Breaking Apps: An Introduction to Web Application Pentesting
This is a 6-hour intensive survey of web security from the vantage point of professional app breakers, delivered over two consecutive Wednesday evenings.
We're offering a brief intro to the principles of application security, followed by hands-on exercises aimed at getting you started actually exploiting application security vulnerabilities. We'll be using Burp Suite, the industry standard tool for web pentesting, and using it to uncover functionality, capture and manipulate HTTP requests, and exploit a wide variety of common and subtle flaws.
- Developers who want to know more about the threats their apps face, or want to wipe the smug looks off the face of their next appsec audit team.
- QA/QC testers or devops staff who want to integrate more app security testing into their testing, staging, and monitoring plans.
- Network security staff who want to move "up the stack" into app testing, and are looking for a strong, assertive push. Particularly testers who have been leaning on automated scanners and would like to lose the crutch.
- Wednesday, February 22, 6-9pm (Part I: Introduction, Toolchain, Discovery, Manipulation)
- Wednesday, February 29, 6-9pm (Part II: Injection)
- Location: Morningstar, 22 West Washington Blvd, Chicago, IL
Free - IF you show up!
There is a $20 registration fee that will be refunded in cash the second you walk in the door on the first day of class.
We tried having events without registration fees, but too many people would sign up and not show up, taking the limited spaces for those who wanted to learn.
All funds left over from Day 1 will be used for food and drinks for the class on Day 2. So, if you sign up and don't go, at least you bought the remaining students some beer and tasty snacks!
Enrollment is limited, so sign up early.
- An interest in breaking web applications. That's mostly it.
- No previous experience in web application penetration testing is expected or required.
- A working knowledge of web development on any stack, from J2EE to Django, would be helpful but is not absolutely required.
- You will need to bring a laptop with wireless functionality.
- We will send some introductory reading material and toolchain setup instructions to registered students prior to class.
If you have experience with testing proxies, finding cross-site scripting, exploiting Clickjacking and blind SQL injection, spidering applications, and all that stuff: this isn't for you. (If you want to help teach, we'd love to talk to you).
- Introduction to Web Application Security Principles
- Building your toolchain
- Discovering content and mapping the attack surface
- Manipulating Requests, including exploiting Insecure Direct Object References
- Injection Attacks, including Cross-Site Scripting and SQL Injection
- Automating Injection Attacks