
Network Security 2020

Las Vegas, NV | Sun, Sep 20 - Fri, Sep 25, 2020

SANS is planning to resume In-Person training at this event. SANS courses will be available to you in Live Online (virtual) and In-Person formats, giving you the ultimate flexibility to choose how YOU train.

  • Select your preferred course delivery method at the time of registration.
  • Should the COVID-19 situation cause changes to your preferred delivery method, SANS will contact you via email.
  • Visit our events page to learn about benefits of In-Person and Live Online training.
  • See our Event Safety tab to view the precautions our venues will implement.

SEC552: Bug Bounties and Responsible Disclosure Beta

Mon, September 21 - Tue, September 22, 2020

Training Options: Live Online

12 CPEs
Instructor: Staff  ·  Price: 1,400 USD

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

Pen testers and security researchers face the challenge of discovering and weaponizing complicated vulnerabilities in order to properly perform security assessments for applications. Modern applications are enriched with advanced and complex features that increase the attack surface. Every application has its own unique logic that requires the pen tester to deeply understand how the app functions before beginning a security assessment. Discovering and exploiting tricky security bugs in these assessments requires the art of mixing manual and automated techniques.

Bug bounty programs are put in place so that the security community can help vendors discover application security flaws that are difficult to discover and exploit. The scope of such programs includes security bugs for web apps, mobile apps, APIs, and more. Large IT companies, such as Google, Facebook, Twitter, and PayPal, have participated in such programs. Security researchers who follow the responsible disclosure policy of bug bounty programs are rewarded and acknowledged, since such programs improve and secure applications.

SEC552 is inspired by case studies found in various bug bounty programs, drawing on recent real-life examples of web and mobile app attacks. The experiences of different researchers yield ideas for pen testers and developers about unconventional attack techniques and mindsets. Each section of the course is influenced by bug bounty stories that are examined through the following structure:

  • Attack concept: The idea, concept, and root cause of the attack.
  • Test technique: How to test and discover the application security flaw manually and automatically.
  • Attack exercise: This lab uses tools such as Burp Professional to analyze the vulnerable applications.
  • Related bug bounty case study: Analysis of several bug bounty stories that are related to the attack.
  • Defense techniques: The best security practices to defend from the attack and mitigate the application security flaws.

Here are just a few considerations when organizations are implementing bug bounty programs:

  • Regardless of whether a company has a bug bounty program, attackers and researchers are assessing their Internet-facing and cloud applications. Security teams within companies, as well as consulting teams that provide security services for customers, need to understand how to assess Internet-facing applications.
  • Companies rely on single sign-on (SSO) with third parties such as Dropbox. Authentication and session management shared between these sites offer opportunities for attackers.
  • Most companies have cloud applications, many of which have weak APIs, weak single-factor authentication, poor session management, and other issues that can result in data exposure or remote code execution.

In SEC552, students will perform labs on real-world applications using professional tools to practice hunting genuine security bugs. We will then examine web application defenses and extra code review exercises to close the loop on the attacks covered. Finally, we'll look at reporting and responsible disclosure, ensuring delivery of quality app security bug reports with proper description, evidence, and recommendations. Bug bounty stories are full of ideas and clever tactics from which much can be learned about mixing manual and automated techniques. This course will teach you how to apply modern attack techniques to discover and disclose tricky, logic-based application flaws that automated scanning tools will not reveal.

Notice:

SEC552 students will receive licensing information in the SANS portal account that is linked to their registration. Please ensure that you can access the SANS portal account that is linked to your registration at the start of your course.

If you are registering another individual on behalf of your organization, you must register that individual using the email address that is linked to his or her SANS portal account. That will ensure that the individual can receive licensing information in his or her SANS portal account in order to be prepared with the proper equipment to complete the course (SEC552).

Course Syllabus


Staff
Mon Sep 21st, 2020
9:00 AM - 12:15 PM
1:30 PM - 5:00 PM

Overview

Day 1 begins by introducing you to setting up a bug bounty program in an organization, and how to get started and manage the process. Understanding an app's functionality can open attack ideas and facilitate catching tricky app security bugs. You will learn and practice mapping the app logic and features into the HTTP requests of real-life apps. You will learn different techniques inspired by real-life case studies in order to perform authentication bypass and account takeover. You will discover and exploit real-life bugs manually in an authentication bypass exercise. We'll inspect source code to understand the root cause of the bug, and all exercises will be performed on real-life apps using a trial license for Burp Suite Professional. You'll be hunting security bugs like professionals. Tricky logic bugs are some of the hardest to discover and catch in complex apps. You will learn different tricks to conduct logic and authorization bypass attacks while walking through real-life cases from bug bounty programs. An authorization bypass lab will enable you to practice catching tricky logic bugs. Finally, you will learn about various methods to perform SQL injection attacks in different contexts, inspired by real-life bug bounty case studies.

