Sunday, June 17, 2007

Web application security training - Black Hat USA

After our success in Amsterdam, Marcus and I are taking the show on the road and will be presenting the Web Application (In)security course in Vegas in July. The course covers practical techniques for attacking web applications, from the most basic hacks through to advanced exploitation methods. It is a roughly equal mix of presentations and hands-on lab sessions. Some highlights include:

  • exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation;

  • breaking authentication and access control mechanisms;

  • reverse engineering ActiveX and Java applets to bypass client-side controls;

  • exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads;

  • exploiting LDAP and command injection; and

  • uncovering common logic flaws found in web applications.

We have a pretty large crowd already, but there is still time to register. If you are there but not on the course, let me know and we can catch up for a beer.