Web Application (In)Security
NGS Software
// apr 12 - 13 |
Overview:
This is a cutting-edge, hands-on course aimed at hackers who want to exploit web applications, and developers who want to know how to defend them. The course is presented by the authors of the critically-acclaimed Web Application Hacker’s Handbook, and covers the entire process of hacking a web application, from initial mapping and analysis, probing for common vulnerabilities, through to advanced exploitation techniques.
This year, the course contains more than 300 brand new lab examples, containing virtually every vulnerability that has ever been found in web applications. Even the most capable hackers will be challenged and find plenty to take away. We will also demonstrate the very latest hacking techniques developed over the past year.
Some highlights include:
Exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation
Breaking authentication and access control mechanisms
Reverse engineering Java, Flash and Silverlight to bypass client-side controls
Exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
Exploiting LDAP, XPath and command injection; and
Uncovering common logic flaws found in web applications.
The course concludes with a catch-the-flag contest, where participants try out their skills against a series of challenging scenarios, with prizes for winners. Attendees are expected to be familiar with core web technologies like HTTP and JavaScript.
A terrific resource for this course is the book "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto. The book is available for purchase from Amazon.com and provides pertinent and relevant information directly related to the course.
Course Length:
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
What to bring:
Basic networking knowledge required. Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.
Participants are requested to bring their own laptops. No particular OS is required, but Windows, Linux or Mac is recommended.
Trainer:
NGS Software is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants,database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks. By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.
Pablo Sisca has served as consultant/expert to both private and public sectors, nationally and internationally, and has extensive experience and background in security technology.
Pablo has spent many years designing and testing security software to meet evolving market demands. He has independently consulted and developed security products for several corporations, financial institutions and government agencies such as the UNESCO Antivirus Lab across America.
As a security vulnerability researcher and part of NGS consulting team Pablo has discovered a large number of vulnerabilities across many different enterprise software packages - including many critical bugs in Microsoft products - mainly inside of paid engagements. Pablo has obtained an extensive degree of experience with application, web technologies and low level security testing, having performed many successful engagements for Microsoft and many NGS' other largest clients.
Pablo has authored several custom fuzzing tools and frameworks, written a variety of low level software testing utilities - such as static binary analysis and reverse engineering tools, which have been used on a number of successful engagements to discover a large number of security flaws.
Prior to joining NGS, Pablo served as a member of the Argentine Government in the Information Security Research & Development Lab team. He was responsible for all day-to-day research, penetration testing and deployment of mission-critical computer security applications for the Ministry of Defense.
John Heasman joined NGS as a Senior Security Consultant in 2003. He is currently the VP of Research for NGS US and lives in Seattle, WA. John has significant experience in network and web application penetration testing, vulnerability research, black-box testing and source code review. He has worked with a multitude of vendors and some of the world’s largest corporations to secure enterprise-level software. He has co-authored several publications including “The Database Hacker’s Handbook” and “The Shellcoder’s Handbook, 2nd Ed.” and he is a regular speaker at international security conferences. He holds a Master Degree in Engineering and Computing from Oxford University.
Super Early: |
Early: |
Regular: |
Late: |
Onsite: |
€1460 |
€1535 |
€1680 |
€1825 |
€2045 |