Exercises
  • Exercise 1.1: App mapping
  • Exercise 1.2: Authentication bypass
  • Exercise 1.3: Logic attacks
  • Exercise 1.4: SQL injection
  • Exercise 1.5: SQL injection - Boolean

CPE/CMU Credits: 6

Topics
  • Introduction and HTTP basics
    • Managing bug bounty programs
    • Bug hunting tips
    • HTTP review
  • Understanding the app
    • Identifying app components
    • Translating business into HTTP requests
    • User profiles and mapping execution path
    • Tracing the data flow
    • Bug bounty case studies
    • Defense perspective
  • Hunting for authentication and session flaws
    • Authentication and sessions
    • Parameter identification and session analysis
    • Authentication bypass
      • Parameter manipulation
      • Direct access
      • Bypass multi-factor authentication
    • Bug bounty case studies
    • Defense from authentication and session flaws
  • Logic attacks and authorization bypass
    • Authorization and business rules
    • Breaking the business logic
    • Attack techniques:
      • Manipulating parameters
      • Reordering requests
    • Bug bounty case studies
    • Defending from logic attacks
  • SQL injection
    • SQL attack techniques based on context
    • Boolean-based SQL injection
    • Time-based SQL injection
    • Bug bounty case studies
    • SQL injection defenses

Staff
Tue Sep 22nd, 2020
9:00 AM - 12:15 PM
1:30 PM - 5:00 PM

Overview

Day 2 continues covering various attack techniques for different security bugs such as Open Redirect, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). The attack techniques covered will draw on real-life bug bounty stories that give different attack ideas for discovery, filter bypass, and exploitation. You will learn attack techniques on modern apps that are rich with client-side code and API calls. You will also learn how to chain different bugs to cause a greater security impact. The day is filled with exercises that will walk you through real-life apps. During the exercises, you'll learn how to discover the bug manually, how to inspect the root cause of the bug in the source code, and how to fix the bug. Finally, you will learn how to deliver quality app security bug reports with proper descriptions and evidence.

Exercises
  • Exercise 2.1: CSRF
  • Exercise 2.2: Discovering stored XSS
  • Exercise 2.3: XSS bypassing filters
  • Exercise 2.4: API attacks
  • Exercise 2.5: Chaining logic attacks

CPE/CMU Credits: 6

Topics
  • Open redirect
    • Open redirect basics
    • Open redirect risk
    • Bug bounty case studies
  • Server-side request forgery
    • SSRF basics
    • Discovering SSRF
    • Bug bounty case studies
    • SSRF defenses
  • Cross-site request forgery
    • CSRF basics
    • Discovering CSRF
    • Bug bounty case studies
    • CSRF defenses
  • Cross-site scripting
    • XSS basics: Reflected, stored, and DOM-based XSS
    • Discovering XSS flaws
    • Tracing the data flow and the context
    • Bug bounty case studies: Tricky stored XSS
    • Filtering detection and bypass
    • Bug bounty case studies: Filter bypass
    • XSS defenses: Input validation and output encoding
  • Client-side code and APIs
    • Client-side code analysis
    • Finding the API URIs
    • Attacking APIs
    • Bug bounty case studies
    • API defenses: Input validation and authorization
  • Combining web attacks
    • Successful attack scenarios
    • The art of combining web attacks
    • Open redirect and SSRF
    • Command injection and CSRF
    • Logic and XSS
    • Bug bounty case studies
  • Reporting and responsible disclosure
    • Evidence and proof-of-concept
    • Responsible disclosure
    • Future and practice

Additional Information

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the course unsatisfied because you will not be able to participate in essential hands-on exercises. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you not bring a system storing any sensitive data.

Baseline Hardware Requirements

  • CPU: 64-bit Intel i5/i7 2.0+ GHz processor
  • BIOS: Enabled "Intel-VT"
  • USB: 3.0 type-A port
  • RAM: 8 GB (4 GB minimum)
  • Hard-drive free space: 30 GB
  • Operating System: Windows, macOS, or Linux

Additional Requirements

These requirements are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Additional Hardware Requirements

  • Network, Wireless Connection: A wireless 802.11 b, g, n, or ac network adapter is required.

Additional Software Requirements

  • Install VMware Workstation Player 15, VMware Fusion 11.x, or VMware Workstation 15
  • Have the ability to disable Windows Credential Guard

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Penetration testers: The course will enrich the skills of pen testers through real-life stories and practical labs covering the most popular web and mobile app attacks.
  • Software developers and architects: The course will help developers link attack and defense techniques while discovering security bugs in the source code before making the app public.
  • Security engineers: The course will help attendees who are managing a bug bounty program or planning to implement one by enabling them to practice the techniques used by security researchers to report security bugs, and to verify if the bugs are valid or false positives.
  • Network/system engineers: The course will help attendees fill the gap of application security and get started in the field.

SEC552 is designed for those students who have completed SEC542 or already have equivalent experience. SEC642 students will also benefit from the course.

Course media include Burp Suite Pro as well as several vulnerable real-life web applications for testing and training within the classroom and beyond.

  • Learn the art of translating app features to attack vectors
  • Find complex and tricky security bugs in real-life apps
  • Draw on real-life bug bounty stories discovered by talented researchers
  • Gain a deep understanding of the root cause of security bugs in modern apps
  • Correlate security bugs with defenses and understand how to bypass weak app defense controls by participating in labs based on real-life applications and using professional tools (Burp Suite Professional)
  • Properly modify insecure defenses

Hands-on labs employed throughout SEC552 will strengthen the ability of students to catch and fix tricky app security bugs. The labs cover:

  • App mapping
  • Authentication bypass
  • Logic attacks
  • SQL injection - Boolean
  • XSS bypassing filters
  • API attacks
  • Chaining logic attacks
  • Reporting
  • Extensive use of Burp Suite Pro

Author Statement

"During my journey working in bug bounty programs, it was always challenging to catch security bugs. The bugs had to be risky, unique, and tricky so that they wouldn't be considered duplicate by other researchers. This course is inspired by real-life case studies and is designed to help you catch and fix tricky security bugs using logic techniques and professional tools."

- Hassan El Hadary