Friday, July 11, 2008

Web application security training - Black Hat USA

Well, it's almost time for the mind- and liver-expanding experience that is Black Hat in Las Vegas. As usual, Marcus and I will be presenting the Web Application (In)security course. The course covers practical techniques for attacking web applications, from the most basic hacks through to advanced exploitation methods. It broadly covers the same subject matter as The Web Application Hacker's Handbook, with a large hands-on practical element.

This year's course brings some significant enhancements to the course labs, with more than 300 brand new exercises, containing virtually every vulnerability that has ever been found in web applications. Even the most capable hackers will be challenged and find plenty to take away. We're very excited about the new labs, and we hope that participants will enjoy them too.

Some highlights of the course content include:

  • exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation;

  • breaking authentication and access control mechanisms;

  • reverse engineering Java, Flash and Silverlight to bypass client-side controls;

  • exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads;

  • exploiting LDAP, XPath and command injection; and

  • uncovering common logic flaws found in web applications.

We just filled our initial allocation of seats for the weekday course, and have added a few more, so make your reservation soon if you want to attend. If you are there but not on the course, let me know and we can catch up for a beer.