TECH TRAINING 7: Hacking Web Applications: Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More

DURATION: 2 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: 5

PRICE: EUR1499 (early bird)

EUR1999 (normal)

Early bird registration rate ends on the 1st of March


Overview

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this two-day hands-on training!

I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you. After completing this training, you will have learned about:

– tools/techniques for effective hacking of web applications

– non-standard XSS, SQLi, CSRF

– RCE via serialization/deserialization

– bypassing password verification

– remote cookie tampering

– tricky user impersonation

– serious information leaks

– browser/environment dependent attacks

– XXE attack

– insecure cookie processing

– session related vulnerabilities

– mixed content vulnerability

– SSL strip attack

– path traversal

– response splitting

– bypassing authorization

– caching problems

– clickjacking attacks

– logical flaws

– and more…

What Students Will Receive

Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Prerequisite Knowledge

To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or similar, to analyze or modify traffic.

Hardware / Software Requirements

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB of free hard drive space, USB and Ethernet ports, administrative access, the ability to turn off AV/firewall, and VMware Player (64-bit version) installed.

Who Should Attend

Pentesters, bug hunters, security researchers/consultants.

TRAINING

Location: De Beurs van Berlage

Date: May 26, 2015

Time: 9:00 am - 6:00 pm

Dawid Czagan