Web application security training in 2015?
It’s a valid question we get asked sometimes. With the number of books available on the subject, the tools that seemingly automate the process, and the fact that finding bugs in web apps should be harder now that frameworks and developers are more likely to produce secure code, is there still a need to train people up in the art of application exploitation?
Our response is yes. Our application assessment course constantly changes. We look at the thousands of assessments that we perform for our customers, take the vulnerabilities discovered along with new architectures and designs, and try to build practical exploitation scenarios for our students. We love breaking the web, the cloud, ‘the box that’s hosted somewhere you can’t recall but just works’, as there are always new approaches and methods one can take to own the application layer.
Last month I discovered a vulnerability in Red Hat’s OpenStack Platform. What was cool about this vulnerability is that it’s not a new class of vulnerability, but when the platform is deployed in an organisation, it allows an authenticated user to read files on the filesystem with the permissions of the web server. Owning organisations is all about exploiting flaws and chaining them together to achieve the end goal.
We want to teach you the same process: learning how to own the application layer, while having fun doing it, at BlackHat Asia – Singapore.
During the course we will cover:
- Introduction to the hacker mindset (more important than it sounds!)
- Reconnaissance techniques.
…and…breaking the web…
- Understanding and exploiting data validation issues such as SQLi, XSS, XML and LDAP injections.
- Session Management issues…oh cookies!
- Attacking web services.
- A glance at client-side technologies such as Silverlight and ActiveX.
This course will be hands-on. It won’t just be me standing up and speaking; you will be learning how to own web apps and exploit common vulnerabilities, just like the best.
Come and join us! It will be fun :)
/S