Advanced Web Attacks and Exploitation
Offensive Security Sold Out | July 21-24
- $4000 (ends February 1)
- $4200 (ends June 1)
- $4400 (ends July 20)
- $4700 (July 21-24)
Overview
The days of porous network perimeters are fading fast as services become more resilient and harder to exploit. In order to penetrate today's modern networks, a new approach is required. In order to gain that initial critical foothold in a network, penetration testers must be fluent in the art of exploiting front-facing web applications. Offensive Security's Advanced Web Attacks and Exploitation will take you far beyond the simple basics of SQL injection and bring you deep into the realm of web application penetration testing.
From mind-bending XSS attacks, to exploiting race conditions, to advanced SQL injection attacks, Advanced Web Attacks and Exploitation will broaden your knowledge of web application hacking and help you identify and circumvent various protection mechanisms in use on the web today.
This intensive, hands-on course will take your skills beyond run-of-the-mill SQL injection or mediocre file inclusion attacks and propel you into a world of brain-melting SQL queries, race conditions, and more - leaving you gasping in disbelief.
Topics Covered
- Advanced XSS, filter bypass and exotic payloads
- Advanced CSRF, filter bypass, cross site printing, DNS pinning
- Intensely advanced SQL injection attacks, Mappable SQL injections
- Command execution attacks, Shell injection, Dynamic Evaluation
- Business logic issues and Race conditions
- Advanced file inclusion attacks, and more
Lab Description
This course includes complex hands-on labs throughout the training. All students will be provided with pre-configured VMware images which include both instructional and real-world web vulnerabilities. These vulnerable web applications are analyzed and exploited for the duration of the course.
Who should attend
Advanced Web Attacks and Exploitation is NOT an entry-level course. The pace of learning is fast and furious - students are expected to have a solid understanding of how to perform basic web application attacks, at a minimum. This class is aimed at penetration testers and security auditors who need to take their web application penetration testing skills to a new level.
Prerequisites
It is assumed that the student already has a medium understanding of the underlying protocols and technologies involved in testing web applications, such as the HTTP protocol, SSL communications, and the usage of various browser plugins and proxies. A basic familiarity with web-based programming languages such as PHP, JavaScript and MySQL will also prove helpful.
What to bring
- Students are required to bring their own laptops with a minimum 2 GB RAM installed.
- VMware Workstation / Fusion installed.
- At least 60 GB HD free
- Wired Network Support
- DVD-ROM / USB 2.0 support
Course Length
Four days. All course materials, custom BackTrack CDs, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered.
Trainer
Mati Aharoni is the lead BackTrack Developer, and founder of Offensive Security. With over 10 years of experience as a professional penetration tester, Mati has uncovered several major security flaws and is actively involved in the offensive security arena.
Devon Kearns is an Offensive Security instructor, the administrator of the Exploit Database and Metasploit Unleashed projects, exploitation fanatic, and co-author of Metasploit: The Penetration Tester's Guide.