Basic Web Hacking

NotSoSecure | July 22-23 & July 24-25



Overview

This course familiarizes attendees with a wealth of tools and techniques needed to breach the security of web applications. The course starts from the very basics and gradually builds up to the level where attendees can not only use the tools and techniques to hack the various components involved in a web application, but also walk away with a solid understanding of the concepts on which these tools work. The course also covers industry standards such as the OWASP Top 10 and PCI DSS and contains numerous real-life examples to help attendees understand the true impact of these vulnerabilities. The course is updated regularly to ensure that the latest exploits and vulnerabilities are available within the hacklab and taught in class.

The following is the course outline:

Day 1:
  • Understanding the HTTP protocol
  • Identifying the attack surface
  • Information gathering
  • Authentication Flaws
  • Online/Offline brute-force attacks
  • Cryptographic Flaws
  • Issues with SSL/TLS
  • Authorization Bypass


Day 2:
  • Insecure Direct Object Reference
  • Cross Site Scripting (XSS)
  • Reflective and Persistent XSS
  • Cross Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Tools and Techniques for exploiting SQLi
  • XML External Entity (XXE) Attacks
  • Insecure File Uploads



Who Should Take this Course

System administrators, web developers, SOC analysts, entry-level and intermediate penetration testers, network engineers, security enthusiasts and anyone who wants to take their skills to the next level.

Student Requirements

Students must bring their own laptop and have admin/root access on it. The laptop should have at least 4 GB of RAM and 20 GB of free disk space and a working copy of the latest Kali operating system. Kali should be run inside a virtual machine (e.g. VMware Workstation/Fusion/Player or VirtualBox).

Also note that we will use an Ethernet (wired) network for this class. If your laptop does not have an Ethernet port, please bring the appropriate adapter so that you can connect to the wired network.

What Students Should Bring

Same as above.

What Students Will Be Provided With

Access to a hacking lab, not just during the course but for 30 days after the class as well. This gives students plenty of time to practice the concepts taught in class. Numerous scripts and tools will also be provided during the training, along with student hand-outs.

Trainers

Sunil Yadav is an information security professional with over 7 years of experience in application security, mobile security and source code review. He has consulting experience with large organizations across different sectors, assessing network, system and application security, and has conducted national and international trainings and seminars on web application security, threat modelling, mobile security and secure coding. He has received credits and accolades from organizations such as Microsoft, LinkedIn, Yahoo, Nokia, PayPal and Oracle for identifying and reporting security vulnerabilities in their products.

Rohit Salecha is an information security professional with over 6 years of experience in web/mobile application and infrastructure security. He has also delivered training in secure coding practices in JEE. Over the years, Rohit has trained many web developers and security engineers and helped them get better at writing secure code and at evaluating the security of their applications.