Presented By: Marcus Pinto and Aaron Devaney, MDSec
The Web Application Hacker’s Handbook (WAHH) Series is the most deep and comprehensive general purpose guide to hacking web applications that is currently available. This course is a practical opportunity to take the skills and theory taught in the book to the next level, experimenting with all of the tools and techniques against numerous vulnerable web applications and labs, under the guidance of the book’s authors. The course also includes new material from the second edition of WAHH, bringing the course right up to date with the latest attacks.
The course follows the contents of WAHH, with a strong focus on practical techniques:
- Overview of web application security (chapters 1-3)
- Mapping the application and its attack surface (chapter 4)
- Bypassing client-side controls (chapter 5)
- Attacking core security mechanisms: authentication, session handling, access controls (chapters 6-8)
- Using automation to enhance manual testing (chapter 13)
- Injecting code and other input-based attacks (chapters 9-10)
- Attacking application logic (chapter 11)
- Attacking other users (chapter 12)
We will cover a huge range of attacks and techniques, focusing on arming you up with methods and capability to target the vast cocktail of technologies and situations:
- Writing Burp Extensions, Burp Macros and other tips to automate your work further and test ‘untestable’ web apps
- Exploiting seemingly “low risk” issues to achieve full application compromise
- Understanding JWT, SAML, and API testing
- Turning theoretical attacks into practical exploits
- The latest attack techniques which have been developed in recent months
- And much more …The course employs a range of demo applications and lab exercises, containing hundreds of different examples of web application vulnerabilities.
This course itself is CREST approved and listed as helpful towards CCT APP.
Delegates should be able to meet the following:
- Familiarity using an intercepting proxy
- Understanding of basic concepts such as the HTTP protocol, session management, and basic HTML.
- Computers capable of running Burp Suite (www.portswigger.net). Note that attendees should have
- administrative access on these machines in order to set IP addresses, modify hosts files and install software.
What to Bring
- A version of the JRE, capable of running Burp Suite.
- An Ethernet connection.
- Administrative access to the laptop, and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.
About the Trainer
Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications. He has delivered training to some of the most high-profile audiences, at 44CON, BlackHat, SyScan, and Hack in the Box. Privately he has run training for many technical audiences including CESG’s penetration testing team.
Marcus also sat on the assessors panel providing input for the CREST Web Application Exam, the UK’s number one certification for application assessment.