2107, 2022

DeepSec 2022 Training: Bypassing Content Security Policy via ajax.googleapis.com – Dawid Czagan

Sanna/ July 21, 2022/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. In a free video, Dawid Czagan (DeepSec instructor) will show you step by step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564) Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies.

2007, 2022

DeepSec 2022 Training: Token Hijacking via PDF File – Dawid Czagan

Sanna/ July 20, 2022/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video, Dawid Czagan (your DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564) Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is

1207, 2022

DeepSec 2022 Training: Mobile Security Testing Guide Hands-On (Hybrid edition) – Sven Schleier

Sanna/ July 12, 2022/ Training

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures. We asked Sven a few more questions about his training. Please tell us the top 5 facts about your training. Learn a holistic and consistent method for testing the security of mobile apps A full Penetration Test against iOS apps can also be done on a non-jailbroken device! Learn how to bypass Anti-Frida security controls in a mobile app with… FRIDA! Focus on hands-on exercises during the training with vulnerable apps build by the trainer You just need to

2606, 2022

Preliminary Schedule DeepSec 2022 – Trainings

René Pfeiffer/ June 26, 2022/ Conference, Training

👨‍🎓 👩‍🎓 The „full preliminary“ schedule of DeepSec 2022 is due in mid-August. Until then, we have some training options for you. The remaining trainings will be published as soon as we have the confirmation from the trainers. The following courses have been confirmed: Hacking JavaScript Desktop apps: Master the Future of Attack Vector – The desktop is the entry to organisations and companies. Employees are connected to the resources attackers look for. The training illustrates how modern desktop applications work, how they connect to the outside world, and how you can use them to gain access to the internal networks (or the cloud platforms used by the code). Mobile Security Testing Guide Hands-On – This course tells you all you need to know about the desktop-to-go versions of applications. Mobiles devices are a

0110, 2021

DeepSec2021 Press Release: Company Desktops as a Gateway for Digital Attacks

Sanna/ October 1, 2021/ Conference, Press

Home office relocates the digital company door across countries and cities into the living space. Teleworking has been around for over 50 years. The virtual way of working has gained a lot in importance since last year. The pandemic has increased the distance and technology for the home workplace has made a real breakthrough. Unfortunately, the same cannot be said for information security. Many installations lack basic security, especially when using personal devices without company in-house configuration. The DeepSec conference and Certitude Consulting warn against the use of systems without adequate protection. Bring your own demise with private hardware The COVID-19 pandemic has created great pressure to give employees access to their work environment from home. The implementation requires careful planning and the use of secure end devices and protocols in network transmission. Popular

0609, 2021

DeepSec 2021 Training: Advanced Deployment and Architecture for Network Traffic Analysis – Peter Manev & Eric Leblond

Sanna/ September 6, 2021/ Training

The foundation for effective intrusion detection and response is based on proper sensor placement and configuration. Sensor placement is crucial for developing a comprehensive network security and monitoring solution. Misconfigurations and improper placement can lead to gaps in network visibility, which can allow attackers to go undetected for prolonged periods of time and to penetrate deeper into your network. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn the skills necessary to successfully design, deploy and optimize a high-performance network monitoring and security solution. Filled with hands-on exercises and comprehensive demonstrations, this class will elevate your skills to maximize your network visibility and data management with Suricata. By the end of this course you will have gained a deep technical understanding and hands on experience with Suricata’s versatile arsenal of features

0109, 2021

DeepSec 2021 Training: Mobile Security Testing Guide Hands-On – Sven Schleier

Sanna/ September 1, 2021/ Training

LIVE ONLINE TRAINING [Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net] Mobile apps are omnipresent in our lives and we are using more and more apps to support us, ranging from simple to complex daily tasks. Even though modern mobile operating systems like iOS and Android offer great functionalities to secure data storage and communication, these have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual

