
THERE WILL ONLY BE A MAXIMUM OF 1010 SEATS SOLD - BE SURE TO REGISTER EARLY!!!

For up to the minute updates on HITB2012KUL, please follow our @hitbsecconf Twitter stream or join our Facebook Group

TECH TRAINING 3 – ADVANCED WEB HACKING – WEB 2.0, HTML5 AND WEB SERVICES DEFENSE

TRAINER: Shreeraj Shah (Founder/Director, Blueinfy) and Vimal Patel (Founder/Director, Blueinfy)

CAPACITY: 20 pax

SEATS LEFT: REGISTRATION CLOSED

DURATION: 2 days (8th & 9th October 2012)

COST (per pax): MYR3999 (early bird) / MYR4999 (non early-bird)

OVERVIEW

The introduction and adoption of new technologies like Ajax, RIA, HTML5 and Web Services has changed the dimensions of web and mobile application hacking. Several new hacking techniques are evolving, and hacking is migrating into these new dimensions. Exploiting the browser/mobile stack and server-side injections are becoming common across applications. Cloud and mobile are adding new attack surface to the application layer. It is imperative to learn these advanced attack vectors and their countermeasures.

The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum to address these new challenges. Advanced Application Hacking is a hands-on class taught with the right tools. The class features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to a wide range of attack vectors and exploits. The following broad areas will be covered across the sessions, together with hands-on work and tools.

ADVANCED APPLICATION ARCHITECTURE AND THREATS

  • Application Architecture and Threats in era of HTML5/Web 2.0

  • Application Attack Surface and Scenarios

  • Technology trends and Threats in web and Mobile space

  • Web Protocols and Structures (JSON, XML, AMF, WCF, RPC etc.)

  • Ajax and RIA Components and understanding

  • Web 2.0/HTML5 Applications and Components

  • Understanding of HTML5, RIA and Silverlight Applications

  • Attack trends and threat models from HTML5 and Mobile perspective

ASSESSMENT AND HACKING METHODOLOGIES

  • Application Assessment methodologies

  • Blackbox Vs. Whitebox – Picking the right one

  • Threat Modeling for Applications – HTML5/Mobile

  • Application Footprinting, Discoveries and Profiling with respect to new threats and architecture

INJECTION AND FUZZING STREAMS (ZERO KNOWLEDGE)

  • Injections and Fuzzing with Web and AMF streams

  • SQL injection over XML and JSON

  • Blind SQL injections with Web Components

  • Detecting Injections and Tools

  • XML and XPATH injections

  • JavaScript and Command Injections

  • LDAP injection

  • AMF/WCF injections

  • Fuzzing and server side stream injections

  • Business logic flaws

  • Exploiting Injection points and tools

CLIENT SIDE HACKING

  • XSS and DOM based hacking

  • HTML 5 injections and script executions

  • CSRF and SOP bypass

  • ClickJacking

  • Mashup and Widget Hacking

  • RSS and Client side data poisoning

  • DOM based open redirects and forwards

  • Securing browser and client side components

  • CORS bypass

  • COR Jacking

  • DOM Hijacking

  • Web Messaging & Workers hacks

  • Geo-Location, Drag-Drop and API vectors

REVERSE ENGINEERING AND STATIC ANALYTICS

  • Analyzing Application code

  • Debugging JavaScript for vulnerabilities

  • Logic bypass and vulnerabilities

  • Reverse engineering Flash/Flex

  • Analyzing Silverlight driven applications

  • Dissecting HTML 5 applications

  • Mobile application and Web view engineering

WEB SERVICES, SOA AND CLOUD HACKING

  • Cloud based application and architecture

  • Hacking SaaS

  • Open API abusing

  • Web Services Scanning and Assessment

  • Attacking Web Services and SOAP

  • XML and SOAP poisoning and Vulnerabilities

  • Filtering Web 2.0 traffic for security

  • REST based hacks

MOBILE LAYER APPLICATION HACKS AND ATTACKS

  • Mobile interfaces and stack

  • Application architecture and business access

  • Android hacking and security

  • iPAD and iPhone hacks and attacks

  • Mobile security and countermeasures

HANDS-ON AND CHALLENGES

  • Challenges for SQL Injection and XSS – Advanced Attack Vectors

  • Hacking web store application

  • Hacking Trading Application

  • Exploiting and Securing Applications

  • Tools – Proxies, Tracers, Debuggers, Fuzzers etc.

WHAT TO BRING / HARDWARE REQUIREMENTS

To participate in the hands-on exercises you will need to bring a Windows-based laptop.

  • OS: XP, Vista or Server family

  • Please install .NET framework

  • 1 GB RAM

  • All other tools will be provided

  • Laptop should be wi-fi enabled

Note: All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.

ABOUT THE TRAINERS

Shreeraj Shah (Founder/Director, Blueinfy)

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was a founder and board member at Net Square. He has also worked in the security space with Foundstone (McAfee), Chase Manhattan Bank and IBM. He is the author of popular books including Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on Securityfocus, InformIT, DevX, O’reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.

Vimal Patel (Founder/Director, Blueinfy)

Vimal Patel is a founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy. Prior to founding Blueinfy, he held the position of Vice President at Citigroup, where he led the architecture, design and development of various financial applications. Vimal holds a Master's degree in Computer Science. He has over a decade of experience and expertise in many technologies, ranging from the design of complex digital circuits and microcontroller-based products to enterprise applications.


Copyright © 2012 Hack In The Box | http://www.hackinthebox.org