Web Application Hacker’s Handbook Live Training + DevSecCon 2016
This is the page of a past DevSecCon event.
DevSecCon is proud to host MDSec’s Web Application Hacker’s Handbook Live course, which has previously been delivered at BlackHat, HiTB, Syscan, Countermeasure and 44con. MDSec works at the forefront of application security and runs numerous global training courses on web application security for development teams and professional testers alike.
This year we’re offering combined tickets, allowing you to attend the training course and DevSecCon on three consecutive days.
MDSec’s Web Application Hacker’s Handbook (WAHH) Live series has been running for seven years and is well respected as an authoritative source on web application security assessment, backed by Burp Suite, the tool written by one of the book’s authors. Our training course covers the practical aspects of the book, giving you hands-on experience of how to understand, find and exploit the latest vulnerabilities in web applications.
Because this is DevSecCon, we will also look at how effective automated tools are at identifying the issues under discussion. Many of the vulnerabilities you will be exploiting are in familiar DevOps applications: Jenkins, GoCD and other familiar names will be exploited to gain full control over the DevOps toolchain!
The course is highly practical: there are only 140 slides, and the course relies primarily on 400+ vulnerable examples drawn from every chapter of the book, plus a Capture the Flag exercise.
After a short introduction to the subject we delve into common insecurities in logical order:
Introduction to Web Application Security Assessment (Chapters 1-3)
Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
Application mapping and bypassing client-side controls (Chapters 4-5)
Attendees will gain theoretical and practical experience of:
How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
How to attack applications through LDAP injection, XPath injection, SOAP, HTTP Parameter Pollution (HPP) and HTTP Parameter Injection (HPI)
Real-world, 2015 techniques in SQL Injection against Oracle, MySQL and MSSQL
The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
Attacking applications built on newer technologies such as HTML5, NoSQL and Ajax
New attack types and techniques: bit flipping, padding oracle attacks and automated access control checking
How to immediately recognise and exploit Logic Flaws
Burp Suite Training, at your level.
Our course has Burp Suite at its heart. Although many experienced web application testers already use Burp, it has many options and extended capabilities that users rarely have time to investigate during time-limited assessments.
If, on the other hand, the above is unfamiliar territory, rest assured that we can take you through a full “zero to hero” path: the basics of the HTTP protocol, setting up the tool for optimal use, the capabilities and use of each key part of Burp Suite, and performing both automated and manual web application tests. QA teams love it!
Who is this course for?
DevOps, Developers and Security professionals who want to learn and improve web application security skills.
What students should bring:
Students should bring a laptop. A standard Windows, Linux or Mac laptop is fine, provided it meets the following prerequisites:
A Java Runtime Environment (JRE) capable of running Burp Suite.
An Ethernet connection.
Administrative access to the laptop: the ability to install a few tools and to disable personal firewalls or virus scanners should they get in the way of the lab exercises.
We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.
What students will be provided with:
2-week trial version of Burp Suite Pro
Book your combined ticket
Get completely immersed in DevSecOps with the 2-day Web Application Hacker’s Handbook Live Training course, followed by a day filled with inspiring talks and workshops at DevSecCon. The combined ticket allows you to attend the training course and DevSecCon on three consecutive days.
Marcus Pinto is a director at MDSec Consulting and author of the “Web Application Hacker’s Handbook” series.
He is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security both as a consultant and as an end user responsible for a global team securing over 200 build tracks and 50+ externally facing applications.
He has delivered training to some of the most high-profile audiences, at Blackhat, Syscan, and Hack in the Box. He has also run private training for many technical audiences, including CESG’s penetration testing team.
Marcus also sat on the assessors’ panel providing input for the CREST Web Application Exam, the UK’s number one certification for application assessment.