MDSec's Web Application Hacker's Handbook: Live
Thursday, June 4, 2015 at 9:00 AM - Friday, June 5, 2015 at 5:00 PM (BST)
This is a two-day course presented by the author of the Web Application Hacker's Handbook. At the end of the two days, you will receive an extra day (8 hours) of self-paced access to the online materials at http://mdsec.net, where you can continue your learning.
The course is now recognised by CREST as recommended material for the CREST Certified Web Application Tester qualification.
The syllabus follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:
- Introduction to Web Application Security Assessment (Chapters 1-3)
- Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
- Application mapping and bypassing client-side controls (Chapters 4-5)
- Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
- Injection and API flaws (Chapters 9-10)
- User-to-User Attacks (Chapters 12-13)
Attendees will gain theoretical and practical experience of:
- Real-world, 2015 techniques in blind / parameter XXE injection, request method abuse, relative path overwrites, XSS filter evasion
- How to hack using all of the "OWASP top 10", from SQLi to LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
- How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
- The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
- Harnessing new technologies such as HTML5, NoSQL, and Ajax
- New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
- How to immediately recognize and exploit Logic Flaws
Full details of this two-day course are provided on our website.
Where can I contact the organizer with any questions?
You can contact us at www.mdsec.co.uk/contact.
How long is the training?
Training is two days, and is expected to run from 9am-5:30pm.
What should I take?
A laptop that you have administrative privileges over (i.e., you should be able to disable firewalls, install Java, and modify your browser proxy settings).
What will be provided?
Training materials will include:
- 8 hours' access to the online labs at http://mdsec.net where you can complete any exercises you didn't have time to complete on the day
- Copies of the course slides
MDSec is a specialist company offering online training in Web Application Security, by the authors of the Web Application Hacker's Handbook [Wiley, 2011].