XWH Beginner to Advanced

Trainer Name: Akash Mahajan & Riyaz Walikar
Title: Xtreme Web Hacking
Duration: 3 Days
Date: 13th - 15th Oct, 2016

Objective

Are you a pen tester who can test web applications? Are you good with web application scanners? Are you good at finding if a site is vulnerable to SQL injection and XSS? Do you know how to test for CSRF weaknesses? Have you heard about DOM XSS and Server Side Request Forgeries? Have you tested applications for HTML5 Security? Maybe you have tried to find such vulnerabilities in the past but weren't confident of your tools and approaches.

This 3 day fast paced course with complete hands-on exercises will teach you to exploit security vulnerabilities like never before. You will be able to identify, detect and exploit advanced attacks that you may be aware of but haven’t tried in real world security testing. Practical web crypto attacks like hash extension attacks, ECB and padding oracle will also be covered.

All of the above and more in a realistic scenario based learning environment with the same tools attackers use to hack and compromise web applications and networks on the Internet.

Syllabus

Day 1

• Introduction to the training
• Very quick primer on TCP/IP
• Hands-On Basics of Hyper Text Transfer Protocol (HTTP)
• Hands-On Session Management
• Hands-On Basics of TLS/SSL
• Hands-On Setting up Interception Proxy
• Hands-On with Capturing Requests and Responses in the proxy
• Hands-On user input requests
• Hands-On OWASP Top 10
• Hands-On for Files and permissions for Linux

Day 2

• Scenario Driver War Game for Pen Testers (Beyond this point, everything is hands-on)
• Domain Enumeration
• Advanced SQL Injection Attacks
• File Inclusion and Path Traversal Attacks
• Serialization Attacks
• XSS for the modern pen tester
• Basic primer on SOP and CORS
• Bypassing XSS filters
• Stealing cookies for taste and hacking
• Bypassing File Upload Restrictions
• Shell for the web

Day 3

• Pivoting to internal networks
1. Meterpreter
2. Custom Scripts
3. Standard TCP tools for bidirectional data transfer
• SSRF and XSPA attacks
• Attacks against Cryptographic Hashes
• Attacks against web crypto (padding oracle)
• Hands-on CTF Style Assessment (3 hours)

What to expect?

• Intense, fast paced learning using a combination of scenarios, case studies, hacker tools.
• Attacking applications using specialized tools and custom scripts that you will be writing over the three days.
• Completely hands-on.
• Coverage of vulnerabilities across platforms like Java, PHP, .net, Python, Rails and more
• A custom CTF to end the three days of training

Skill and knowledge required (Pre-requisites)

• You should be a web application penetration tester. Although we will cover the basics on Day 1, this should not be considered a beginner level course
• Ability and familiarity of command line on Windows and Linux
• Knowledge of JavaScript and at least 1 scripting language like Python, PHP or Ruby

What you will need to bring ?

• A laptop with administrator privileges.
• 30 GB of free Hard Disk Space.
• Ideally 8 GB of RAM but minimum 4 GB.
• Laptop should have a working wireless and wired/Ethernet connection.
• Laptop should support hardware based virtualisation
1. If your laptop can run a virtual machine in Oracle Virtualbox it should work
• Other virtualization software might work but we will not be able to provide support for that.

What not to expect ?

• A lot of hand holding about basic concepts already mentioned in the things you should be familiar with.
• A lot of theory. This is meant to be a completely hands-on training!!
• To become an accomplished hacker in a day.

What you will get ?

• Tools and software provided for the training
• Completely documented script and programs
• A simple to follow step by step walk through of the entire training in a PDF file
• Virtual machines with code used during the training so that you can even practice after the training is over

About the Trainer

Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience providing web application security assessments, has lead penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.

He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring new comers in the industry.

Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA.

He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and EBay. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.

Akash is a Director at Appsecco, a company that specializes in Web Application Security. He is an accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments and organisations around the world.

He has a deep experience of working with clients to provide cutting edge security insight that truly reflects the commercial and operational needs of the organisation from strategic advice to testing and analysis to incident response and recovery.

Akash has also authored a book titled “BurpSuite Essentials” that comes recommended by the creator of BurpSuite itself and is an active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of NULL India’s largest open security community.