The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:
Introduction to Web Application Security Assessment (Chapters 1-3)
Automating Bespoke Attacks: Practical hands-on experience with Burp
Suite (Chapter 13)
Application mapping and bypassing client-side controls (Chapters 4-5)
Failures in Core Defense Mechanisms: Authentication, Session
Management, Access Control, Input Validation (Chapters 6-8)
Injection and API flaws: (Chapters 9-10)
- User-to-User Attacks (Chapters 12-13)
Attendees will gain theoretical and practical experience of:
How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL
The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
Harnessing new technologies such as HTML5, NoSQL, and Ajax
New attack types and techniques: Bit Flipping, Padding Oracle, Automated
Access Control checking
- How to immediately recognise and exploit Logic Flaws
For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.
To see the practical exercises, in action, please visit:
http://www.mdsec.net/labs/demo.html