Web Application (In)Security
NGS Software
// jan 31 - feb 1 |
Overview:
This is a cutting-edge, hands-on course aimed at hackers who want to exploit web applications, and developers who want to know how to defend them. The course is presented by the authors of the critically-acclaimed Web Application Hacker’s Handbook, and covers the entire process of hacking a web application, from initial mapping and analysis, probing for common vulnerabilities, through to advanced exploitation techniques.
This year, the course contains more than 300 brand new lab examples, containing virtually every vulnerability that has ever been found in web applications. Even the most capable hackers will be challenged and find plenty to take away. We will also demonstrate the very latest hacking techniques developed over the past year.
Some highlights include:
Exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation
Breaking authentication and access control mechanisms
Reverse engineering Java, Flash and Silverlight to bypass client-side controls
Exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
Exploiting LDAP, XPath and command injection; and
Uncovering common logic flaws found in web applications.
The course concludes with a catch-the-flag contest, where participants try out their skills against a series of challenging scenarios, with prizes for winners. Attendees are expected to be familiar with core web technologies like HTTP and JavaScript.
A terrific resource for this course is the book "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto. The book is available for purchase from Amazon.com and provides pertinent and relevant information directly related to the course.
Course Length:
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
What to bring:
Basic networking knowledge required. Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.
Participants are requested to bring their own laptops. No particular OS is required, but Windows, Linux or Mac is recommended.
Trainers:
NGS Software is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants,database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks. By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.
John Heasman joined NGS as a Senior Security Consultant in 2003. He is currently the VP of Research for NGS US and lives in Seattle, WA. John has significant experience in network and web application penetration testing, vulnerability research, black-box testing and source code review. He has worked with a multitude of vendors and some of the world’s largest corporations to secure enterprise-level software. He has co-authored several publications including “The Database Hacker’s Handbook” and “The Shellcoder’s Handbook, 2nd Ed.” and he is a regular speaker at international security conferences. He holds a Master Degree in Engineering and Computing from Oxford University.
Pablo Sisca joined NGS as a Security Consultant with an extensive background in security technology. Previously, he served as a member of the Argentine Government in the Information Security Research & Development Lab of the Army Forces. He was responsible for all day-to-day research, penetration testing and deployment of mission-critical computer security applications for the Ministry of Defense. As part of Core Security Technologies, Pablo has also gained a large amount of software security audit, application’s source code review, and binary security auditing, working mainly in C/C++, Java and Python platforms, including a number of engagements for Microsoft. Pablo has also deep experience in designing and testing security software to meet evolving market demands. He has independently consulted and developed security products for several corporations, banks and government agencies such as the UNESCO Antivirus Lab, across America. In addition he also writes for numerous technical publications, and speaks frequently at industry events and conferences.
Pablo has also carried out application testing within the last 4 years on Microsoft Products on many successful engagements with NGS such as Microsoft Internet Explorer 7, Microsoft IE7 on Vista, Antivirus, Spyware and Antigen solutions, Windows IPTV Windows Centro Solution, PlayReady and recently MS-Forefront. Pablo has been also leading the NGS penetration test team for Silverlight, and Windows Live Core projects.
Super Early: |
Early: |
Regular: |
Onsite: |
$2000 |
$2100 |
$2300 |
$2800 |