3008, 2021

DeepSec 2021 Training: Mobile Network Operations and Security – David Burgess

Sanna/ August 30, 2021/ Conference

This workshop describes security risks in mobile networks, both in the core network and in the radio network, based on case studies reported in the press. For each case, we will dig into the technical elements of what actually happened. The workshop will be especially useful for IT security people who are responsible for mobile devices but are not yet familiar with mobile network technology. The material will also be useful for anyone who works with individuals who have special security concerns, or who report on telecom security topics. The workshop will start with an overview of cellular technology in general and types of security flaws common to all mobile networks, and then proceed to specific examples for different network segments and technology types. The workshop will include demonstrations of some security failures and

2308, 2021

DeepSec 2021 Training: How to Break and Secure Single Sign-On (OAuth and OpenID Connect) – Karsten Meyer zu Selhausen

Sanna/ August 23, 2021/ Training

Implementing single sign-on has huge benefits in general. It allows to design the registration and login process for users to be as simple as possible, and enables applications to be connected to social networks. Although OAuth and OpenID Connect are established as today’s common standards, serious attacks on them have been discovered within recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete data of arbitrary users across these applications. Due to the critical role that single sign-on fulfills in applications nowadays, it is important to understand and address pitfalls when using OAuth and OpenID Connect. However, automatic security scanners are not able to properly

0106, 2021

Press Release: Modern Desktops as a Security Hole – DeepSec Conference offers Trainings and Tests for Secure Applications

Sanna/ June 1, 2021/ Press, Training

What do a modern office application and a fancy oil pipeline have in common? A desktop that led to disaster. Graphical interfaces for operating computers go back to research in the 1960s and 1970s. At that time people thought about how computers can best support people. By the 1990s at the latest, the desktop became a battleground for market dominance. That has stayed the same, only there are additional security aspects. After all, the desktop is often the first step from an attacker to a company’s digital treasures. The annual DeepSec conference offers security experts and developers a two-day crash course on desktop security. No attack without interaction Many successful attacks on companies or infrastructure depend on cooperation with the victims. Malware is executed using tricks and only then does it compromise the system.

0510, 2020

DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha

Sanna/ October 5, 2020/ Training

The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises. The curriculum of the training consists of : Threat modelling: introduction and motivation Data Flow Diagrams STRIDE Beyond STRIDE Prioritization Mitigations Integrating threat modelling in SDLC This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners. We asked Irene and Kreshnik a few more questions about their training. Please tell us the top 5 facts about your training. Lots of hands-on exercises and group work

1009, 2020

DeepSec 2020 Training: Open Source Intelligence Gathering on Human Targets – Robert Sell

Sanna/ September 10, 2020/ Training

Robert Sell conducts a two-day training at DeepSec. In his own words: „In this workshop I provide the class with real humans (missing persons) and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.“ We asked Robert a few more questions about his training. Please tell us the top 5 facts about your training. The Intelligence Community has been involved in open source intelligence (OSINT) for more than 50 years. The value of open source information

0909, 2020

Reminder for your Training @ DeepSec 2020: Token Hijacking via PDF – Dawid Czagan

René Pfeiffer/ September 9, 2020/ Conference

PDF files are everywhere. No day goes by without someone having used a PDF document. This is why PDF files are the perfect hacking tool. They can even be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with

0309, 2020

DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On – Sven Schleier & Ryan Teoh

Sanna/ September 3, 2020/ Conference, Training

This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps. We asked Sven and Ryan a few more questions about their training. Please tell us the top 5 facts about your training. Learn a holistic methodology for testing the security of mobile apps A full Penetration Test against iOS apps can also be done on non-jailbroken devices! Learn how to bypass Anti-Frida security controls in a mobile app with Frida Focus on hands-on exercises during the training with vulnerable apps build by the trainers You just need to have a laptop (no Android or iOS devices

2007, 2020

Token Hijacking via PDF – Dawid Czagan

Sanna/ July 20, 2020/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November) Tags:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: