Workshop: Web Hacking – Attacks, Exploits and Defence

René Pfeiffer/ September 23, 2011/ Conference

In 2011 we have seen a lot of articles about "cyber" attacks in the media. Judging from the media echo it looks as if a lot of servers were suddenly compromised and exploited for intruding into networks. While attacks usually take advantage of weaknesses in software, servers do not develop vulnerabilities overnight. Most are on board by design, by accident or by a series of mistakes. The first line of defence is web applications. Every modern company has a web site or uses web portals. Attackers know this and look for suitable attack vectors. If you want to improve your security, you have to start right at this first line. This is why we recommend the workshop Web Hacking – Attacks, Exploits and Defence by Shreeraj Shah & Vimal Patel of Blueinfy Solutions.

As soon as you put web applications online, no matter if you develop in-house, adapt existing software or completely rely on off-the-shelf code, your job of securing this application and everything connected to it gets difficult. The Web consists of a very rich environment of data formats and code (in terms of many programming languages and frameworks). It's not just HTML or plain text any more. Every web application has its own profile and its own weak points that attackers can probe for exploits. This is why a "one size fits all" (web) firewall won't get you far. You need to understand what's going on, what the HTTP requests and replies look like, what data is transferred, how the data is processed and which data can be abused by attackers. This is especially true for mashups that access many different sources of data and roll them into a seemingly single web document. Even if your API and the servers behind it behave well, what about the twenty others? Better find out before the black hats do.

The training features an introduction to new technologies like Ajax, Rich Internet Applications (RIA) and web services, whose adoption has changed the dimension of web hacking and security. We are witnessing new ways of hacking and exploiting web-based applications, and this requires a better understanding of these technologies in order to perform penetration testing and assessment of web security. The course is designed by the author of "Web Hacking: Attacks and Defence", "Hacking Web Services" and "Web 2.0 Security – Defending Ajax, RIA and SOA", who brings his experience in application security and research into the curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is an extensively hands-on class with real-life challenges and lab exercises. Participants will be methodically exposed to various attack vectors and exploits.

You will learn everything you need for penetration testing, quality assurance or auditing of web applications. The course includes practical exercises. All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. Each class module ends with a challenge exercise: working within a limited time period, participants are expected to analyse, scan and pen-test the applications, identify loopholes and exploit the vulnerabilities present in them, on the basis of the concepts they have learnt.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.