AI Hack Day - Brisbane
AI Hack Day - Brisbane
Sat, Oct 29, 9:00 AM
SSW Brisbane • Brisbane City, QLD
Free
CrikeyCon 2017 Training - Advanced Web Hacking and Secure Coding
Description
Objectives
Tired of alert(‘xss’)? You want to learn advanced web hacking techniques then this training is for you.
Training starts with the basic web app hacking and then move into more advanced stuff such as bypassing the XSS filters, HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE etc. You’ll learn how to get shell on the box using web application vulnerabilities.
This training is Hands-on training on Web Hacking and Secure coding, and covers both offensive and defensive approach towards web applications.
The course covers how to use certain attack on web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code so that the attack would not happen. It covers various mistakes made by developers and wrote vulnerable code. It further covers how to write secure code in multiple languages such as PHP, Java, C# etc.
The lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. You will learn how to exploit and attack machines in the internal network using public facing servers. After this training attendees will successfully write secure code and test their web applications for vulnerabilities.
It contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc. Attendees will get to know the difference between vulnerable code and secure code. It contains secure coding practices recommended by OWASP.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Training Outline
- Introduction
- Input Validation - attack and defense
- User Enumeration - attack and defense
- Information Leakage - attack and defense
- HTTP Verb Tampering - attack and defense
- HTML Injection - attack and defense
- Cross Site Scripting (XSS) - attack and defense
- iFrame Injection - attack and defense
- LDAP Injection - attack and defense
- Cascading Style Sheet Injection - attack and defense
- AJAX Security - JSON Injection - attack and defense
- Cross Site Request Forgery (CSRF) - attack and defense
- Clickjacking - attack and defense
- Insecure direct object reference - attack and defense
- Open Redirects - attack and defense
- Broken Access Control - attack and defense
- Server Side Request Forgery (SSRF) - attack and defense
- Server Side Includes Injection (SSI Injection) - attack and defense
- Output Encoding - attack and defense
- Authentication and Password management - attack and defense
- JavaScript Validation Bypass - attack and defense
- SQL Injection - attack and defense
- JSON Hijacking - attack and defense
- Session Management - attack and defense
- Cookie Stealing - attack and defense
- Data Protection - attack and defense
- Denial-of-Service - attack and defence
- Man-in-the-Middle - attack and defense
- HTML5 - attack and defense
- XPATH and XQUERY language injection - attack and defense
- JSON Web Token - attack and defense
- Insecure System Configuration
- Database Security - attack and defense
- Privilege Escalation - attack and defense
- Remote Command or OS Command Injection - attack and defense
- Path traversal - attack and defense
- Local File Inclusion (LFI) - attack and defense
- Remote File Inclusion (RFI) - attack and defense
- Buffer Overflow - attack and defense
- HTTP Response Splitting - attack and defense
- MongoDB - attack and defence
- Wordpress - attack and defence
- Drupal - attack and defence
- Joomla - attack and defence
- Shellshock vulnerability
- Heartbleed vulnerability
- OWASP Top 10 Attacks
- OWASP Secure Coding Practices
- Logical Flaws
- and more ...
Upon the completion of this training, attendees will:
- This training brings attendees into a world of web hacking and secure coding
- Understand difference between vulnerable code and secure code
- Attendees can test their application for security vulnerabilities
- They can test different CMS such as Wordpress, Drupal, Joomla
- They can successfully write secure code as well as test web applications for vulnerabilities
- Attendees will get to know the common but dangerous coding mistakes done by the developers
- They can think like developer as well as penetration tester
- Attendees will learn how to exploit and attack machines in the internal network using public facing servers
Attendees will be provided with:
- Multiple vulnerable applications
- Hosted VMs for testing and training labs.
- Over 50 labs and 30+ challenges to solve
- Training materials – presentation materials and lab examples.
- Custom tools and scripts
- Additional reading materials
Attendee requirements for this training:
- Modern laptop with wired or wireless networking capabilities
- Minimum 4 GB RAM installed
- At least 60 GB HD Free
- VMware Workstation / Fusion installed
Pre-requisites:
- This course requires following pre-requisites:
- Web application development skills
- Basic knowledge on HTTP, HTML and Scripting
- Reading and understanding of PHP, Java, C# Server-side Code (Optional)
Who should attend this training?
- Penetration Testers
- Security Consultants
- Web Developers
- QA testers
- Web Application Tester
- System administrators
- IT Security professionals with a technical background
- IT managers
- System architects
- Bug Bounty Hunters
Trainer Biography
Vikram Salunke is the Information Security Researcher, Consultant and Founder at Vmaskers. Vmaskers provide network, wireless, web, Android and iOS applications penetration testing services and training for corporatations. His main responsibilities are to look after application security, lead security automation and provide training. He has also developed several internal security tools for the organisation to handle the security issues. Vmaskers provide training for organisation’s internal team that includes developers and penetration testers to improve quality of the applications.
He has also discovered serious web application security flaws in many unique product giants all over the world. He enjoys finding and exploiting software vulnerabilities via reverse engineering, source code auditing, and fuzzing. His research is primarily focused on Web App, Android, and iOS App Pentesting. He is responsible for Pentesting, Code Review and Security Certification of Hybrid Mobile Applications, as well as breaking and fixing business critical Web Applications, Web Services, and client facing applications built with HTML5 and JS. He has previously trained in CHCon and will be training in OWASP Morocco.