SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
Mon, August 3 - Sat, August 8, 2020
Course Syllabus · 36 CPEs · Lab Requirements
Instructor: Adrien de Beaupre
Can Your Web Apps Withstand the Onslaught of Modern Advanced Attack Techniques?
Modern web applications are growing more sophisticated and complex as they utilize exciting new technologies and support ever-more critical operations. Long gone are the days of basic HTML requests and responses. Even in the age of Web 2.0 and AJAX, the complexity of HTTP and modern web applications is progressing at breathtaking speed. With the demands of highly available web clusters and cloud deployments, web applications are looking to deliver more functionality in smaller packets at a decreased strain on backend infrastructure. Welcome to an era that includes tricked-out cryptography, WebSockets, HTTP/2, and a whole lot more. Are your web application assessment and penetration testing skills ready to evaluate these impressive new technologies and make them more secure?
Are You Ready To Put Your Web Apps To the Test with Cutting-Edge Skills?
This pen testing course is designed to teach you the advanced skills and techniques required to test modern web applications and next-generation technologies. The course uses a combination of lecture, real-world experiences, and hands-on exercises to teach you the techniques to test the security of tried-and-true internal enterprise web technologies, as well as cutting-edge Internet-facing applications. The final course day culminates in a Capture the Flag competition where you will apply the knowledge you acquired during the previous five days in a fun environment based on real-world technologies.
Hands-on Learning Of Advanced Web App Exploitation Skills
We begin by exploring advanced techniques and attacks to which all modern-day complex applications may be vulnerable. We'll learn about new web frameworks and web backends, then explore encryption as it relates to web applications, digging deep into practical cryptography used by the web, including techniques to identify the type of encryption in use within the application and methods for exploiting or abusing it. We'll look at alternative front ends to web applications and web services such as mobile applications, and examine new protocols such as HTTP/2 and WebSockets. The final portion of class will focus on how to identify and bypass web application firewalls, filtering, and other protection techniques.
You Will Learn:
- How to discover and exploit vulnerabilities in modern web frameworks, technologies, and backends
- Skills to test and exploit specific technologies such as HTTP/2, Web Sockets, and Node.js
- How to evaluate and find vulnerabilities in the many uses of encryption within modern web applications
- Skills to test and evaluate mobile backends and web services used in an enterprise
- Methods to recognize and bypass custom developer, web framework, and Web Application Firewall defenses
Notice:
SEC642 students will receive licensing information in the SANS portal account that is linked to their registration. Please ensure that you can access the SANS portal account that is linked to your registration at the start of your course.
If you are registering another individual on behalf of your organization, you must register that individual using the email address that is linked to his or her SANS portal account. That will ensure that the individual can receive licensing information in his or her SANS portal account in order to be prepared with the proper equipment to complete the course (SEC642).
Course Syllabus
SEC642.1: Advanced Attacks
Adrien de Beaupre
Mon Aug 3rd, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
As applications and their vulnerabilities become more complex, penetration testers have to be able to handle advanced targets. We'll start the course with a warm-up pen test of a small application. After our review of this exercise, we will explore some of the more advanced techniques for LFI/RFI and SQLi server-based flaws. We will then take a stab at combined XSS and XSRF attacks, where we leverage the two vulnerabilities together for even greater effect. After discovering the flaws, we will then work through various ways to exploit these flaws beyond the typical means exhibited today. These advanced techniques will help penetration testers find ways to demonstrate these vulnerabilities to their organization through advanced and custom exploitation.
