TT1 – Web Application (in)Security

Trainer: Marcus Pinto (Author, Web Application Hacker's Handbook)
Capacity: 25 pax
Duration: 2 days
Cost: (per pax) MYR3599 (early bird) / MYR3899 (non early-bird)


NGS performs penetration tests against some of the most high-profile sites on the internet, has published the seminal papers on SQL Injection and Oracle Application Server, and has released many advisories on web application software. This course will demonstrate the full NGS methodology for finding vulnerabilities in web applications, sharing techniques, tools, tips and tricks, and revealing the breakdown of vulnerabilities found during NGS assessments.

With much of Web Application security now common knowledge, NGS pushes this subject to its new limits, sharing the techniques which make the difference between most methodologies and a deep hack. As well as the conventional attacks covered in this field, delegates will be able to try their hand at some more unique, in-depth attacks:

• Exploiting Cross Site Scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
• Exploiting SQL Injection by bypassing filters, using second-order attacks, chaining queries and fully blind exploitation, using techniques from NGS’ papers as well as some newer ones from the NGS research labs.
• Exploiting LDAP Injection and Command Injection.
• Reverse engineering ActiveX and Java applets to bypass client controls (similar to those currently found in online games)
• See how Authentication and Authorisation are commonly broken
• View the common logic flaws found in web applications, and how these can be exploited with examples.

The course is backed up by a comprehensive manual covering vulnerabilities, hacking methodology, and corresponding security advice. NGS will provide a toolset for delegates in all of the demonstrations, and move on from labs to a final web application where delegates participate in a “capture the flag” contest.


The ideal delegate will have some familiarity with web application security, being familiar with terms such as Cross Site Scripting and SQL Injection even if they haven't had the chance to exploit these fully. This course has a heavy lab content, so familiarity with common web application tools and vulnerabilities is required for full appreciation of the course. An understanding of programming languages (especially PHP, ASP and ASP.NET) is preferred.

Course Agenda
Day 1:

Introduction to web application security

Bypassing client-side controls
– HTML/JavaScript
– Flash, Java, Silverlight

Authentication vulnerabilities
– login
– peripheral authentication mechanisms
– credential handling

Attacking session management
– Session token generation
– Session token handling

Broken access controls
– horizontal controls
– vertical controls
– insecure control methods

Day 2:

Injecting code
– SQL Injection
– LDAP Injection

Logic flaws
– 8 case studies from the author’s experience

Attacking other users
– Cross Site Scripting
– Header Injection
– On-site and Cross-site Request Forgery
– ClickJacking, Redirection, DNS Pinning and many others

Exploiting path traversal
– arbitrary file read access
– arbitrary file write access

Handling bad input and attackers
– input validation
– boundary validation rules

Web Application Scanners
– strengths
– weaknesses

Course Contents

Course Introduction
Course Abstract
Course Objectives
Course Instructors
Course Delegates
Course Domestics & Timetable

An Introduction to Web Applications
Module Abstract
Module Overview
The Advantages of a Web Application
Common Uses and Configurations
The Core Security Issue
Module Summary

Application Structure
Module Abstract
Module Overview
Sample Application Overview
Input Validation
Session Checking
Privilege Management
Auditing and Logging
Error Handling
Module Summary

Mapping the Application
Module Abstract
Module Overview
Determining Technologies in Use
Dissecting a Request
Learning the Behaviour of the Application
Content discovery
Module Summary

Bypassing Client Controls
Module Abstract
Module Overview
Bypassing HTML Controls
JavaScript and VBScript
Securing Client-Side Content
Module Summary

Authentication Vulnerabilities
Module Abstract
Module Overview
Design flaws in authentication mechanisms
Implementation flaws in authentication
Securing authentication
Module Summary

Vulnerable Session Management
Module Abstract
Module Overview
Background to session management
Weaknesses in session token generation
Weaknesses in session token handling
Securing session management
Module Summary

Broken Access Controls
Module Abstract
Module Overview
Common vulnerabilities
Attacking access controls
Securing access controls
Module Summary

Vulnerabilities – Injection
Module Abstract
Module Overview
Interpreted Languages
SQL Injection
LDAP Injection
Command Injection
XML Injection
Module Summary

Vulnerabilities – Logic Flaws
Module Abstract
Module Overview
Forced Browsing
Case Study 1: Registration Bug
Case Study 2: AOL Password Handling
Case Study 3: Multi-Stage Login
Case Study 4: The Memorable Word Bypass
Case Study 5: Text Searches
Case Study 6: Race Condition During Authentication
Beating a Business Limit
Module Summary

Path Traversal
Module Abstract
Module Overview
Common vulnerabilities
Detecting and exploiting path traversal vulnerabilities
Avoiding path traversal vulnerabilities
Module Summary

Information Disclosure
Module Abstract
Module Overview
Common vulnerabilities
Preventing information leakage
Google Hacking
Module Summary

Attacking Other Users
Module Abstract
Module Overview
Cross-Site Scripting
Redirection attacks
HTTP header injection
Frame injection
Cross-site request forgery (XSRF)
Session fixation
Attacking ActiveX controls
Advanced exploitation techniques
Module Summary

Classic Vulnerabilities
Module Abstract
Module Overview
Classic vulnerabilities in web applications
Buffer overflows
Integer vulnerabilities
Format String Bugs
Module Summary

Flaws in Web Application Architecture
Module Abstract
Module Overview
The Tiered Architecture
Shared Hosting Environments
Application Service Providers (ASPs)
Third Party Systems
Module Summary

Web Server Flaws
Module Abstract
Module Overview
Web Server Vulnerabilities
Oracle Application Server
Module Summary

A Web Application Assessment Toolkit
Module Abstract
Module Overview
Web Browsers
Site Spiders
Vulnerability Scanners
Local Proxies
Brute Forcing Tools
Custom Toolkits
Programming for Pentesters
Module Summary

Brute Forcing Techniques
Module Abstract
Module Overview
Targets for Brute Forcing
Performing a brute force attack
Module Summary

Security Devices
Module Abstract
Module Overview
Intrusion Detection
Application Firewalls
Module Summary

Identifying Vulnerabilities in Source Code
Module Abstract
Module Overview
Approaches to code review
Signatures of common vulnerabilities
Module Summary

About the trainer
Marcus Pinto

Marcus Pinto is a Principal Security Consultant at Next Generation Security Software. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures. Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial services industry.

Marcus has developed and presented database and web application training courses at the Black Hat and other security conferences around the world, and has been an advisor for the British Ministry of Defense and on other industry bodies. Marcus is the author of the “Web Application Hacker’s Handbook” [Wiley], which covers all of the subjects presented here in depth from the perspectives of both theory and practice.