It was a nice one guy! ;-)
  FRHACK FRHACK
 

Home / Accueil
Conférence FRHACK

Call For Papers

Registration

Venue

Trainings

Conference

Events

Sponsors

Partners

History

Shop
     
 

FRHACK

FRHACK organizes sessions of technical trainings and workshops, with talented and highly skilled trainers.
New prices available! Save money.
NOTE: Number of seats are limited for each training, so be sure to contact us asap if you are interested!
Registration before August 10th 2009
(Registration for one training gives you 1 ticket for the conferences)
frhack@frhack.org

Trainings

FRHACK's Trainings


Web application security training

2 days - Euros 800 (+VAT) per participant
By Andres Riancho , the w3af creator.


By Andres Riancho , the w3af creator,

Training name: Discovery and exploitation of web application vulnerabilities

Overview

This training course focus is on manual and automated, discovery and exploitation of web application vulnerabilities. During this course you are going to go through a series of lectures followed by hands on practice. In each practice you will find vulnerabilities to exploit, each with a different level of complexity, which will defy your understanding of the subject. After the hands on practice, a small lecture on how the vulnerability is fixed is presented, together with common errors introduced by developers in that process.

The training will also teach you how to use the most advanced tools used by professionals in the field, like w3af (developed by the trainer), the burp suite, sqlmap and many others.

Course Structure

This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities. All course materials, and a certificate of completion will be offered. You must provide your own laptop.

About the trainer
Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS; and contributed with SAP research performed at his former employer.
His main focus has always been the Web Application Security field, in which he developed w3af a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).
Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
Deliverables

- Training booklet with printed slides and trainer comments
- Live CD with Web Application Security Tools
- VMware image with the training environment
- w3af T-Shirt ;)

Audience

Security consultants, system and network administrators, experienced web application developers, information security officers, government agencies.

Topics Covered

  • Day One

    1. HTTP protocol review
      • Web architecture
      • HTTP headers and methods
      • HTTP authentication
      • HTTPS
      • Session management: cookies

    2. Common web server misconfigurations
      • Banners
      • Directory Indexing
      • HTTP authentication
      • HTTP method restrictions

    3. Common development and configuration errors
      • HTML comments and versioning
      • File inclusions
      • Backup and local database files
      • Hidden HTML Fields
      • Path Disclosure and directory enumeration
      • Exceptions and error messages

    4. Types of analysis
      • Static code analysis, black box testing and gray box testing:
      • Definitions
      • Vulnerabilities that can be detected
      • Vulnerabilities that CAN'T be detected

    5. Web Application Vulnerabilities
      • Reverse engineering of Java applets y Flash movies
      • Local file read
      • Local file inclusions
      • Path Traversal and Null Bytes
      • Remote file inclusions
      • Cross Site Scripting (XSS)
      • Cross Site Tracing
      • Cross Site Request Forgeries / Session Riding
      • HTTP Response Splitting

  • Day Two

    1. Web Application Vulnerabilities
      • Uncommon attack vectors
      • LDAP Injection
      • OS Commanding
      • SQL Injection:
        • Enumeration of tables and columns
        • Execution of queries and stored procedures
        • Creation of files
        • Execution of OS commands
      • Blind SQL Injection

    2. Web application privilege escalation
      • Session handling
      • Logical vulnerabilities

    3. Countermeasures
      • mod_security
      • PHP hardening:
        • Secure configuration parameters
        • GRASP
        • PHP-IDS
      • Hardening for Java - HDIV



  
  IT security conference in France International IT security conference

FRHACK.ORG by JA-PSI