DeepSec 2012 Workshop: Web Application Penetration Testing
If the eyes are the window to your soul, then web applications are the gateways to your heart. Of course this is only a figure of speech, but take a look at security incidents and the role web applications play in them, and the analogy makes sense. Web applications are everywhere. It’s not always about your favourite intranet application. A lot of devices run web applications, too. And there are portals which give you access to a whole variety of information and services. Speaking of services, you can have application programming interfaces (APIs), too. APIs usually do not talk to humans, but they are driven by automated clients, and those clients can be made to do Bad Things™. This is where penetration testing comes in. Ari Elias-Bachrach will teach you how to approach web applications in the context of serious penetration testing.
Compared to testing a network, testing web applications for security weaknesses leaves you with far more data to sort through. To keep things interesting, no two web applications are alike. Even packaged content management systems or simple blogs get customised with additional modules, templates or code, so no two installations behave quite the same way. You have to analyse more than just the rendered HTML content. There’s JavaScript, other active content, the communication between client and server, and all of the problems of maintaining session state on top of stateless HTTP (cookies, anyone?). And there is the complexity of modern web applications. They consist of hundreds or thousands of files, libraries, frameworks and everything in between. So where to start?
The workshop gives you hands-on experience with the various tools and methods you can employ to discover security vulnerabilities and bugs on live systems (running virtualised on your laptop). You will learn how an attacker sees your web application and how to approach it from that angle. The training is intended for (web) developers, security-minded people, pen testers, and IT experts dealing with web application (in)security.