TECHNICAL TRAINING TRACK 1
April 21, 2005
Title: Web Application – Attacks and Defense
Trainer: Shreeraj Shah Director Net-Square Consulting
Capacity: 30 pax
Seats left: CLASS IS FULL
Duration : 2 days
Cost: (per pax) RM1800 (early bird) / RM2200 (non early-bird)
Content:
Beginning with an introduction to Web applications and Web Services, the participants will be offered an insight into web hacks and their resulting effects, followed by thorough assessment methodologies and defense strategies for varying environments.
Introduction to web applications
1. Components of a web application
2. Basics of web technologies and protocol information
3. Evolution of technologies and impact on security
4. Understanding other basic web security-related concepts
5. Learning tools like netcat, Achilles etc. to understand their usage and application (hands on for the group)
Web Hacking – Areas of attack
Various attacks will be covered in detail with demonstration followed by hands on exercises. Following is a brief list of attacks.
1. Cross-site scripting attacks
2. SQL Query Injection
3. Session Hijacking
4. Buffer Overflows
5. Java Decompilation
6. HTTP brute forcing
7. Trojan Horses and Malware products
8. Form Manipulation, Query Poisoning
9. Input Validation, Parameter Tampering
10. Authentication
11. Information leakage
12. File operations
13. Client-side manipulations
14. Cryptography
15. Error/Exception handling
Attack and Defense strategies
1. Impact of attacks
2. Risk analysis
3. Countermeasures
4. Defense strategies and methods
Assessment Methodology and Defending Applications
1. Footprinting and Discovery
2. Reconnaissance – Profiling a web application
3. Black-box and White-box testing
4. Exploiting vulnerabilities
5. Defending applications
6. Secure coding strategies
Web Services Assessment
1. Footprinting
2. Discovery
3. Technology Identification
4. Attack vector for web services
5. Defense methods
6. Toolkit – wsChess (http://www.net-square.com/wschess): hands-on use of the toolkit, guided by its author.
Hands-on: The training programme will end with an “assessment challenge” – a live Web Application. Working with time constraints, participants are expected to analyze the application, identify and exploit loopholes and apply all defense strategies learnt, to secure the application.
About Shreeraj:
Shreeraj Shah is founder and director of Net-Square. He has five years of experience in the field of security with a strong academic background. He has experience in system security architecture, system administration, network architecture, web application development and security consulting, and has performed network penetration testing and application evaluation exercises for many significant companies in the IT arena. Shreeraj graduated from Marist College with a Master's in Computer Science, and has a strong research background in computer networking, application development, and object-oriented programming. He received his Bachelor’s degree in Engineering, Instrumentation and Control from Gujarat University, and an MBA from Nirma Institute of Management, India.
Shreeraj is the co-author of “Web Hacking: Attacks and Defense” published by Addison Wesley. He has published several advisories, tools, and white papers as a researcher, and has presented at conferences including HackInTheBox, RSA, Blackhat, Bellua, CII, NASSCOM etc. You can find his blog at http://shreeraj.blogspot.com/.