Blog

Showing posts with label black hat.

Tuesday, 11 March 2008

Web application security training - Black Hat Europe

Myself and Marcus (my co-author for The Web Application Hacker's Handbook) will be in Amsterdam later this month for Black Hat. As before, we'll be delivering the Web Application (In)security course. This covers practical techniques for attacking web applications, from the most basic hacks through to advanced exploitation methods. It is a roughly equal mix of presentations and hands-on lab sessions. Some highlights include:

  • exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation;

  • breaking authentication and access control mechanisms;

  • reverse engineering ActiveX and Java applets to bypass client-side controls;

  • exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads;

  • exploiting LDAP and command injection; and

  • uncovering common logic flaws found in web applications.

Class numbers have just been extended due to popular demand, so sign up quickly if you'd like to attend. If you are in Amsterdam but not on the course, let me know and we can catch up.


Thursday, 9 August 2007

Black Hat retrospective

My mind and body are now partly recovered from the madness that is Vegas, and I've pieced together as many recollections as I'm able to.

First off, the webappsec training went really well, with some great feedback from the ~70 participants, and the customary job offer made to the CTF winner. It's pretty hard work standing up and talking for four days, but I met some great people and got lots of good ideas to make the course even better next time.

Once the training and jet lag were out of the way, the partying ratcheted up a few notches, and we saw plenty of the nocturnal delights that Vegas has to offer. As well as Caesars, we spent a fair bit of time at Luxor, Venetian and other hotels.

[Image: Shadow Bar]

The WASC/OWASP party in the Shadow Bar was great, with much of the webappsec world in attendance, and an opportunity to meet people face to face whom I'd previously only corresponded with.

The Microsoft party took over the top floor of Pure, and drew a wider crowd, with seemingly half of the con getting an invitation, or maybe I was just seeing double by that point.

I also staggered into the iDefense party, and even blagged a VIP wristband, as did several others to the bemusement of some senior iDefense folks who wanted to talk about our contributions to the vulnerability programme. The Hard Rock cafe is a cool venue, although I don't think the crew of assembled geeks did it full justice.

Unsurprisingly, with all of the opportunities for imbibation, our attendance at the actual conference was patchy during the mornings. I was sorry to miss a few good talks, but I have the slides and was able to catch up with many interesting people during the evenings.

[Image: RSnake and PortSwigger]

I made it to Billy Hoffman's Ajax talk, which was entertaining as usual but didn't contain anything new for me.

I also caught Joanna's update on virtualisation-based rootkits, and her attempts to avoid detection. Like most areas of security, this is an asymmetric problem - while she is sticking her fingers in as many dykes as she can, people only need to find one hole that can't be plugged. In terms of detection of some kind of unexpected virtualisation at least, it appears that timing attacks in particular aren't going to go away any time soon.

Defcon provided some early excitement with this year's badge. J-Lo and I spent the first few minutes struggling through our hangovers figuring out how to reprogram them to make rude words appear.

[Image: Defcon badge]

The Defcon talks were a bit more offbeat, and I caught ones on malicious toasters, video games and various rants. In general, I thought the more mainstream technical talks were a bit disappointing - fairly introductory with little in terms of new ideas. There is definitely room for some easy talks for people who are unfamiliar with a particular area, but it would be good to know in advance what is "for dummies" and what is more innovative.

All in all, it was a fantastic week, but it's good to be home. Vegas messes you up, physically and mentally. I'm nearly back to normal now. It will be great to go back next year.

Tuesday, 24 July 2007

Black Hat pre-spective

With less than a week to go, Vegas is beckoning and it's time to stock up on sun screen and pain killers.

My first four days will be mainly taken up presenting the Web Application (In)security course. In a last-minute addition to the line-up, I'll be joined by minor celebrity Wade Alcorn, the king of BeEF and author of various cool techniques for inter-protocol communication and exploitation. It's going to be well-attended - more than 60 delegates have registered so far.

After four days standing up, it's likely that Tuesday won't be the smallest night of the year. Hopefully it won't run all the way into Wednesday, as I'd like to make David Byrne's talk on anti-DNS pinning, followed by Jer and RSnake updating us on intranet hacking via the browser. In the afternoon, I'll try to make the Premature Ajaxulation talk, for the name if nothing else. It clashes with Lindsay's kernel 0days, but I've had a preview of those already.

I'll certainly be near the front of the queue for the WASC/OWASP cocktail party, and then all of the other ones after that.

On Thursday morning, it would be nice to catch John's latest on rootkits, but I might settle for a beer-assisted precis later on. Billy Hoffman's take on web worms should be good, given his past form. Later on, I'll try to make Alex Sotirov's talk on heap feng shui, which I'm afraid was a hangover casualty in Amsterdam.

With so much going on, there will be a major requirement for frequent relaxation, and I'll look forward to catching up with plenty of people for beers, both at BH and Defcon afterwards.

Sunday, 17 June 2007

Web application security training - Black Hat USA

After our success in Amsterdam, Marcus and myself are taking the show on the road and will be presenting the Web Application (In)security course at Vegas in July. The course covers practical techniques for attacking web applications, from the most basic hacks through to advanced exploitation methods. It is a roughly equal mix of presentations and hands-on lab sessions. Some highlights include:

  • exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation;

  • breaking authentication and access control mechanisms;

  • reverse engineering ActiveX and Java applets to bypass client-side controls;

  • exploiting cross-site scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads;

  • exploiting LDAP and command injection; and

  • uncovering common logic flaws found in web applications.

We have a pretty large crowd already, but there is still time to register. If you are there but not on the course, let me know and we can catch up for a beer.

Monday, 19 March 2007

Black Hat Europe

I'm going to be co-presenting a training course in Amsterdam next week. Though I say it myself, the course should be pretty fun. As well as all the usual web app stuff, we're going to cover some more entertaining hacks like reversing Java applets and Flash. If you want to know how to cheat at online poker whilst you're supposed to be doing a pen test, this course is perfect for you. Anyone who happens to be there, please do come and say hello.

 

Copyright (c) 2007 PortSwigger. All rights reserved.