The Web Application Hacker's Handbook
Dafydd Stuttard & Marcus Pinto
Europe 2011 Training Session // march 15-16
This course is taught by the authors of the "Web Application Hacker's Handbook" which is the most deep and comprehensive general purpose guide to hacking web applications that is currently available. The book has a solid basis in the theory and practice of exploiting today's enterprise web applications. This course is a practical opportunity to take the skills taught in the book to the next level, experimenting with all of the tools and techniques against numerous vulnerable web applications and labs, under the guidance of the book's authors. The course also includes new material from the forthcoming second edition of the Handbook, bringing the book right up to date with the latest attacks.
The course concludes with a capture-the-flag contest. As an added bonus, a free web application will be provided to allow students to continue their learning after the course.
The course syllabus follows the chapters of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:
Introduction to Web Application Security Assessment (Chapters 1-3)
Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
Application mapping and bypassing client-side controls (Chapters 4-5)
Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
Injection and API flaws: (Chapters 9-10)
User-to-User Attacks (Chapter 12)
Attendees will learn:
- how to hack using LDAP, XPath, SOAP and other Injection
- the nuances of SQL Injection against Oracle, MySQL and MSSQL
- how to exploit 'low-risk' vulnerabilities such as 'XSS' and 'Cross-Site Request Forgery' attacks to achieve automated account compromise
- how to turn theoretical attacks into practical exploits
- the latest attack techniques which have been developed in recent months
- and much more…
For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the book.
This is a 2-day course.
- Brief theory delivered in lecture-style with examples
- Interactive demonstrations
- Hands-on Hacking: Interactively supported by the trainers
- Capture the Flag
Students should ideally be familiar with using an intercepting proxy, and at minimum should be familiar with basic concepts such as the HTTP protocol, session management, and basic HTML.
What you should bring:
Students should bring a copy of the Web Application Hacker's Handbook. A standard windows, Linux or Mac laptop should be brought with Java installed, capable of running Burp Suite
What you will get:
Printed handbook of the course slides and other reference material. Interactive web-based version of the WAHH methodology, supported by practical examples of each vulnerability type. A standalone web application which can be used to practice the techniques and attacks from the course.
Dafydd Stuttard is an independent security consultant, author and software developer. He has ten years' experience in security consulting and specializes in the penetration testing of web applications and compiled software. He works with banks, retailers and other enterprises to help secure their critical applications.
Dafydd is author of The Web Application Hacker's Handbook and SQL Injection Attacks and Defense. Under the alias “PortSwigger” Dafydd created the popular Burp Suite of web application hacking tools. He has developed and presented training courses at security conferences around the world.
Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security. His consulting experience has placed him in front of hundreds of clients and some of the most technical areas of security currently in commercial demand. He has delivered to some of the most high-profile audiences, including training CESG's penetration testing team, heading up an internal UK Government security team, and advising banks on structuring their online banking applications.
Marcus is a technical advisor to CREST, and develops a certification set up to test the best application and infrastructure security consultants in the world.
Marcus currently works as Head of Application Security for a tech-focused company with over 2 million registered customers settling over 6 million real-time transactions per day.