THE WEB APPLICATION HACKER'S HANDBOOK - LIVE EDITION
Marcus Pinto
October 19 - 20, Melbourne, Australia
EARLY BIRD: $2800 (ends July 31)
REGULAR: $3000 (ends August 31)
LATE: $3300 (starts September 01)
Prices do not include GST
OVERVIEW
MDSec’s Web Application Hacker’s Handbook Series (WAHH) has sold over 20,000 copies. As a training course, this has been delivered to over 30% of the CREST member companies, covering all of the vulnerabilities and technologies in the WAHH, under the guidance of the book’s authors.
The course syllabus follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:
- Introduction to Web Application Security Assessment (Chapters 1-3)
- Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
- Application mapping and bypassing client-side controls (Chapters 4-5)
- Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
- Injection and API flaws (Chapters 9-10)
- User-to-User Attacks (Chapters 12-13)
Attendees will gain practical experience of:
- Real-world, 2017 techniques in blind XXE injection, Java Deserialization, request method abuse, relative path overwrites, XSS filter evasion
- How to hack using all of the "OWASP Top 10", from SQLi to LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
- How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
- The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
- Harnessing new technologies such as HTML5, NoSQL, and Ajax
- New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
- How to immediately recognize and exploit Logic Flaws
For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.
ABOUT THE TRAINER
Marcus Pinto is the author of the well-known Web Application Hacker's Handbook series, and has been working within Application Security for over 15 years, going back to its origin as a subject. After 5 years in technical security consulting, he has spent the past 10 years in application security training, which has also included everything from longer-term SDLC engagements to technical security assessment. Marcus is Director at MDSec, a company specialising in education and technical security assessment for finance, software, retail and government clients.
RECOMMENDATIONS
- An understanding of HTTP (e.g. the GET and POST methods and how they differ)
- Some basic understanding of JavaScript and HTML
WHAT TO BRING
- Your own laptop
- The ability to set your proxy (make sure of this if you are using a corporate laptop)
- A version of the JRE, capable of running Burp Suite. Try the free version of Burp Suite from www.portswigger.net to make sure it works
- As networks are set up with Wifi, please ensure that your laptop will allow you to configure and join typical Wifi networks.
Students will be provided with:
- A 2-week full version of Burp Suite Professional Edition
- Course slides
- Access to 400 lab examples during the course