Follow Us
Akash Mahajan and
Riyaz Walikar
Xtreme Web Hacking
Trainer Name : Akash Mahajan
Title : Xtreme Web Hacking
Duration : One Day
Date : 28th February 2013
Trainer Name : Riyaz Walikar
Title : Xtreme Web Hacking
Duration : One Day
Date : 28th February
Objective
The objective of this training is to provide an in-depth approach to Web Application hacking and is meant to create an environment for participants to create, test and verify exploits for various web application vulnerabilities in multiple simulated application settings. This course is meant for people who have a basic web programming background and are keen to get started on hacking, testing, defending and building web applications.
The training is meant to be fast paced, intensive and result oriented mixture of a lot of practical hands-on and a little bit of theory thrown in for good measure.
The training will focus on hacking three distinct parts of any web application:
- Web Server Security / Infrastructure Security
- Web Application Security / Code Security
- Web Data Security / Database Security
Course Content
- Web Application Security Basics
- Web Application Infrastructure Design Fundamentals
- Hacking and Protecting Web Application Servers
- Infrastructure Security 101
- Web Server common misconfigurations
- Port scanning, service discovery
- Vulnerability Assessment, reducing the attack surface
- Auditing users, file permissions
- Sandboxing, securing processes from running wild
- Application Security
- OWASP Top 10
- Clickjacking and UI Redressing
- HTTP Parameter Pollution & HTTP Response Splitting
- Side Channel Attacks in SSL
- Attacking User Data
- Common Database mis-configurations
- Secure hashing and encryption
- Rainbow tables
What will you get?
The following items will be provided to each participant, which will aid in excelling at the course and will allow them to continue learning beyond the classroom environment:
- Custom scripts, web shells and documents for further reading
- Customized Virtual Machine to run vulnerable web applications for training and testing
- A complete web application with OWASP TOP 10 vulnerabilities with documentation will be provided.
- 3. Full course content slides and cheat sheets.
Who should attend?
- Web Application Developers
- Web Application Security Consultants
- Penetration Testers
- QA Professionals
- System Administrators with basic scripting knowledge
Why attend?
You should attend if you want to learn :
- How to test for and compromise web servers
- How to detect vulnerabilities and compromise web applications
- How hackers steal user data for profit
- All of the above to create, maintain, secure web servers and web applications
Prerequisites
- Basic knowledge of HTTP.
- Understand terms like GET, POST, HEAD
- Understand what is a cookie, interception proxy, web server document root, port number
- Basic knowledge of at least in PHP/.net/JSP/Java Servlets
- Basic comfort level in using the command line on Windows and Linux
- Basic idea of SQL and working knowledge of databases like MySQL and MSSQL
What to bring
- Bring your own Laptop
- The laptop should have 20 GB of HDD space free
- The laptop should have a working wireless connection
- Install Windows/Linux capable of running VirtualBox/VMware as Host OS
What to expect
- Fundamental understanding of what is web application security and how web servers and websites get hacked
- The idea of the training is to teach you offensive techniques which will then allow you to secure and defend web servers and web applications
What not to expect
- This not a demo/pitch/how-to for using your favourite tool. Therefore don’t expect us to do walkthroughs of such tools
- The trainers are practicing consultants and work on a lot of web assessments using a multitude of tools mostly open source or reasonably priced. We will not be covering any of the expensive scanner tools available in the market
- Post-exploitation techniques will not be covered
- To become hacker in a day
About Akash Mahajan
Akash is “That Web Application Security Guy”. A Certified Ethical Hacker with more than 8 years of experience in Application and Network Security. Before becoming an expert security consultant he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.
Along with his day job Akash is heavily involved in the wider global security community, ranging from his work with OWASP, to being one of the founders of null The Open Security Group, India’s foremost non-profit computer security organisations. He used to be actively involved with the Bangalore Barcamp Planners group, has done events like AppJam and MobileCamps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation a Section 25 Non-Profit company.
Akash is currently one of the two OWASP chapter leads for Bangalore and the Community Manager for null at India level.
When not working or advising you’ll find Akash speaking at industry conferences on all things computer security related.
About Riyaz Walikar
For food, shelter and fun, Riyaz is employed as a Senior Engineer at the world's largest auditing firm with the Core Security Group. He is a Certified Ethical Hacker (CEH) and has been active in the security community for the better part of the last 6 years. He has been an active member of the null Security Community for the last 3 years and is the moderator for the Bangalore Chapter.
He is actively involved with Vulnerability Research in popular Web Applications and Network aware services and has disclosed several security issues in popular software and websites over the over the past few years. He is on the Hall of Fame of Twitter and Facebook for disclosing security vulnerabilities that would have compromised user data and server integrity. He has also delivered trainings and seminars on Web Application Security and Hacking in general at several conferences and events.
His interests lie in breaking web applications, playing CTF events, malware analysis, reading, sleeping, fishing and writing code.