TECH TRAINING 1 – THE ART OF EXPLOITING INJECTION FLAWS

________________

OVERVIEW

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are:

• SQL Injection

• XPATH Injection

• LDAP Injection

• Hibernate Query Language Injection

• Direct OS Code Injection

• XML Entity Injection

During the 2 days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild.  Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course:

LEARNING OBJECTIVES / FOCUS

1. Understand the problem of Injection Flaws

2. Learn a variety of advanced exploitation techniques which hackers use.

3. learn how to fix these problems?

WHO SHOULD ATTEND 

Penetration Testers, Web Developers, Security Auditors/Administrators/Managers, anyone else who wants to take their skills to the next level.

COURSE AGENDA

DAY 1:

SQL Injection

1. Identifying SQL Injections

1. Exploiting SQL Injections

• With Error Messages enabled

•  With Error Messages disabled

•  Blind Injection

•  Union Queries

•  Time delays

•  Out of Band Channels

•  Heavy Queries

1. Advanced Topics:

• Injection in Order by, group by, limit, SQL name etc.

• 2nd Order SQL Injections

• Exploiting Non Interactive SQL Injections

• SQL injection vs prepared statements and bind parameters

• Injection in stored procedures

• Privilege Escalation (Becoming DBA and ‘SA’)

• OS code execution under MS-SQL, Mysql and Oracle from web apps.

• Obtaining and Cracking Database password hashes

1. Fixing SQL Injection

DAY 2:

1. Hibernate Query Language Injection

• Advanced HQLi

1. Xpath Injection

• Blind Injection

• Automating XPATH Injection

• XPATH 2.0 Injection

1. LDAP Injection

• Blind Injection

• Automating LDAP Injection

1. XML external Entity Injection

• Reading arbitrary files

1. XML Tag Injection

PREREQUISITES

• A prior knowledge of databases/SQL would be handy but is not a strict requirement.

HARDWARE / SOFTWARE REQUIREMENTS 

Students must bring their own laptop and must have administrative access to perform tasks like install software, disable antivirus etc. Student must have VMPlayer/Workstation installed on their laptops. A backtrack DVD will be provided during the class. Devices which don’t have Ethernet connection (e.g. Macbook Air, tablets etc) are not supported. A prior knowledge of Database systems and SQL language will be an added advantage but it’s not a strict requirement.

ABOUT THE TRAINERS

Sumit Siddharth (Founder, NotSoSecure Ltd.)

Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous Black Hat, DEF CON, OWASP Appsec, HITB etc. He also runs the popular IT security blog: http://www.notsosecure.com. Sid is also a co-author of the book SQL Injection: Attacks and Defence (2nd edition). Over the years, Sid has identified several critical flaws in leading software and helped fix these bugs. These include products from Microsoft, Oracle, Intel, WordPress etc. He has trained several security consultants/penetration testers and helped them get better at their jobs. Sid also holds both CREST certifications (Application and Infrastructure)