Web Hacking – Threats & Countermeasure

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Web Hacking and Security. We are witnessing new ways of hacking and exploiting web based applications and it needs better understanding of technologies to perform penetration testing and assessment of web security. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new scanning tools and exploits.

Learning Objectives

• Web hacking landscape and attack surface analysis.
• Advanced protocol analysis and exploitation.
• Penetration testing methodologies and modeling techniques.
• Web application footprinting, discoveries and profiling.
• Fault injection and fuzzing for applications and error enumeration techniques.
• Abuse of functionalities, Denial of Services, Overflows and application traversal attack vectors and penetration.
• Advanced injections with SQL, LDAP, XPATH and OS command.
• Dealing with Blind injections across applications.
• Client Side Attacks and Exploits with XSS, CSRF, Open Redirects, Clickjacking and Browser hacking.
• Exploiting application with various tools and scripts.
• Web 2.0 attacks with Widgets, Mashups and JavaScripts.
• Hacking RIA components written in Flash and Silverlight.
• Reverse engineering Web based applications and tools for deep scanning and analysis.
• Hacking and exploiting cloud based APIs and SOAP structures.
• DOM based attack surface and mobile application pen-testing.
• Source code analysis and hybrid pen-testing approaches.
• Introduction to exploit tools for web hacking.
• Build your tool – writing your own tools for pen-testing.
• Understanding and exposure to scanners and their limitations.
• Live Hacking on sample .NET and J2EE applications.
• Advanced labs for Web 2.0 and RIA applications.
• WAF bypass and obfuscation techniques.
• Defense planning and report building for end users.

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class modules end with a challenge exercise. Working within a limited time period, participants are expected to analyze, scan, pen-test, identify loopholes, exploit vulnerabilities present in the applications on the basis of learnt concepts.

Class Prerequisites

• Basic knowledge on Web Application Architecture and Design.
• Basic understanding of web technologies and languages.
• Familiarity with application scanning tools and approaches would be handy.
• Script writing ability using perl, ruby or python would help in coding quick tools (Not a must)

Who Should Attend?

• Web Security analyst, auditors (PCI-DSS), consultants, pen-testers and security professionals who are looking to upgrade their skill-set on enterprise application security and hacking.
• QA and Developers who are looking for new tools and methodologies.
• Program managers and team leaders, responsible for securing SDLC in their enterprise environment.

Hardware / Software Requirements

To participate in hands-on exercises you will need to come with a windows-based laptop.

• OS : XP, Vista, Win7 or Server family
• Please install .NET and J2EE.
• 1 GB RAM
• All other tools will be provided