0707, 2020

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

0205, 2020

First DeepSec 2020 Trainings confirmed

René Pfeiffer/ May 2, 2020/ Conference

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site. Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation – Dawid Czagan (Silesia Security Lab) Open Hardware Hacking – Paula de la Hoz Garrido (Telefónica Security Engineering) Defending Industrial Control Systems – Tobias Zillner & Thomas Brandstetter (Limes Security) Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A

2511, 2019

DeepSec 2019 Press Release: High-quality Randomness protects Companies

Sanna/ November 25, 2019/ Conference, Training

The ‘bugs’ of the’ 90s are still alive – hidden in IoT devices, integrated systems and industrial controls. Modern information security can’t manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It’s about cryptography, which is constantly used in everyday life. It uses elements that build on high-quality random numbers to protect information from attacks. This year’s DeepSec Security Conference addresses key aspects of product implementation – data protection during transport and storage. Protecting the Digital Transformation Whether “intelligent” bulbs and illuminants, heating or building controls, tv-sets, industrial plants or entire production lines – the digital transformation covers all areas of our lives and leads to changes. On the one hand, digitization opens up opportunities such as the optimization of processes, the more efficient use of

2011, 2019

DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Sanna/ November 20, 2019/ Conference

Defences focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even you people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training

2610, 2019

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

Sanna/ October 26, 2019/ Training

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds. We

2510, 2019

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

Sanna/ October 25, 2019/ Training

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)]. We will cover the basics to help you understand what are the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them. The training will end with an afternoon dedicated to a challenging hands-on exercise: The first [Capture The Flag] CTF in which you capture

2410, 2019

DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes

Sanna/ October 24, 2019/ Training

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training. Their goal is to introduce tools(Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing. Agenda Two days based mainly on practical exercises: – Day 1: Android Hacking – Day 2: iOS Hacking Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide): – Review the codebase of a mobile app (aka static analysis) – Run the app on

1909, 2019

DeepSec 2019 Training: IoT/Embedded Development – Attack and Defense Lior Yaari

Sanna/ September 19, 2019/ Training

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they’ve accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers. In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, – physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even

1809, 2019

DeepSec 2019 Training: Analysing Intrusions with Suricata – Peter Manev & Eric Leblond

Sanna/ September 18, 2019/ Security, Training

Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to day as well as to identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce the course’s concepts while utilizing the latest Suricata features. Come and see what you’ve been missing in your network and unlock the full potential of network security, detection, and response with Threat Hunting with Suricata at the DeepSec 2019 training. In this course, students will learn through a combination of lecture and approximately 15

2608, 2019

DeepSec Training: Black Belt Pentesting / Bug Hunting Secrets you’ve always wanted to know

René Pfeiffer/ August 26, 2019/ Conference, Security, Training

The Web and its technologies have become the perfect frontier for security experts for finding bugs and getting a foothold when doing penetration tests. Everything has a web server these days. And everything web server will happily talk to web clients. The components involved are more than just simple HTML and JavaScript. The developer notion of doing things full stack requires security experts to do the same. This is where our DeepSec 2019 training session Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan comes into play. Dawid Czagan will show you how modern applications work, how they interact, and how you can analyse their inner workings. He will enable you to efficiently test applications, find bugs, and compile the set of information needed to fix the

1908, 2019

DeepSec Training: Black Belt Pentesting / Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ August 19, 2019/ Conference, Training

Web applications are gateways for users and attackers alike. Web technology is used to grant access to information, public and sensitive alike. The latest example is the Biostar 2 software, a web-based biometric security smart lock platform application. During a security test the auditors were able to access over 1 million fingerprint records, as well as facial recognition information. How can you defend against leaks like this? Well, you have to understand all layers of the application stack. Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say no to classic web application hacking. Join the training session at DeepSec 2019 and take advantage of Dawid Czagan’s unique hands-on exercises and become

1107, 2019

Training Teaser: Black Belt Pentesting a.k.a. Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ July 11, 2019/ Conference, Training

Modern web applications consist of far more components than HTML content and a few scripts. In turn properly attacking web applications requires a diverse set of skills. You need to know how the back-end and the front-end works. This includes all of the scripting languages, data storage technologies, user interface peculiarities, frameworks, hosting technologies, and many more layers. DeepSec 2019 will feature a full-stack web exploitation dojo enabling you to understand the security of web applications, how to break them, and how to protect them. The training will be hosted by Dawid Czagan, expert in the field. He will guide you through every technology and attack method relevant to information security of web applications such as: REST API hacking AngularJS-based application hacking DOM-based exploitation Bypassing Content Security Policy (CSP) Server-side request forgery Browser-dependent exploitation

0204, 2019

Ongoing DeepSec Call for Workshops – Trainers welcome!

René Pfeiffer/ April 2, 2019/ Call for Papers, Training

The Call for Workshops for the DeepSec conference in November 2019 is still open. If you have something to teach, let us know as soon as possible! We intend to inform potential trainees in the beginning of May about their options. This allows for a better planning and preparation, because we receive early requests for workshop content every year. So if you have something to teach, please let us know! You don’t need to use the Call for Papers manager in case you have content ready in a different format or just want to send us teaser materials. Topics we are looking for include (applied) cryptography, secure software development & design, helpful in-depth hints for penetration testers, sensible guides for combining machine learning/artificial intelligence with information security, in-depth network knowledge, threat hunting, and strategic

1911, 2018

Special Offer for “Mastering Web Attacks with Full-Stack Exploitation” Training – get 3 for the Price of 1

René Pfeiffer/ November 19, 2018/ Conference

The DeepSec training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan has some seats left. Dawid has agreed to give away free access to two of his online courses for everyone booking tickets until Wednesday, 21 November 2018 (2359 CET). This gives you a perfect preparation for penetration testing, software development, and an edge for any bug bounty programmes out there. You can get a glimpse of the online trainings, well, online of course. Every penetration test and every attempt to defend your own assets can’t do without knowledge of web technologies. Since the Web has evolved from being simple HTML content, you absolutely have to know about all layers modern web applications use. The training will give you the means to understand what’s going on, to find bugs, and

0911, 2018

Last Call for your Web Application Security Training – Break all teh Web and enjoy it!

René Pfeiffer/ November 9, 2018/ Conference, Security

The Internet is full of web applications. Sysadmins used to joke that HTTP is short for Hypertext Tunnelling Protocol, because anything but web content is transported via HTTP these days. It’s the best way to break out of restricted environment, too. So the chances are good that you will need the skills for dealing with all kinds web. Fortunately our training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation conducted by Dawid Czagan has a few seats left. Don’t get distracted by the title. Focus on the phrase full-stack exploitation. It’s not just about sending HTTP requests and seeing what the application does. It’s all about using the full spectrum of components and technologies used for modern web applications. The training is not only suited for information security researchers. The course addresses REST

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: