Hacking Extreme Web Applications – Special Edition
Instructors: Michael Brügge and Joshua Tiago
Content:
Web-based applications are becoming a favorite target, not only because more and more companies provide web services, online shops, banking applications, employee portals and other interactive applications with web front ends, but also because new methods for attacking and manipulating these systems keep appearing.
"Hacking Extreme Web Applications" is a course based on our successful "Hacking Extreme" course, but, as the name suggests, is concerned with attacks on web applications and the databases located behind them.
This intensive course teaches you the methods used by attackers, covering both well-known and lesser-known techniques for attacking web applications and the databases and back ends located behind them. The training takes a hands-on approach and is enhanced by numerous laboratory exercises.
Using different exercises, we explain the theory and practice behind buzzwords like "SQL injection", "hidden manipulation", "cross-site scripting" and many others.
Each participant works on an individual notebook equipped with a large number of tools, allowing them to gain practical experience from an attacker's point of view. The trainers carry out security audits on a regular basis and are recognized experts in the application security field.
The training covers all OWASP Top Ten 2013 vulnerability types.
Main topics:
Information gathering
- Classic information gathering by banners, error pages, etc.
- Web server fingerprinting
- Using crawlers
- Metadata information
- Decompiling client components (Flash, Java Applets, Silverlight)
Attacks on web and application servers
- Software vulnerabilities in web and application servers (buffer overflows, etc.)
- Exploiting misconfigurations (directory listings, etc.)
- Application framework vulnerabilities
Attacks on the transport
- Eavesdropping on the communication, SSL man-in-the-middle attacks
- SSL vulnerabilities and misconfigurations
- Vulnerabilities in application layer encryption
Attacks on the application
- Attacks on the authentication process
- Attacks on stored passwords
- Bypassing CAPTCHAs
- Attacks on the session management
- Cross-site scripting (persistent, non-persistent, DOM-based)
- Cross-site request forgery (CSRF), vulnerabilities in anti-CSRF mechanisms
- Vulnerabilities in function-level access control
- Vulnerabilities in object-level access control
- File inclusion (local/remote)
- Open redirects
- Command injection
- File upload vulnerabilities
- Application logic vulnerabilities
- Vulnerabilities in client-side JavaScript logic
- Attacks on AJAX services
- HTML5-based attack vectors
- Web spoofing
Attacks on the back end
- SQL injection / blind SQL injection
- LDAP injection
- Vulnerabilities in web services
- XML injection / XML bombs
- XPath injection
- XSLT injection
Systems covered:
Unix-based or Windows-based web servers, databases, application servers, etc.
Target group:
Administrators and security officers who are not afraid to see security through the eyes of an attacker and to dive deeply into that world. The training is also of interest to developers and administrators of web servers and e-business systems.
Prerequisite:
Basic knowledge of web servers, HTTP and HTML.
Price: € 2,000
Date: January 25-26, 2016, the two days before the IT-Defense conference starts.
The training is conducted in German by two experienced trainers.
You will receive CPE points for participating in the Hacking Extreme Web Applications training. The training takes 16 hours.
For information on our regular dates of the training "Hacking Extreme Web Applications" and more details, please click here.
Location:
Hyatt Regency Mainz
Malakoff-Terrasse 1
55116 Mainz
Tel: +49 6131 73 1234
Fax: +49 6131 73 1235
E-Mail: mainz.regency@hyatt.com