Web Application (In)Security: 2010

John Heasman & Daniel Martin

Register Now // jul 24 - 27

USA 2010 Weekend Training Session //July 24-25

USA 2010 Weekday Training Session //July 26-27


Finally, the long awaited successor to NGS’s hugely popular Web Application (In)Security Course is coming to BlackHat Vegas this year! The course has been completely updated with new and challenging labs, demos and material which cover both the fundamentals of web application assessment and as well as key web technologies such as Ruby on Rails, Flex Remoting, Silverlight WCF, Java Server Faces, HTML5 and NoSQL.

This is a cutting-edge, hands-on course aimed at hackers who want to exploit web applications, and developers who want to know how to defend them. The course covers the entire process of hacking a web application, from initial mapping and analysis, probing for common vulnerabilities, through to advanced exploitation techniques.

This year, the course contains more than 300 brand new lab examples, containing virtually every vulnerability that has ever been found in web applications. Even the most capable hackers will be challenged and find plenty to take away. We will also demonstrate the very latest hacking techniques developed over the past year.

Some highlights include:

  • Exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation
  • Breaking authentication and access control mechanisms
  • Reverse engineering Java, Flash and Silverlight to bypass client-side controls
  • Exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
  • Exploiting LDAP, XPath and command injection; and
  • Uncovering common logic flaws found in web applications.

The course concludes with a catch-the-flag contest, where participants try out their skills against a series of challenging scenarios, with prizes for winners. Attendees are expected to be familiar with core web technologies like HTTP and JavaScript.

A terrific resource for this course is the book "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto. The book is available for purchase from Amazon.com and provides pertinent and relevant information directly related to the course.

Course Length:

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

What to bring:

Basic networking knowledge required. Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.

Participants are requested to bring their own laptops. No particular OS is required, but Windows, Linux or Mac is recommended.

What you get:

All attendees will receive a free virtual machine containing the course labs to take home and continue improving their skills.


NGS Software is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants,database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks. By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.

Daniel Martin is a Principal Security Consultant at NGS, with over six years of experience in the industry specializing in application security. He has helped clients in the finance, high-end engineering, telecommunications and software sectors reviewing enterprise-level software through some of our most demanding consultancy and structured training engagements. Daniel has authored the Secure Web Application Development guide for the Centre for the Protection of National Infrastructure (CPNI) in the UK. He has been involved in security testing teams in the US, UK and Spain and he is also an experienced researcher that has identified vulnerabilities in software such as Oracle BPEL, Microsoft SharePoint and the XBOX 360 gaming platform. He has a strong coding background in a number of programming languages including C++, J2EE and Ruby on Rails and a deep understanding of Windows core technologies such as RPC, DCOM and service development. With excellent communications and presentation skills, he is an active member of the security industry contributing technical articles to a number of blogs and being active member of several security related open source projects. He has presented in a number of conferences including last year's DEFCON in Las Vegas and DC4420 in London.

John Heasman joined NGS as a Senior Security Consultant in 2003. He is currently the VP of Research for NGS US and lives in Seattle, WA. John has significant experience in network and web application penetration testing, vulnerability research, black-box testing and source code review. He has worked with a multitude of vendors and some of the world’s largest corporations to secure enterprise-level software. He has co-authored several publications including “The Database Hacker’s Handbook” and “The Shellcoder’s Handbook, 2nd Ed.” and he is a regular speaker at international security conferences. He holds a Master Degree in Engineering and Computing from Oxford University.

Super Early:
Ends Apr 1

Ends May 15

Ends Jun 15

Ends Jul 23