London 2012

London, United Kingdom | Mon Nov 26, 2012 - Mon Dec 3, 2012

SEC642: Advanced Web App Penetration Testing and Ethical Hacking

This course is designed to teach you the advanced skills and techniques required to test web applications today. This advanced pen testing course uses a combination of lecture, real-world experiences, and hands-on exercises to educate you in the techniques used to test the security of enterprise applications. The final day of the course culminates in a Capture the Flag event, which tests the knowledge you will have acquired over the previous five days.

We will begin by exploring specific techniques and attacks to which applications are vulnerable. These techniques and attacks use advanced ideas and skills to exploit the system despite the various controls and protections in place. This learning will be accomplished through lectures and exercises using real-world applications.

We will then explore encryption as it relates to web applications. You will learn how encryption works as well as techniques to identify the type of encryption in use within the application. Additionally, you will learn methods for exploiting or abusing this encryption, again through lecture and labs.

The next day of class will focus on how to identify web application firewalls, filtering, and other protection techniques. You will then learn methods to bypass these controls in order to exploit the system. You'll also gain skills in exploiting the control itself to further the evaluation of the security within the application.

Following these general exploits, you will learn techniques that target specific enterprise applications. You will attack systems such as content management and ticketing systems. We will explore the risks and flaws found within these systems and how to better exploit them. This part of the course will also include web services and mobile applications due to their prevalence within modern organizations.

This information-packed advanced pen testing course will wrap up with a full-day Capture the Flag (CtF) event. This CtF will target an imaginary organization's web applications and will include both Internet and intranet applications built on various technologies. This event is designed to allow you to put the pieces together from the previous five days, reinforcing the information and learning you will have gained.

The SANS promise is that you will be able to use these ideas immediately upon returning to the office in order to better perform penetration tests of your web applications and related infrastructure. This course will enhance your exploitation and defense skill sets as well as fulfill a need to teach more advanced techniques than can be covered in the foundational course, Security 542: Web Application Penetration Testing and Ethical Hacking.

Course Syllabus
  SEC642.1: Advanced Discovery and Exploitation
  Instructor: Justin Searle | Mon Nov 26th, 2012, 9:00 AM - 5:00 PM
Overview

As applications and their vulnerabilities become more complex, penetration testers have to be able to handle these targets. We will begin the class by exploring how Burp Suite works and more advanced ways to use it within your penetration-testing processes. The exploration of Burp Suite will focus on its ability to work within the traditional web penetration testing methodology and assist in manually discovering the flaws within the target applications.

Following this discussion, we will move into studying specific vulnerability types. This examination will explore some of the more advanced techniques for finding server-based flaws such as SQL injection. After discovering the flaws, we will then work through various ways to exploit them beyond the typical means exhibited today. These advanced techniques will help penetration testers demonstrate the risks these flaws expose an organization to.

CPE/CMU Credits: 6

Topics

  • Review of the testing methodology
  • Using Burp Suite in a web penetration test
  • Examine how to use Burp Intruder to effectively fuzz requests
  • Explore advanced discovery techniques for SQL injection and other server-based flaws
  • Learn advanced exploitation techniques


  SEC642.2: Discovery and Exploitation for Specific Applications
  Instructor: Justin Searle | Tue Nov 27th, 2012, 9:00 AM - 5:00 PM
Overview

On day 2 of SEC642, we will continue the exploration of advanced discovery and exploitation techniques. We'll start by exploring client-side flaws such as cross-site scripting (XSS) and cross-site request forgery (XSRF). We will explore some of the more advanced methods for discovering these issues. After finding the flaws, you will learn some of the more advanced methods of exploitation, such as scriptless attacks and building web-based worms using XSRF and XSS flaws within an application.

During the next part of the day we'll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. This section of the class examines applications such as SharePoint and WordPress. These specific targets have unique needs and features that make testing them both more complex and more fruitful for the tester. This section of the class will help you understand these differences and make use of them in your testing.

