Overview

Our "Web Application Hacker's Handbook" is still the most deep and comprehensive general purpose guide to hacking web applications that is currently available. But not for long, because the 2nd Edition is just around the corner.

So if you're a fan of the original want to try your hand exploiting everything in it, you've come to the right place. But this year you're in luck: with the 2nd Edition nearing publication, we're putting out a one-off preview class and you will get the chance to learn from the authors (and hack) what we've put in, before it hits the printers!

Did we mention Burp Suite? If you want to learn from the author of Burp, you're in luck again…

We have run courses for over 5 years at BlackHat, and we know what you want. This structured course is balanced at 120 slides with numerous opportunities to watch instructor-led demos, whilst hacking our library of over 150 lab exercises, spanning .Net, J2EE, PHP and finishing with a "Capture the Flag" contest.

In our labs, no question is left unanswered (or unasked)!

course syllabus

The course syllabus follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:

Introduction to Web Application Security Assessment (Chapters 1-3)
Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
Application mapping and bypassing client-side controls (Chapters 4-5)
Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
Injection and API flaws: (Chapters 9-10) User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

• How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
• How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
• Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
• The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
• Harnessing new technologies such as HTML5, NoSQL, and Ajax
• New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
• How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

Course timeline

This is a 2-day course.

teaching methods

• Brief theory delivered in lecture-style with examples
• Interactive demonstrations
• Hands-on Hacking: Interactively supported by the trainers
• Capture the Flag

Student Requirements

Students should bring a copy of the Web Application Hacker's Handbook and a laptop. A standard windows, Linux or Mac laptop is fine providing it meets the following prerequisites:

What you should bring

• A version of the JRE, capable of running Burp Suite.
• An Ethernet connection.
• Administrative access to the laptop, and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.
• We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

What you will get

Printed handbook of the course slides and other reference material. Interactive web-based version of the WAHH methodology, supported by practical examples of each vulnerability type. A standalone web application which can be used to practice the techniques and attacks from the course.

Trainers

Dafydd Stuttard is an independent security consultant, author and software developer. He has ten years' experience in security consulting and specializes in the penetration testing of web applications and compiled software. He works with banks, retailers and other enterprises to help secure their critical applications.

Dafydd is author of The Web Application Hacker's Handbook and SQL Injection Attacks and Defense. Under the alias "PortSwigger" Dafydd created the popular Burp Suite of web application hacking tools. He has developed and presented training courses at security conferences around the world.

---

Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security. His consulting experience has placed him in front of hundreds of clients and some of the most technical areas of security currently in commercial demand. He has delivered to some of the most high-profile audiences, including training CESG's penetration testing team, heading up an internal UK Government security team, and advising banks on structuring their online banking applications.

Marcus is a technical advisor to CREST, and develops a certification set up to test the best application and infrastructure security consultants in the world.

Marcus currently works as Head of Application Security for a tech-focused company with over 2 million registered customers settling over 6 million real-time transactions per day.