Presented By: Marcus Pinto and Aaron Devaney, MDSec
The Web Program Hacker's Guide (WAHH) Collection will be the almost all deep and comprehensive general objective guidebook to hacking web applications that is usually currently obtainable. This program can be a useful chance to get the abilities and theory taught in the publication to the following level, testing with all of the tools and methods against many vulnerable web applications and labs, under the guidance of the book's authors. The training course also includes new materials from the 2nd version of WAHH, getting the course right up to date with the latest attacks.
The second day begins with the reconnaissance and mapping phases of a web app penetration test. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines that support our target application, and building a profile of each server, including the operating system, specific software, and configuration.
The 2 day course will take place on the 10tl amp; 11th September 2019 at the Novotel Manchester West
Cost is usually £ 1,300 (inc VAT). Purchase your place in our shop today.
Cost is usually £ 1,300 (inc VAT). Purchase your place in our shop today.
Program Outline
The program comes after the items of WAHH, with a solid focus on useful techniques:
- Review of web application safety (chapters 1-3)
- Mapping the application and its assault surface area (section 4)
- Decoding client-side handles (part 5)
- Attacking core security mechanisms: authentication, program handling, access controls (chapters 6-8)
- Making use of automation to improve manual tests (part 13)
- Injecting code and some other input-based attacks (chapters 9-10)
- Attacking application reasoning (part 11)
- Targeting other users (part 12)
We will include a massive variety of attacks and techniques, concentrating on arming you up with methods and ability to target the vast cocktail of technologies and circumstances:
- Shot methods and methodology to target any vocabulary (XXE, SQL, LDAP, JavaScript)
- Creating Burp Extensions, Burp Macros and various other ideas to automate your function more and test ‘untestable' web apps
- Taking advantage of seemingly “low chance” issues to accomplish full application compromise
- Understanding JWT, SAML, and API screening
- Switching theoretical attacks into useful exploits
- The most recent attack techniques which have been created in current a few months
- And very much even more …The training course utilizes a variety of demo programs and laboratory exercises, formulated with 100s of different good examples of web program vulnerabilities.
This training course itself is definitely CREST accepted and shown as helpful towards CCT APP.
Pupil Specifications
Delegates should be capable to meet up with the following:
- Understanding making use of an intercepting proxy
- Knowing of fundamental concepts like as the HTTP protocol, session management, and simple HTML.
- Computer systems able of working Burp Suite (www.portswigger.net). Note that participants should have
- management accessibility on these machines in purchase to set IP handles, modify website hosts documents and install software.
What to Bring
- A edition of the JRE, capable of operating Burp Selection.
- An Ethernet connection.
- Administrative gain access to to the laptop computer, and the ability to set up a few equipment, and disable individual firewalls or computer virus scanners should they get in the method of the laboratory exercises.
We strongly recommend a individual laptop - if your commercial laptop computer build is definitely too restrictive this may impact your capability to take part in the program fully.
About the Trainer
Marcus Pinto is internationally recognised as a leader in the application and data source security field, having invested the last nine yrs in Info Protection both as a advisor and as an finish user responsible for a global team securing over 200 build songs and 50+ externally dealing with applications. He provides delivered training to some of the nearly all high-profile viewers, at 44CON, BlackHat, SyScan, and Hack in the Package. Independently he has run training for many technical viewers like CESG's penetration testing team.
Marcus furthermore sat on the assessors board providing insight for the CREST Web Application Exam, the British's number one certification for program assessment.