from server-side layers all the way up to the browser and the DOM.

Starting at HTTP and the very basics, looking at HTTP Request Smuggling, understanding Cookies, simple and then more advanced injection techniques, and more, the trainer will guide the attendees through a journey covering all that is relevant in the realm of web penetration-testing, securing applications and spotting issues that others might just overlook.

Training level: Basic; Intermediate; Advanced

TRAINING PREVIEW:

Apex threat actors with advanced capabilities, such as leveraging in-memory implants, writing custom code to evade AV and EDR, moving laterally with custom-made tools, and evading host- and network-level security solutions for stealth, are constantly consolidating their attack techniques (and tactics) against defensive teams. To strengthen enterprise-grade security, the training is designed for penetration testers, system administrators, and Blue Team members to understand the different tactics, techniques, and attacks used by adversaries.

TRAINING OUTLINE:

Three days are not a long time for a topic as complex and broad as this one, and how many topics can be covered depends on many factors.

We'll have the following items on our web security tasting menu and hope to look into as many as possible:

Chapter 1: History & Basics

  • The History of Web Security and Web Attacks
  • The History of Browsers
  • HTML, JavaScript, CSS

Chapter 2: HTTP, Server, SQLi

  • Attacks using HTTP and SSL/TLS
  • SQL Injections
  • Uploads
  • SSRF, XXE & XEE

Chapter 3: Cookies, Sessions, XSS

  • Cookies & Sessions
  • Same Origin Policy
  • Authentication & Authorization
  • The Basics of Cross-Site Scripting

Chapter 4: Advanced XSS

  • Advanced XSS
  • mXSS and DOM Mutations

Chapter 5: Browsers & Beyond

  • The DOM
  • DOM Clobbering & DOM XSS
  • postMessage XSS

WHAT TO BRING?

A working laptop would really be helpful, ideally with software such as Burp or Fiddler preinstalled. The course can be enjoyed without one, but it would be sad to miss out on the hands-on exercises.

TRAINING PREREQUISITES:

HTML, CSS, and JavaScript as well as HTTP should ring a bell; no expertise is required, but a basic level of understanding is certainly helpful.

WHO SHOULD ATTEND?

Penetration testers, developers, SecDevOps, and everyone who aims to work hands-on in web and browser security.

WHAT TO EXPECT?

A trainer who is certainly top-notch marriage material (his own words) but sadly no longer on the market. In addition, practical and useful knowledge from someone who has conducted and managed hundreds of pen tests in the past years.

WHAT ATTENDEES WILL GET?

All slides and helpful material, with access to them via GitHub, including a ticket tracker for questions after the training. Hands-on exercises via PortSwigger's legendary Web Security Academy.

WHAT NOT TO EXPECT?

The course is derived from a university lecture, so expect a ratio of 80% lectures and 20% hands-on. Don't expect knowledge about 0-days or secret intel; this course is about learning, understanding, and applying the gained knowledge reasonably.

About Trainer

Great looks, athletic posture, melodic voice, latest-trend fashion, and a tiny bit of knowledge about web security and penetration testing.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved