Course Description
In this 2-day course you will push Asp.Net to the limit and be shown how Asp.Net applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .Net Framework. You will also learn advanced defense techniques such as building an Asp.Net Security Protection Layer (also called a Web Application Firewall) and real-time patching of vulnerabilities in the target application, the .Net Framework or the CLR.
Structure:
The course is made up of 4 modules (2 per day, one in the morning and one in the afternoon):
Module 1: Security principles and .NET Framework Architecture
Module 2: Guerrilla Threat Modeling and Exploiting Asp.Net Applications
Module 3: Exploiting Full Trust and Partial Trust Asp.Net Environments
Module 4: Advanced Asp.Net Countermeasures
You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.
Prerequisites:
This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.
To get the most out of this course and to be able to do the extensive practice material provided (using a VMware image), the participants must:
The material is presented at a pace adjusted for experienced developers and/or security consultants.
Dinis Cruz is a Senior IOActive Security Consultant based in London (UK), specializing in ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development.
Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on rooting the CLR, exposing the dangers of Full Trust Asp.Net code, Type Confusion vulnerabilities in Full Trust (i.e. non-verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net client applications.
Dinis is also the current OWASP .Net Project leader and the main developer of several OWASP .Net tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).