TECH TRAINING 3 – ADVANCED WEB HACKING – WEB 2.0, HTML5 AND WEB SERVICES DEFENSE
TRAINER: Shreeraj Shah (Founder/Director, Blueinfy) and Vimal Patel (Founder/Director, Blueinfy) |
CAPACITY: 20 pax |
SEATS LEFT: REGISTRATION CLOSED
|
DURATION: 2 days (8th & 9th October 2012) |
COST (per pax): MYR3999 (early bird) / MYR4999 (non early-bird) |
OVERVIEW
Introduction and adaptation of new technologies like Ajax, RIA, HTML 5 and Web Services has changed the dimension of Web and Mobile Application Hacking. There are several new ways of hacking techniques are evolving and hacking in migrating to new dimension. Exploiting browser/mobile stack and server side injections are becoming common across applications. Cloud and Mobile are adding new attack surface to application layer. It is imperative to learn these advanced attack vectors and their countermeasures.
The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Advanced Application Hacking is hands-on class along with right tools. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. Following broad areas will be covered in various sessions along with hands-on and tools.
ADVANCED APPLICATION ARCHITECTURE AND THREATS
-
Application Architecture and Threats in era of HTML5/Web 2.0
-
Application Attack Surface and Scenarios
-
Technology trends and Threats in web and Mobile space
-
Web Protocols and Structures (JSON, XML, AMF, WCF, RPC etc.)
-
Ajax and RIA Components and understanding
-
Web 2.0/HTML5 Applications and Components
-
Understanding of HTML5, RIA and Silverlight Applications
-
Attack trends and threat models from HTML5 and Mobile perspective
ASSESSMENT AND HACKING METHODOLOGIES
-
Application Assessment methodologies
-
Blackbox Vs. Whitebox – Picking the right one
-
Threat Modeling for Applications – HTML5/Mobile
-
Application Footprinting, Discoveries and Profiling with respect to new threats and architecture
INJECTION AND FUZZING STREAMS (ZERO KNOWLEDGE)
-
Injections and Fuzzing with Web and AMF streams
-
SQL injection over XML and JSON
-
Blind SQL injections with Web Components
-
Detecting Injections and Tools
-
XML and XPATH injections
-
JavaScript and Command Injections
-
LDAP injection
-
AMF/WCF injections
-
Fuzzing and server side stream injections
-
Business logic flaws
-
Exploiting Injection points and tools
CLIENT SIDE HACKING
-
XSS and DOM based hacking
-
HTML 5 injections and script executions
-
CSRF and SOP bypass
-
ClickJacking
-
Mashup and Widget Hacking
-
RSS and Client side data poisoning
-
DOM based open redirects and forwards
-
Securing browser and client side components
-
CORS bypass
-
COR Jacking
-
DOM Hijacking
-
Web Messaging & Workers hacks
-
Geo-Location, Drag-Drop and API vectors
REVERSE ENGINEERING AND STATIC ANALYTICS
-
Analyzing Application code
-
Debugging JavaScript for vulnerabilities
-
Logic bypass and vulnerabilities
-
Reverse engineering Flash/Flex
-
Analyzing Silverlight driven applications
-
Dissecting HTML 5 applications
-
Mobile application and Web view engineering
WEB SERVICES, SOA AND CLOUD HACKING
-
Cloud based application and architecture
-
Hacking SaaS
-
Open API abusing
-
Web Services Scanning and Assessment
-
Attacking Web Services and SOAP
-
XML and SOAP poisoning and Vulnerabilities
-
Filtering Web 2.0 traffic for security
-
REST based hacks
MOBILE LAYER APPLICATION HACKS AND ATTACKS
-
Mobile interfaces and stack
-
Application architecture and business access
-
Android hacking and security
-
iPAD and iPhone hacks and attacks
-
Mobile security and countermeasures
HANDS-ON AND CHALLENGES
-
Challenges for SQL Injection and XSS – Advanced Attack Vectors
-
Hacking web store application
-
Hacking Trading Application
-
Exploiting and Securing Applications
-
Tools – Proxies, Tracers, Debuggers, Fuzzers etc.
WHAT TO BRING / HARDWARE REQUIREMENTS
To participate in hands-on exercises you will need to come with a windows-based laptop.
-
OS : XP, Vista or Server family
-
Please install .NET framework
-
1 GB RAM
-
All other tools will be provided
-
Laptop should be wi-fi enabled