- EARLY BIRD: $2200 (ends June 30)
- REGULAR: $2530 (ends August 31)
- LATE: $2860 (starts September 01)

Prices are GST inclusive.
OVERVIEW
Tired of alert(1)? You think there is more to life than running Burp scanner? You went through PentesterLab's exercises and thought "I WANT MORE!!"? This training is for you!
This 2-day training will get you to the next level. We will look into CORS, WebSockets, the exploitation of vulnerabilities published in 2014 (Struts RCE, Rails', Heartbleed...). We will also get shells using serialisation in multiple languages and find vulnerabilities that you may have missed in the past.
After a quick overview of what you need to know to attack web applications, we will jump directly to the interesting stuff: hands-on training and real attacks. The class is a succession of 10-minute explanations of what you need to know, followed by hands-on examples to really understand and exploit vulnerabilities.
After the training, you go home with the course (slide-based), the detailed version of the course (in-depth walk-through), and the systems to be able to play and refresh your memory!
SYLLABUS
The following subjects will be covered:
- Cross-origin resource sharing
- WebSockets
- Struts RCE
- Multiple serialisation attacks (PHP, Python, Java)
- JBoss web-console
- Blind XML entities attacks
- Heartbleed
- Tricky SQL injections
ABOUT THE TRAINER
Louis Nyffenegger is an experienced and sought-after security consultant specialising in web penetration testing. He is a regular guest speaker at local security conferences including Ruxcon and OWASP, and has conducted web application security training at both conferences. In his spare time Louis helps set up Ruxcon’s Capture the Flag competition. In 2011, Louis started PentesterLab, a company specialising in security training. A free version of some of the PentesterLab exercises is available. Recently, Louis published Bootcamp, a learning path for getting into penetration testing.
Luke Jahnke is the creator of Bitcoin CTF, one of the hardest CTFs dedicated to web security. He is a regular guest speaker at local security conferences. After working as a web developer, Luke moved to security and has been popping shells for several years now.
RECOMMENDATIONS
This training is aimed at penetration testers and security professionals who want to improve their Web mojo.
The following skills/knowledge are required:
- Exposure to information security technologies
- The ability to use a web proxy like Burp Suite or Paros.
- The ability to write basic scripts in Ruby, Python or Perl.
HARDWARE AND SOFTWARE REQUIREMENTS
- Laptop with at least eight (8) GB of hard drive space and two (2) GB of RAM
- Latest VMware Player, VMware Workstation, or VMware Fusion installed.
- Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case.
- A working version of Burp Suite (free version)