CPE/CMU Credits: 6

Topics

  • Discovering XSRF flaws within complex applications
  • Learning about DOM-based XSS flaws and how to find them within applications
  • Exploiting XSS using scriptless injections
  • Bypassing anti-XSRF controls using XSS/XSRF worms
  • Attacking SharePoint installations
  • How to modify your test based on the target application


  SEC642.3: Web Application Encryption
  Instructor: Justin Searle | Wed Nov 28th, 2012, 9:00 AM - 5:00 PM
Overview

Cryptographic weaknesses are a common source of flaws, yet few penetration testers have the skills to investigate, attack and exploit them. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages and development frameworks make encryption services available to the developer, but they do not inherently protect encrypted data from attack and they permit the developer to use cryptography in a weak manner. These implementation mistakes will be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying which encryption scheme is in use to exploiting various flaws in the application's use of encryption or hashing.

CPE/CMU Credits: 6

Topics

  • Explore how to identify the cryptography in use
  • Discover how to attack the encryption keys
  • Learn how to attack Electronic Codebook (ECB) Mode Ciphers
  • Exploit Padding Oracles and Cipher Block Chaining (CBC) Bit Flipping


  SEC642.4: Web Application Firewall and Filter Bypass
  Instructor: Justin Searle | Thu Nov 29th, 2012, 9:00 AM - 5:00 PM
Overview

Today, applications are using more security controls to help prevent attacks. These controls, such as web application firewalls and filtering techniques, make it more difficult for penetration testers to do their testing. These controls block many of the automated tools and simple techniques used to discover flaws today. On day 4 you will explore techniques used to map the control and how it is configured to block attacks. You'll be able to map out the rule sets and determine the specifics of how it detects attacks. This mapping will then be used to determine attacks that will bypass the control. You'll use HTML5, Unicode and other encodings that will enable your discovery techniques to work within the protected application.

CPE/CMU Credits: 6

Topics

  • Understanding of web application firewalling and filtering techniques
  • Explore how to determine the rule sets protecting the application
  • Learn how HTML5 injections work
  • Discover the use of Unicode and other encodings


  SEC642.5: Mobile Applications and Web Services
  Instructor: Justin Searle | Fri Nov 30th, 2012, 9:00 AM - 5:00 PM
Overview

Web applications are no longer limited to the traditional HTML-based interface. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems.

During day 5, you will learn how to build a test environment for mobile applications and web services. We will also explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets.

CPE/CMU Credits: 6

Topics

  • Understanding the mobile platforms and architecture
  • Intercepting traffic to web services and from mobile applications
  • Building a test environment
  • Injecting malicious traffic into web services


  SEC642.6: Capture the Flag
  Instructor: Justin Searle | Sat Dec 1st, 2012, 9:00 AM - 5:00 PM
Overview

During day six of the class you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these ideas and methods against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework web penetration-testing environment. You will be able to use this both in the class and after leaving and returning to your jobs.

CPE/CMU Credits: 6


Additional Information

  Laptop Required

You will need to bring a laptop capable of running VMware Workstation, Player or Fusion. It needs at least 4GB of RAM and 25GB of free hard drive space.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.


  Who Should Attend

  • Web penetration testers
  • Security consultants
  • Developers
  • QA testers
  • System administrators
  • IT managers
  • System architects


  Prerequisites

This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, web applications, and a scripting language such as Python. Successful completion of the GWAPT certification or having attended the SEC542 class would fulfill these prerequisites.


  What You Will Receive

  • An understanding of advanced web penetration techniques
  • Skills to test and exploit specific target environments such as content management systems and infrastructure applications
  • Understanding of encryption and its usage within web applications
  • Ability to recognize filtering and WAF techniques and bypass them
  • Skills to test and evaluate web services used in an enterprise
  • Understanding of mobile application testing


  You Will Be Able To

  • Assess and attack complex modern applications
  • Understand the special testing and exploits available against content management systems such as SharePoint and WordPress
  • Use techniques to identify and attack encryption within applications
  • Identify and bypass web application firewalls and application filtering techniques to exploit the system
  • Use exploitation techniques learned in class to perform advanced attacks against web application flaws such as XSS, SQL injection and CSRF


Author Statement

As web applications and their mobile counterparts become more complex and hardened against attack, penetration testers need to adjust the techniques they use to evaluate the security of these systems. This includes understanding how the various targets work, their usage of encryption and web application firewalling, and how to perform vulnerability discovery and exploitation against these items. This course is designed to expand past the methodology and focus on the "how" when we are presented with the challenges of web penetration testing.

- Kevin Johnson