Customizable Inhouse Trainings
Several times a year I enjoy conducting inhouse training courses on topics like web application security (focussing on Java) as well as penetration testing and SecurityDevOps. Aside from the one-day workshops, all trainings include lots of instructor-led exercises (over 75 percent of the time) based on demo applications written specifically for the trainings. Each training includes a digital handout (PDF) of the course contents full of information for the attendees.
Just send me a mail in case you wish to receive more detailed course information. Depending on the audience, the courses will be held in English or German. The contents of the workshops can be customized to suit your individual needs and system environments as well as your software development process model.
Live Hacking & Awareness
This workshop focuses more on the offensive part of application security by demonstrating live hacking against demo applications written specifically for this workshop. Attack scenarios targeting modern web applications are used and optionally enhanced by mobile, wireless and USB attacks. All presented attacks will be fully exploited. Server- and client-side defense strategies are presented and discussed.
Topics covered include:
- Attack scenarios in modern web applications
- Browser protection attempts like same origin policy (SOP) etc. and how attackers try to circumvent them
- Live hacking and full exploitation against the workshop's demo web application using common attack vectors:
  - SQL-Injection including blind SQL-Injection
  - Cross-Site Scripting (XSS): stored, reflected and DOM-based
  - Cross-Site Request Forgery (CSRF)
  - Authentication Bypasses and Privilege Escalations
  - Session Fixation
  - Path Traversal including ClassPath Traversal attacks
  - Remote Code Executions (RCE) like Command Injections, Backdoor Uploads, Local or Remote File Inclusions, etc.
  - XML attacks like XML eXternal Entities (XXE) and XPath Injection
  - Typical Information Disclosures
  - Header Injection and Open Redirects
  - JSON Hijacking
  - Forceful Browsing and Parameter Tampering
  - Server-Side Request Forgery (SSRF)
  - ...
- WebService (SOAP and REST) based attacks
- HTML5 attacks and security considerations for WebSockets, Local Storage, etc.
- Other type of backend injections like LDAP Injection
- Defence strategies (server & client)
Due to the limited time (1 day) in this training, it does not include hands-on exercises. All live hacks are presented against the custom-written demo application. The course also covers the offensive side of real-world exploitation of the security holes in order to fully understand their individual impact on a complete software system, like stealthy session stealing, user impersonation, sensitive data exfiltration, remote filesystem access, reverse attacker shells, server takeover, etc.
The exploitation tools I will present in attacks against my demo setup include Metasploit, BeEF, sqlmap and SET (Social Engineering Toolkit) to fully demonstrate browser and server takeover and their potential post-exploitation threats. Optionally the demonstration can be extended to include mobile and wireless hacking techniques as well as USB-stick-based attacks to showcase how easy it is for attackers to penetrate the corporate perimeter: with the rise of BYOD in corporate setups, attackers have new ways to infiltrate companies and attack them from within.
The main intention behind this course is to raise awareness of the security problems and to start a discussion about impacts and defense strategies. Expect this to be an eye-opener for developers as well as project managers. I also had the chance to present a special extract of it as a public session at the Security Day of the JAX 2014 conference in Mainz as well as the WebTechCon 2014 and WJAX 2014 conferences in Munich.