Hands-on: Ethical Hacking of Web Applications

When:

Mon Nov 10 2014, 8:00am–5:00pm
Tue Nov 11 2014, 8:00am–5:00pm
Wed Nov 12 2014, 8:00am–5:00pm

Where: Sheraton Towers, 39 Scotts Road, Newton, Singapore

Restrictions: All ages

Listed by: Ad Astra

This workshop, through hands-on labs and demonstrations, introduces the student to the tools and techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications. Testing is conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate the implementation. It is especially useful because it can be done at various phases of the application's lifecycle (e.g. during development), and when source code is not available for review.

This workshop focuses on the most popular and critical threats, based on the industry-standard OWASP "Top Ten".

Students will be introduced to the OWASP Testing Guide and will work through various portions of it in hands-on labs against intentionally flawed web applications. Exploitation of popular flaws such as cross-site scripting (XSS) and SQL injection will be covered so students know how to validate findings and demonstrate impact. Finally, the course wraps up with several real-world applications that students will have to assess for flaws (from start to finish) using the techniques and methodologies learned in class.

Course Objectives:
• Understand the most popular security threats facing web applications.
• Introduction to, and hands-on use of, the tools and techniques to remotely validate a web application's security.
• Enhance secure programming practices by raising awareness and giving developers and auditors the tools and knowledge needed to test their web application's security from the user's perspective.

Who should attend:
People who audit web application security, develop web applications, or manage the development of web applications. The essentials of HTTP are covered in the course to assist those with limited prior experience.

Course Agenda:

These items are woven throughout each day:
The OWASP Testing Guide – web app penetration testing framework
Leveraging Automated Tools – Speed, Safety, Accuracy, and Limitations
Overall Testing Advice & Strategies – Real-world advice from the trenches
Exploitation of findings - For validation and impact analysis

Day 1
Web Primer (HTML, HTTP, Cookies, the basics)
Overview of Tools & Techniques (MITM Proxies, Fuzzing, etc)
Threat Classification Systems (OWASP Top Ten & WASC Threat Classes)
Vulnerability Category: A1 – Injection
Vulnerability Category: A3 – Cross-Site Scripting (XSS)
Vulnerability Category: A2 – Broken Authentication and Session Management

Day 2
Review of Tools & Techniques (MITM Proxies, Fuzzing, etc)
Vulnerability Category: A4 – Insecure Direct Object References
Vulnerability Category: A8 – Cross-Site Request Forgery (CSRF)
Vulnerability Category: A7 – Missing Function Level Access Control
Vulnerability Category: A6 – Sensitive Data Exposure

Day 3
Review of Tools & Techniques (MITM Proxies, Fuzzing, etc)
Vulnerability Category: A5 – Security Misconfiguration
Vulnerability Category: A9 – Using Components with Known Vulnerabilities
Vulnerability Category: A10 – Unvalidated Redirects and Forwards
Putting it all together via Capture the Flag – real-world applications to assess in class (from login to logout, and everything in between).

Instructor

David Rhoades is a Director with Maven Security Consulting Inc., a corporation that provides information security assessments & training services to a global clientele.
His expertise includes web application security and vulnerability assessments. He has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David has taught at various security conferences around the globe (Interop, USENIX, ISACA, SANS, DefCon, Black Hat).