Attacking and Defending Web Applications: Hands-On

Winter Working Connections, Dec. 12-14, 2016

Sam Bowne

Textbook: "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition", by Dafydd Stuttard and Marcus Pinto; ISBN-10: 1118026470
Workshop Description

In this workshop, participants will perform attacks on Web applications, including command injection, ImageMagick exploitation, SQL injection, Cross-Site Request Forgery, Cross-Site Scripting, and basic and advanced cookie manipulations. They will also configure defenses to stop these attacks. We will use Burp, Zed Attack Proxy, Tripwire, Snort, DNSCrypt, and CrypTool 2.

Prerequisites: participants should know security and networking at the Security+ and Network+ level. Previous experience with Linux, Web development, and hacking is helpful but not necessary. Students must have a computer with a Web browser and Java. To do the optional Tripwire project, students need a Kali or Ubuntu Linux virtual machine. You can download one here: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

All project instructions and lecture materials are freely available online for use in other classes.

Learning Outcomes

After completing this workshop, participants will be able to:
Schedule

| Date | Lectures | Projects |
|---|---|---|
| Mon 12-12, 8:30 - 5:00 | Ch 1: Web Application (In)security; Ch 2: Core Defense Mechanisms; Ch 3: Web Application Technologies | Project 1: Command Injection; Project 2: SQL Injection; Project 3: Intro to Burp; Project 1x: Command Injection Challenges; Project 2x: SQL Injection Challenges |
| Tue 12-13, 8:30 - 5:00 | Ch 4: Mapping the Application; Ch 5: Bypassing Client-Side Controls; Ch 6: Attacking Authentication | Project 4: Zed Attack Proxy; Project 5: Mapping an Application with Burp; Project 7: Using Tripwire for Intrusion Detection; Project 8: Defeating Client-Side Validation with Burp; Project 3x: DNSCrypt on Windows; Project 4x: Encrypting Text in ECB and CBC Modes |
| Wed 12-14, 8:30 - 12:00 | Ch 7: Attacking Session Management | Project 9: reCAPTCHA; Project 10: Exploiting ECB-Encrypted Tokens with Burp; Project 5x: Exploiting ECB Encryption |