TT4 – Web Hacking 2.0: Attacks, Penetration and Exploits

Trainer: Shreeraj Shah (Founder, BlueInfy) & Vimal Patel (Director, BlueInfy)
Capacity: 20 pax
Duration: 2 days
Cost: (per pax) MYR3999 (early bird) / MYR4999 (non early-bird)


Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Web Hacking and Security. We are witnessing new ways of hacking and exploiting web based applications and it needs better understanding of technologies to perform penetration testing and assessment of web security. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new scanning tools and exploits.

Learning Objectives

• Web hacking landscape and attack surface analysis.
• Advanced protocol analysis and exploitation.
• Penetration testing methodologies and modeling techniques.
• Web application footprinting, discoveries and profiling.
• Fault injection and fuzzing for applications and error enumeration techniques.
• Abuse of functionalities, Denial of Services, Overflows and application traversal attack vectors and penetration.
• Advanced injections with SQL, LDAP, XPATH and OS command.
• Dealing with Blind injections across applications.
• Client Side Attacks and Exploits with XSS, CSRF, Open Redirects, Clickjacking and Browser hacking.
• Exploiting application with various tools and scripts.
• Web 2.0 attacks with Widgets, Mashups and JavaScripts.
• Hacking RIA components written in Flash and Silverlight.
• Reverse engineering Web based applications and tools for deep scanning and analysis.
• Hacking and exploiting cloud based APIs and SOAP structures.
• DOM based attack surface and mobile application pen-testing.
• Source code analysis and hybrid pen-testing approaches.
• Introduction to exploit tools for web hacking.
• Build your tool – writing your own tools for pen-testing.
• Understanding and exposure to scanners and their limitations.
• Live Hacking on sample .NET and J2EE applications.
• Advanced labs for Web 2.0 and RIA applications.
• WAF bypass and obfuscation techniques.
• Defense planning and report building for end users.

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class modules end with a challenge exercise. Working within a limited time period, participants are expected to analyze, scan, pen-test, identify loopholes, exploit vulnerabilities present in the applications on the basis of learnt concepts.

Class Prerequisites

• Basic knowledge on Web Application Architecture and Design.
• Basic understanding of web technologies and languages.
• Familiarity with application scanning tools and approaches would be handy.
• Script writing ability using perl, ruby or python would help in coding quick tools (Not a must)

Who Should Attend?

• Web Security analyst, auditors (PCI-DSS), consultants, pen-testers and security professionals who are looking to upgrade their skill-set on enterprise application security and hacking.
• QA and Developers who are looking for new tools and methodologies.
• Program managers and team leaders, responsible for securing SDLC in their enterprise environment.

Hardware / Software Requirements

To participate in hands-on exercises you will need to come with a windows-based laptop.

• OS : XP, Vista, Win7 or Server family
• Please install .NET and J2EE.
• 1 GB RAM
• All other tools will be provided

About Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.

About Vimal Patel

Vimal Patel is founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy.
Prior to founding Blueinfy, he held position of Vice President at Citigroup where he led architecture, design and development of various financial applications. Vimal holds Masters in Computer Science. Vimal has over a decade of experience and expertise in many technologies. His experience ranges from design of complex digital circuits and microcontroller based products to enterprise applications.