Web Hacking Training presented at DeepSec 2007

by Shreeraj Shah

Summary: A growing concern has been Web application security. Web and application servers are the target of regular attacks by attackers who exploit security loopholes or vulnerabilities in code or design. Adding to this concern are next-generation applications: applications that are on the fast track and more appealing to the user, utilizing dynamic AJAX scripts, Web services and newer Web technologies to create intuitive and easy interfaces. The only constant in this space is change. In this dynamically changing scenario it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate assets. This two-day workshop will expose students to both aspects of security: attacks and defense. To think of newer Web applications without Web services is a big mistake; sooner or later existing applications will be forced to migrate to the new framework. This workshop includes several cases, demonstrations and hands-on exercises with newer tools to give you a head start over others in the field.

The following topics will be covered in-depth during these sessions:

# Web Security Fundamentals and Principles, Trends and Opportunities
# Methods, Components and Protocols (HTTP, HTTPS and SOAP)
# Web application assessment methods - Blackbox and Whitebox approaches
# Web application Deployment and Security Deployment issues
# Web application Footprinting, Discovery and Profiling
# Search engines and their role in Web Application hacking (Google & MSN)
# Web application attack vectors and assets-to-attacks-mapping
# XML-based attacks
# SQL, LDAP, XPATH injection techniques
# XSS, Cross-site cookie spoiling and AJAX-hacking
# Web services footprinting, discovery and profiling
# Web services attacks
# Web application firewall - Build and Deploy
# Web security controls and best practices
# Secure coding and reverse engineering methods
# Tools and Techniques
# Hands-on challenges and labs