The course follows the chapters of the Second Edition of The Web Application Hacker’s Handbook, with a strong focus on practical attacks (there are only 136 slides in either the 2-day or the 3-day course). After a short introduction to the subject we delve into common insecurities in logical order:
- Introduction to Web Application Security Assessment (Chapters 1-3)
- Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
- Application mapping and bypassing client-side controls (Chapters 4-5)
- Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
- Injection and API flaws (Chapters 9-10)
- User-to-User Attacks (Chapters 12-13)
Attendees will gain theoretical and practical experience of:
- How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
- How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
- Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
- The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
- Harnessing new technologies such as HTML5, NoSQL, and Ajax
- New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
- How to immediately recognise and exploit Logic Flaws