TECH TRAINING 3 – ADVANCED APPLICATION HACKING – ATTACKS, EXPLOITS & DEFENSE

TRAINER: Shreeraj Shah (Founder, Blueinfy) and Vimal Patel (Founder, Blueinfy)

CAPACITY: 20 pax

SEATS LEFT: REGISTRATION CLOSED

DURATION: 2 days (22nd & 23rd May 2012)

COST (per pax): EUR1499 (early bird) / EUR1899 (non early-bird)

 

OVERVIEW

The introduction and adoption of new technologies like Ajax, RIA, HTML 5 and Web Services have changed the dimension of application hacking. Several new hacking techniques are evolving, and hacking is migrating to a new dimension. Exploitation of the browser stack and server-side injections are becoming common across applications. Cloud and mobile are adding new attack surface to the application layer. It is imperative to learn these advanced attack vectors and their countermeasures.

The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum to address new challenges. Advanced Application Hacking is a hands-on class supported by the right tools. The class features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to a range of attack vectors and exploits. The following broad areas will be covered across the sessions, along with hands-on work and tools.

ADVANCED APPLICATION ARCHITECTURE AND THREATS 

  • Application Architecture and Threats
  • Application Attack Surface and Scenarios
  • Technology trends and Threats
  • Web Protocols and Structures (JSON, XML, AMF, WCF, RPC etc.)
  • Ajax and RIA Components and understanding
  • Web 2.0 Applications and Components
  • Understanding of RIA and Silverlight Applications
  • Attack trends and threat models

ASSESSMENT AND HACKING METHODOLOGIES 

  • Application Assessment methodologies
  • Blackbox Vs. Whitebox – Picking the right one
  • Threat Modeling for Applications
  • Application Footprinting, Discoveries and Profiling

INJECTION AND FUZZING STREAMS (ZERO KNOWLEDGE) 

  • Injections and Fuzzing with Web and AMF streams
  • SQL injection over XML and JSON
  • Blind SQL injections with Web Components
  • Detecting Injections and Tools
  • XML and XPATH injections
  • JavaScript and Command Injections
  • LDAP injection
  • AMF/WCF injections
  • Fuzzing and server side stream injections
  • Business logic flaws
  • Exploiting Injection points and tools

CLIENT SIDE HACKING

  • XSS and DOM based hacking
  • HTML 5 injections and script executions
  • CSRF and SOP bypass
  • ClickJacking
  • Mashup and Widget Hacking
  • RSS and Client side data poisoning
  • DOM based open redirects and forwards
  • Securing browser and client side components
  • CORS bypass

REVERSE ENGINEERING AND STATIC ANALYTICS

  • Analyzing Application code
  • Debugging JavaScript for vulnerabilities
  • Logic bypass and vulnerabilities
  • Reverse engineering Flash/Flex
  • Analyzing Silverlight driven applications
  • Dissecting HTML 5 applications

WEB SERVICES, SOA AND CLOUD HACKING 

  • Cloud based application and architecture
  • Hacking SaaS
  • Open API abusing
  • Web Services Scanning and Assessment
  • Attacking Web Services and SOAP
  • XML and SOAP poisoning and Vulnerabilities
  • Filtering Web 2.0 traffic for security

MOBILE LAYER APPLICATION HACKS AND ATTACKS 

  • Mobile interfaces and stack
  • Application architecture and business access
  • Android hacking and security
  • iPAD and iPhone hacks and attacks
  • Mobile security and countermeasures

HANDS-ON AND CHALLENGES

  • Challenges for SQL Injection and XSS – Advanced Attack Vectors
  • Hacking web store application
  • Hacking Trading Application
  • Exploiting and Securing Applications
  • Tools – Proxies, Tracers, Debuggers, Fuzzers etc.

WHAT TO BRING / HARDWARE REQUIREMENTS

To participate in the hands-on exercises you will need to bring a Windows-based laptop.

  • OS : XP, Vista or Server family
  • Please install .NET framework
  • 1 GB RAM
  • All other tools will be provided
  • Laptop should be Wi-Fi enabled

Note: All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.

ABOUT THE TRAINERS

Shreeraj Shah (Founder/Director, Blueinfy)

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’Reilly and HNS. He has been quoted as an expert on BBC, Dark Reading and Bank Technology.

Vimal Patel (Founder/Director, Blueinfy)

Vimal Patel is founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy. Prior to founding Blueinfy, he held the position of Vice President at Citigroup, where he led the architecture, design and development of various financial applications. Vimal holds a Master's in Computer Science. Vimal has over a decade of experience and expertise in many technologies. His experience ranges from the design of complex digital circuits and microcontroller-based products to enterprise applications.

Okura Hotel Amsterdam
Ferdinand Bolstraat 333, 1072 LH Amsterdam,
The Netherlands

1-Day Intensive Training Sessions – 21st of May / 0900 – 1800

 

SPECIAL OPS 1 – WIRELESS SECURITY KUNGF00

SPECIAL OPS 2 – THE ART OF EXPLOITING SQL INJECTION FLAWS

SPECIAL OPS 3 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE



2-Day Hands on Training Sessions – 22nd – 23rd of May / 0900 – 1800

TECH TRAINING 1 – HUNTING WEB ATTACKERS

TECH TRAINING 2 – ADVANCED LINUX EXPLOITATION METHODS

TECH TRAINING 3 – ADVANCED APPLICATION HACKING – ATTACKS, EXPLOITS & DEFENSE

 

 



3-Day Hands on Training Sessions – 21st, 22nd & 23rd of May / 0900 – 1800

TECH TRAINING 4 – THE EXPLOIT LABORATORY: ADVANCED EDITION




QUAD TRACK CONFERENCE – 24th & 25th of May / 0900 – 1800

Featuring keynotes by BRUCE SCHNEIER and ANDY ELLIS



Copyright © 2012 Hack In The Box | http://www.hackinthebox.org