Training

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Posted by on July 7, 2020 at 8:45 am

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be […]

Exploiting Race Conditions – Dawid Czagan

Posted by on July 1, 2020 at 12:15 pm

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack, an attacker who has $1000 in his bank account can transfer way more than $1000 from his bank account. This is just one example, but it […]

Translated Press Release: COVID-19 Apps Reveal Their Software During the Crisis

Posted by on May 13, 2020 at 9:05 am

In November, the DeepSec security conference will shed light on the software masquerade. People often say, “there’s bound to be an app for that!”. This stock phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again designated the […]

Translated Press Release: Covid-19 Apps show Software Development in Crisis

Posted by on May 8, 2020 at 4:07 pm

In November, the DeepSec security conference will highlight the software masquerade. In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again addressed computer code as a universal solution to problems that are not […]

DeepSec 2019 Press Release: High-quality Randomness protects Companies

Posted by on November 25, 2019 at 9:15 am

The ‘bugs’ of the ’90s are still alive – hidden in IoT devices, integrated systems and industrial controls. Modern information security can’t manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It’s about cryptography, which is constantly used in everyday life. It uses elements that build on […]

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

Posted by on October 26, 2019 at 9:30 am

OSSEC is sometimes described as a low-cost log management solution, but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basics of OSSEC and its components, how to deploy it and […]

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

Posted by on October 25, 2019 at 2:30 pm

In this intense two-day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)]. We will cover the basics to help you understand what the most common ICS vulnerabilities are. We will then spend some time learning and exploiting Windows & Active Directory […]

DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes

Posted by on October 24, 2019 at 4:30 pm

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training. Their goal is to introduce tools (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques to help you to work faster and in a […]

DeepSec 2019 Training: IoT/Embedded Development – Attack and Defense – Lior Yaari

Posted by on September 19, 2019 at 9:05 am

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they’ve accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches […]

DeepSec 2019 Training: Analysing Intrusions with Suricata – Peter Manev & Eric Leblond

Posted by on September 18, 2019 at 9:05 am

Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to […]

DeepSec Training: Black Belt Pentesting / Bug Hunting Secrets you’ve always wanted to know

Posted by on August 26, 2019 at 10:37 am

The Web and its technologies have become the perfect frontier for security experts for finding bugs and getting a foothold when doing penetration tests. Everything has a web server these days. And every web server will happily talk to web clients. The components involved are more than just simple HTML and JavaScript. The developer notion […]

DeepSec Training: Black Belt Pentesting / Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

Posted by on August 19, 2019 at 9:15 am

Web applications are gateways for users and attackers alike. Web technology is used to grant access to information, public and sensitive alike. The latest example is the Biostar 2 software, a web-based biometric security smart lock platform application. During a security test the auditors were able to access over 1 million fingerprint records, as well […]

Training Teaser: Black Belt Pentesting a.k.a. Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

Posted by on July 11, 2019 at 5:10 pm

Modern web applications consist of far more components than HTML content and a few scripts. In turn, properly attacking web applications requires a diverse set of skills. You need to know how the back-end and the front-end work. This includes all of the scripting languages, data storage technologies, user interface peculiarities, frameworks, hosting technologies, and […]

Ongoing DeepSec Call for Workshops – Trainers welcome!

Posted by on April 2, 2019 at 11:09 am

The Call for Workshops for the DeepSec conference in November 2019 is still open. If you have something to teach, let us know as soon as possible! We intend to inform potential trainees in the beginning of May about their options. This allows for better planning and preparation, because we receive early requests for […]

DeepSec 2018 Training: Advanced Infrastructure Hacking – Anant Shrivastava

Posted by on November 5, 2018 at 1:35 pm

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices. We asked Anant a few more questions about his […]