DeepSec Training: Improve your Pen-Testing Skills for Mobile Devices

René Pfeiffer/ September 29, 2023/ Conference, Training/ 0 comments

Mobile devices are a common tool for businesses and private users. We have become accustomed to carry Internet-enabled devices with us. How do you test if your device is secure? What is the best way to find security weaknesses? Mobile security testing requires different tools and different knowledge of the platform and the applications involved. DeepSec 2023 offers a training to get you started with pen-testing all things mobile. The focus is on Android and iOS apps. Sven Schleier will help you to analyse apps, intercept network traffic, and to identify weaknesses that can be turned into exploits. The course is a deep-dive into mobile technology. It also helps you when you need to bypass SSL pinning, Touch ID, Face ID, or similar barriers. Circumventing anti-jailbreaking technologies are covered, too. The skills are absolutely

Read More

DeepSec 2023 Training: Security Intelligence: Practical Social Engineering & Open-source Intelligence for Security Teams – Christina Lekati

Sanna/ August 25, 2023/ Conference, Interview, Training

Social engineering attacks remain at the top of the threat landscape and data breach reports. Reports tend to oversimplify breaches as just phishing attacks, but current research shows it’s more complex. Social engineering attacks have been evolving. Successful phishing emails are usually a result of a larger attack based on research and intelligence that identifies organizational vulnerabilities. But it doesn’t stop there. Weaponized psychology is still a powerful component of social engineering attacks. Security professionals and testers need to know how social engineering works and how to stop attacks. This class aims to provide participants with the necessary knowledge on open-source intelligence and social engineering, to help security teams build better protective measures (proactive & reactive) and to inform their security strategy. It also aims to help penetration testers improve their recommendations and provide

Read More

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ July 4, 2023/ Conference, Security, Training

Tokens make the world go around. Therefore, we want to share with you the next teaser about Dawid Czagan’s training at DeepSec 2023. PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? Dawid will show you in a free video step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch the video and consider joining Dawid Czagan’s training Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access (14-15 November, DeepSec 2023).

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ June 15, 2023/ Conference, Training

Portable documents are nice. It’s always an advantage to read and process documents on different platforms. The Portable Document Format (PDF) is a common format. Unfortunately, PDF can be abused to attack you. PDF files are everywhere and these files can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video, Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Dawid has prepared a free video for you. Have

Read More

DeepSec 2023 Training: Mobile Security Testing Guide Hands-On – Sven Schleier

Sanna/ June 5, 2023/ Training

Software cannot be tested by machines alone. In order to identify security weaknesses, you will need the right toolchain and expertise on how to use the tools. Therefore, we asked Sven Schleier to give you a two-day deep dive into mobile security testing. Embark on an exciting journey to master the art of hacking mobile apps! Join this course led by Sven Schleier, where you’ll learn how to analyze mobile apps for security vulnerabilities. With dynamic testing, static analysis, and reverse engineering techniques, you’ll uncover the secrets of app attacks. Dive into Android and iOS testing, using virtualized devices provided by Corellium. Each student will get a rooted Android and jail broken iOS instance for the duration of the training and the only pre-requisite is having a laptop with macOS, Windows, or Linux. Explore

Read More

DeepSec 2023 Workshop: Black Belt Pentesting / Bug Hunting Millionaire (100% Hands-On, Live Online Training, 24-25 October) – Dawid Czagan

Sanna/ June 1, 2023/ Conference, Training

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training! I will discuss security bugs found by several bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session. Watch 3 exclusive videos

Read More

DeepSec 2023 Workshop: Web Hacking Expert: Full-Stack Exploitation Mastery [Video Training, Lifetime Access] – Dawid Czagan

Sanna/ May 30, 2023/ Conference, Training

Watch the trailer for your training! Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique video training, and take your professional pentesting career to the next level. Dawid Czagan has found security bugs in many companies, including Google, Yahoo, Mozilla, Twitter, and in this video training he will share his experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively. Almost 5 hours of high-quality video courses with lots of recorded demos You will get lifetime access to these 5 video courses: Bypassing Content Security Policy in Modern Web Applications –

Read More

DeepSec Workshop 2023: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access – Dawid Czagan

Sanna/ May 26, 2023/ Conference, Training

Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory. For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. Also, when the training is over, you can take the complete lab environment home to hack again at your own pace. I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers. Key Learning Objectives After completing this training, you will

Read More

Exploiting Race Conditions – Video Tutorial

René Pfeiffer/ May 25, 2023/ Training

We updated our schedule. There are already some workshops for you. In addition, we have a video tutorial for you, provided by our trainer Dawid Czagan. It explains how race conditions work. A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. You can find the video online. The full two-day training session has much more

Read More

Reminder for virtual Training: Exploiting Race Conditions

René Pfeiffer/ November 15, 2022/ Security, Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s live online training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”- Because of our hybrid configuration of DeepSec for trainings and the conference, the Mastering Web Attacks with Full-Stack Exploitation

Read More

DeepSec 2022 Trainings have started

René Pfeiffer/ November 15, 2022/ Security, Training

The DeepSec trainings have started. Today is the first day. The topics cover attacking modern desktop applications, network threat hunting, incident response, creating malicious office documents for offensive tests, and secure code review. The spectrum covers a lot of content, and it will be very helpful for defending the information security landscape. One of our trainings can still be booked. The workshop titled “Web Hacking Expert: Full-Stack Exploitation Mastery” by Dawid Czagan has been postponed to 28/29 November 2022. It will be an online training. You can take part virtually. Bookings are still possible via our ticket shop.

Reminder for your Training @DeepSec 2022: Bypassing Content Security Policy via ajax.googleapis.com – Dawid Czagan

Sanna/ October 25, 2022/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564)   Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies.

Read More

Reminder for your Training @DeepSec 2022: Exploiting Race Conditions – Dawid Czagan

Sanna/ October 24, 2022/ Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker, who has $1000 in his bank account, can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564)   Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the

Read More

Reminder for your Training @DeepSec 2022: Token Hijacking via PDF File – Dawid Czagan

Sanna/ October 22, 2022/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564)   Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed

Read More

DeepSec 2022 Training: Practical Secure Code Review – Seth Law, Ken Johnson

Sanna/ September 23, 2022/ Training

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken’s past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language. We asked Seth and Ken

Read More