DeepSec 2022 Online-Onsite Training: Hacking JavaScript Desktop Apps: Master the Future of Attack Vector – Abraham Aranguren
This course is the culmination of years of experience gained via practical penetration testing of JavaScript Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against JavaScript Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated course material, for which you keep lifetime access, as well as unlimited email support.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop
https://7asecurity.com/free-workshop-desktop-apps
Each section starts with a brief introduction to the JavaScript platform (i.e. Node.js, Electron) for that section and then continues with a look at static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.
Day 1: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The section is filled with hands-on exercises ending with a CTF for more practical fun.
Day 2: Dedicated to instrumentation and Advanced JavaScript Desktop App attacks: We cover advanced usage of instrumentation to debug and workaround typical assessment problems and then move on to cover attacks specifically targeting Electron and other platforms such as interesting XSS scenarios, multiple edge cases to gain RCE, local & remote attacks, prototype pollution, and more. The day is full of hands-on exercises and ends with CTF-style open challenges for additional practice.
Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications