| |
Accueil / Home (EN)
Conférences
Formations
Inscription
Venir
Evénements
Sponsors
Partenaires
Histoire
Boutique
|
| |
|
|
| |
Formations FRHACK
Formations en sécurité informatique
ATTENTION: Le nombre de places disponibles étant limité, veuillez nous contacter au plus tôt.
Nouveaux tarifs disponibles!
Inscription avant le 15 Août 2009 (pensez à réserver votre hôtel au plus tôt)
frhack@frhack.org
Le prix des formations inclu une entrée pour les conférences
NB: Ces formations sont valides pour le DIF ou imputable sur le budget formation.
Numéro de déclaration d'activité de formation: 43250224925
JA-PSI
9 b Rue Stéphane Mallarmé
25000 BESANCON
Tel: +33 (0)950 654 586
Mail: contact@ja-psi.fr
Formations FRHACK
2 jours - 800 Euros HT par participant
Formateur: Jérôme ATHIAS, JA-PSI
2 jours - 800 Euros HT par participant
Formateur: Andres Riancho, le créateur de W3AF
Par Andres Riancho
Discovery and exploitation of web application vulnerabilities
=============================================================
Overview
========
This training course focus is on manual and automated, discovery and exploitation of web application vulnerabilities. During this course you are going to go through a series of lectures followed by hands on practice. In each practice you will find vulnerabilities to exploit, each with a different level of complexity, which will defy your understanding of the subject. After the hands on practice, a small lecture on how the vulnerability is fixed is presented, together with common errors introduced by developers in that process.
The training will also teach you how to use the most advanced tools used by professionals in the field, like w3af (developed by the trainer), the burp suite, sqlmap and many others.
Course Structure
================
This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities. All course materials, and a certificate of completion will be offered. You must provide your own laptop.
Audience
========
Security consultants, system and network administrators, experienced web application developers, information security officers, government agencies.
Topics Covered
==============
Day One
=======
1. HTTP protocol review
- Web architecture
- HTTP headers and methods
- HTTP authentication
- HTTPS
- Session management: cookies
2. Common web server misconfigurations
- Banners
- Directory Indexing
- HTTP authentication
- HTTP method restrictions
4. Common development and configuration errors
- HTML comments and versioning
- File inclusions
- Backup and local database files
- Hidden HTML Fields
- Path Disclosure and directory enumeration
- Exceptions and error messages
5. Types of analysis
- Static code analysis, black box testing and gray box testing:
- Definitions
- Vulnerabilities that can be detected
- Vulnerabilities that CAN'T be detected
6. Web Application Vulnerabilities
- Reverse engineering of Java applets y Flash movies
- Local file read
- Local file inclusions
- Path Traversal and Null Bytes
- Remote file inclusions
- Cross Site Scripting (XSS)
- Cross Site Tracing
- Cross Site Request Forgeries / Session Riding
- HTTP Response Splitting
Day Two
=======
7. Web Application Vulnerabilities
- Uncommon attack vectors
- LDAP Injection
- OS Commanding
- SQL Injection:
- Enumeration of tables and columns
- Execution of queries and stored procedures
- Creation of files
- Execution of OS commands
- Blind SQL Injection
8. Web application privilege escalation
- Session handling
- Logical vulnerabilities
9. Countermeasures
- mod_security
- PHP hardening:
- Secure configuration parameters
- GRASP
- Hardening for Java - HDIV
|
|
|
