DeepSec 2014 Workshop: Hacking Web Applications – Case Studies of Award-Winning Bugs

René Pfeiffer/ October 14, 2014/ Conference, Training

The World Wide Web has spread vastly since the 1990s. Web technology has developed a lot of methods, and the modern web site of today has little in common with the early static HTML shop windows. The Web can do more. A lot of applications can be accessed by web browsers, because it is easier in terms of having a client available on most platforms. Of course, sometimes things go wrong, bugs bite, and you might find your web application and its data exposed to the wrong hands. This is where you and your trainer Dawid Czagan come in. We offer you a Web Application Hacking training at DeepSec 2014.

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the greatest companies? If that sounds like fun, then you should definitely join this workshop! Dawid will discuss bugs that he has found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla and others). You will learn how bug hunters think and how to hunt for bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this workshop is for you.
You will be given a VMware image with a specially prepared environment to play with the bugs. What’s more, after the workshop is over, you are free to take it home and hack again, at whatever pace is best for you. To get the most of this workshop basic knowledge of web application security is needed. You should also have ever used a proxy, such as Burp, or similar, to analyse or modify the traffic.

Dawid is an experienced security researcher who has found security vulnerabilities in products by Google, Yahoo!, Mozilla, Microsoft, Twitter, BlackBerry and other companies. He will lead you through case studies of high profile and high impact flaws in the fabric of software exposed via HTTP(S). Cryptography doesn’t help you if the web logic behaves faulty. The training will show you how web application work, how they can be analysed, and how critical bugs look like. All you need is your laptop and a way to run the provided virtual images.