Course Title: WEB APPLICATION (IN)SECURITY

Description


This is a cutting-edge, hands-on course aimed at hackers who want to exploit web applications, and developers who want to know how to defend them. The course is presented by the authors of the critically-acclaimed Web Application Hacker’s Handbook, and covers the entire process of hacking a web application, from initial mapping and analysis, probing for common vulnerabilities, through to advanced exploitation techniques.

This year, the course contains more than 300 brand new lab examples, containing virtually every vulnerability that has ever been found in web applications. Even the most capable hackers will be challenged and find plenty to take away. We will also demonstrate the very latest hacking techniques developed over the past year.
Some highlights include:

• exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation;
• breaking authentication and access control mechanisms;
• reverse engineering Java, Flash and Silverlight to bypass client-side controls;
• exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads;
• exploiting LDAP, XPath and command injection; and
• uncovering common logic flaws found in web applications.

The course concludes with a catch-the-flag contest, where participants try out their skills against a series of challenging scenarios, with prizes for winners. Attendees are expected to be familiar with core web technologies like HTTP and JavaScript.

Prerequisites:

The ideal delegate will have some familiarity with web application security, knowing terms such as Cross-Site Scripting and SQL Injection even if they have not yet had the chance to exploit these fully.
This course has heavy lab content, so familiarity with common web application tools and vulnerabilities is required to get full value from it.
An understanding of programming languages (especially PHP, ASP and ASP.NET) is preferred.

Class Outline:

COURSE INTRODUCTION
• Course Abstract
• Course Objectives
• Course Instructors
• Course Delegates
• Course Domestics & Timetable

AN INTRODUCTION TO WEB APPLICATIONS
• The Advantages of a Web Application
• Common Uses and Configurations
• The Core Security Issue

APPLICATION STRUCTURE
• Sample Application Overview
• Input Validation
• Authentication
• Session Checking
• Privilege Management
• Administration
• Auditing and Logging
• Error Handling

TECHNOLOGIES
• J2EE
• ASP.Net
• PHP

MAPPING THE APPLICATION
• Profiling
• Determining Technologies in Use
• Dissecting a Request
• Learning the Behaviour of the Application
• Content discovery

BYPASSING CLIENT CONTROLS
• Bypassing HTML Controls
• JavaScript and VbScript
• Java
• ActiveX
• Securing Client-Side Content

AUTHENTICATION VULNERABILITIES
• Design flaws in authentication mechanisms
• Implementation flaws in authentication
• Securing authentication

VULNERABLE SESSION MANAGEMENT
• Background to session management
• Weaknesses in session token generation
• Weaknesses in session token handling
• Securing session management

BROKEN ACCESS CONTROLS
• Common vulnerabilities
• Attacking access controls
• Securing access controls

VULNERABILITIES - INJECTION
• Interpreted Languages
• SQL Injection
• LDAP Injection
• Command Injection
• XML Injection

VULNERABILITIES - LOGIC FLAWS
• Forced Browsing
• Case Study 1: Registration Bug
• Case Study 2: AOL Password Handling
• Case Study 3: Multi-Stage Login
• Case Study 4: The Memorable Word Bypass
• Case Study 5: Text Searches
• Case Study 6: Race Condition During Authentication
• Beating a Business Limit

PATH TRAVERSAL
• Common vulnerabilities
• Detecting and exploiting path traversal vulnerabilities
• Avoiding path traversal vulnerabilities

INFORMATION DISCLOSURE
• Common vulnerabilities
• Preventing information leakage
• Google Hacking

ATTACKING OTHER USERS
• Cross-Site Scripting
• Redirection attacks
• HTTP header injection
• Frame injection
• Cross-site request forgery (XSRF)
• Session fixation
• Attacking ActiveX controls
• Advanced exploitation techniques

CLASSIC VULNERABILITIES
• Classic vulnerabilities in web applications
• Buffer overflows
• Integer vulnerabilities
• Format String Bugs

FLAWS IN WEB APPLICATION ARCHITECTURE
• The Tiered Architecture
• Shared Hosting Environments
• Application Service Providers (ASPs)
• Third Party Systems

WEB SERVER FLAWS
• (Mis)Configuration
• Web Server Vulnerabilities
• Oracle Application Server

A WEB APPLICATION ASSESSMENT TOOLKIT
• Web Browsers
• Site Spiders
• Vulnerability Scanners
• Local Proxies
• Brute Forcing Tools
• Custom Toolkits
• Programming for Pentesters

BRUTE FORCING TECHNIQUES
• Targets for Brute Forcing
• Performing a brute force attack

SECURITY DEVICES
• Module Overview
• Intrusion Detection
• Application Firewalls

IDENTIFYING VULNERABILITIES IN SOURCE CODE
• Approaches to code review
• Signatures of common vulnerabilities
• Java
• ASP.NET
• PHP
• Perl
• SQL

Trainers

MARCUS PINTO

Principal Consultant, NGSS

DAFYDD STUTTARD

Principal Information Security Consultant, NGSS

Marcus is the author of "The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws" <http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1/002-9138979-0048858?ie=UTF8&s=books&qid=1182438884&s>, published in October 2007 and co-authored with Dafydd Stuttard.

Marcus has over 5 years’ experience providing technical, hands-on security consultancy on the web applications of a diverse range of high-profile clients, including the British Ministry of Defence, high street banks, financial institutions, telecommunications companies and the British National Critical Infrastructure.

In his current role he works closely with NGS’ financial sector clients. This work requires a strong focus on web application vulnerabilities from both architectural review and penetration testing perspectives, and an understanding of the specific vulnerabilities that arise in complex, large-scale J2EE and .Net deployments, to which many assessment teams are not exposed.

Marcus has experience in web application development and has spoken at many conferences; he also originally delivered and co-produced NGS’ Black Hat Database Assessment course and Web Application course.

Before joining NGS, Marcus worked as an advisor to a Vulnerability Assessment Team in the British MoD.

Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software.
Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing.

Dafydd has developed and presented training courses at the Black Hat security conferences around the world. Under the alias “PortSwigger” Dafydd created the popular Burp Suite of web application hacking tools.
