

TECH TRAINING 1 - Web Application Security – Advanced Attacks and Defense

Filed under: Main Page — Administrator @ 7:45 pm

Title: Web Application Security – Advanced Attacks and Defense
Trainer: Shreeraj Shah (Director, BlueInfy)
Capacity: 20 pax
Seats left: 2
Duration: 2 days
Cost: (per pax) USD1499 (early bird) / USD1799 (non early-bird)


Content:

The introduction and adoption of new technologies such as Ajax, Rich Internet Applications and Web Services has changed the dimensions of application hacking. We are witnessing new ways of attacking web-based applications, and securing them requires a better understanding of these technologies. The only constant in this space is change. In this dynamically changing Web 2.0 landscape, it is important to understand the threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving, and many client-side attack vectors are on the rise: Ajax-based XSS, CSRF, widget injection, RSS exploits, mashup manipulation and exploitation of client-side logic. At the same time, new attack vectors are evolving around SOA, targeting SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and the corresponding defense strategies.

The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum to address these new challenges. Application Hacking 2.0 is a hands-on class. It features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants are methodically exposed to a range of attack vectors and exploits. In class the instructor will explain new tools such as wsScanner, scanweb2.0, AppMap and AppCodeScan for better pen-testing and application audits.

Course outline

• Application security fundamentals: Application evolution, Web 2.0 framework, Layered threats, Threat models, Attack vectors and Hacker’s perspective.

• Application infrastructure overview: Protocols (HTTP/SSL), SOAP, XML-RPC, REST, Tools for analysis, Server layers and Browsers with plugins.

• Application Architecture: Overview of .NET and J2EE application frameworks, Web 2.0 application architecture, Widgets framework, Application layers and components, Resources and interactions, other languages.

• Advanced Web Technologies: Ajax, Rich Internet Applications (RIA) and Web Services.

• Application attack vectors in detail: SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path traversal, Session hijacking, LDAP/XPATH/Command injection, Buffer overflow, Input validation bypassing, Database hacks and Blind SQL injection.

• Advanced Attacks: Ajax based XSS, CSRF with Web Services, Decompiling Flash and RIA apps, WSDL scanning, XML poisoning, SQL injections through XML, External Entity attacks, Widget exploitation, RSS injections, Cross Domain bypass, and many more.

• Application methodologies: Blackbox/Whitebox approaches, tools, techniques and little tricks.

• Advanced application footprinting and discovery: Leveraging search engines, Cross domain mashup discovery and Web 2.0 application domain enumeration.

• Fingerprinting: Web and Application server, Ajax framework, Flash based application and technology fingerprinting.

• Advanced browser based attacks: XSS proxy and browser hijacking, Intranet scanning, JavaScript manipulation and DOM injections.

• Web Fuzzing: Fuzzing XML, JSON, RPCs etc. for vulnerability detection.

• Scanning Web Services: Footprinting, discovery, scanning and attacking XML-RPC, SOAP and REST based applications.

• Scanning for vulnerabilities through source: Function and method signature mapping, entry point identification, data access layer calls, tracing variables and functions.

• Applying validations: Input validation, Output validation, Data access filtering, and Authentication validation.

• Web Application Firewall: Advanced content filtering by tools and techniques.



About the trainer

Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He has performed numerous security consulting assignments in the areas of penetration testing, code review, web application assessment and security architecture review.

He is also the author of popular books such as Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O’Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.



Event Organizer


Hack In The Box (M) Sdn. Bhd.

Event Partner


SCANIT ME LLC


OGER SYSTEMS

Supported & Endorsed By


UAE Telecommunications Regulatory Authority (TRA)


Malaysian Communications and Multimedia Commission (MCMC)


Malaysian Administrative Modernisation & Management Planning Unit

Platinum Sponsors

Titanium Sponsor (Post Conference Reception)


ArgenISS

Gold Sponsors


Google


Microsoft Corporation

Official Media Partner (Magazine)


Network Middle East


Arabian Computer News


ITP Business

Official Airline Partner


Emirates Airlines

Our Speakers are Supported By


Bellua Asia Pacific

Supporting Media:

Virus Bulletin (VB)

InfoSec News (ISN)

XAKEP (Russia)

Insecure Magazine

PHRACK Magazine

Hakin9 Magazine

Supporting Organizations



CONFidence


ISECOM - Institute for Security and Open Methodologies


ISACA Malaysia


IT Underground


X-Focus China

Zone-H Defacement Mirror


Xatrix Security


Special Interest Group in Security & Information InteGrity Singapore


Syscan