Exercises
- Getting warmed up
- Exploiting file inclusions
- Exploiting Blind SQLi
- Combined XSS and XSRF
CPE/CMU Credits: 6
Topics
- Review of the testing methodology
- Using Burp Suite in a web penetration test
- Exploiting local and remote file inclusions
- Exploring advanced discovery techniques for SQL injection and other server-based flaws
- Exploring advanced exploitation of XSS and XSRF in a combined attack
- Learning advanced exploitation techniques
SEC642.2: Web Frameworks
Adrien de Beaupre
Tue Aug 4th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
We'll continue exploring advanced discovery and exploitation techniques for today's complex web applications. We'll look at vulnerabilities that could affect web applications written in any backend language, then examine how logic flaws in applications, especially in Mass Object Assignments, can have devastating effects on security. We'll also dig into assumptions made by core development teams of backend programming languages and learn how even something as simple as handling the data types in variables can be leveraged through the web with Type Juggling and Object Serialization. Next we'll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. Part of this discussion will lead us to cutting-edge technologies like the MEAN stack, where JavaScript is leveraged from the browser, web server, and backend NoSQL storage. The final section of the class examines applications in content management systems such as SharePoint and WordPress, which have unique needs and features that make testing them both more complex and more fruitful for the tester.
Exercises
- Mass assignment in CakePHP
- Authentication bypass in PHP
- MEAN stack attack
- SharePoint
- WordPress
CPE/CMU Credits: 6
Topics
- Web architectures
- Web design patterns
- Languages and frameworks
- Java and struts
- PHP type juggling
- Logic flaws
- Attacking object serialization
- The MEAN stack
- Content management systems
- SharePoint
- WordPress
SEC642.3: Web Cryptography
Adrien de Beaupre
Wed Aug 5th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
Cryptographic weaknesses are a major area of web application vulnerabilities, yet very few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages or development frameworks make encryption services available to the developer. Often they do not protect encrypted data from being attacked, or they permit the developer to use cryptography in a weak manner. These implementation mistakes are going to be our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying types of encryption to exploiting various flaws within encryption or hashing techniques.
Exercises
- Analyzing Crypto
- Working through obscurity with data encoding
- Exploiting weak keys chosen by the backend system
- Attacking stream ciphers
- Discovering and exploiting ECB Shuffling in web applications
- Discovering and exploiting CBC Bit Flipping in web applications
- Discovering and exploiting Padding Oracle Attack in web applications
CPE/CMU Credits: 6
Topics
- Identifying the cryptography used in the web application
- Analyzing and attacking the encryption keys
- Exploiting stream cipher IV collisions
- Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling
- Exploiting Cipher Block Chaining (CBC) Mode with bit flipping
- Vulnerabilities in PKCS#7 padding implementations
SEC642.4: Alternative Web Interfaces
Adrien de Beaupre
Thu Aug 6th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
Web applications are no longer limited to the traditional HTML-based interfaces. Web services and mobile applications have become more common and are regularly being used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. We will examine Flash, Java, Active X, and Silverlight flaws. We will explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets. We'll use lab exercises to explore the newer protocols of HTTP/2 and WebSockets, exploiting flaws exposed within each of them.
Exercises
- Wireshark stream extraction to custom pentester requests
- Decompiling Flash objects
- Exploiting a SOAP-based web service
- Playing with WebSockets in SocketToMe
- Discovering weaknesses in H2O's HTTP/2 implementation
CPE/CMU Credits: 6
Topics
- Intercepting traffic to web services and from mobile applications
- Flash, Java, ActiveX, and Silverlight vulnerabilities
- SOAP and REST web services
- Penetration testing of web services
- WebSocket protocol issues and vulnerabilities
- New HTTP/2 protocol issues and penetration testing
SEC642.5: Web Application Firewall and Filter Bypass
Adrien de Beaupre
Fri Aug 7th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
Applications today are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make it more difficult for penetration testers during their testing. The controls block many of the automated tools and simple techniques used to discover flaws. On this day we'll explore techniques used to map the control and how that control is configured to block attacks. You'll be able to map out the rule sets and determine the specifics of how the Web Application Firewall detects attacks. This mapping will then be used to determine attacks that will bypass the control. You'll use HTML5, UNICODE, and other encodings that will enable your discovery techniques to work within the protected application.
Exercises
- Comparing the differences between .NET framework and ModSecurity Web Application Firewall defenses
- ModSecurity rule analysis and intentionally triggering its rules
- Testing and fingerprinting defense based on difficult-to-defend web vulnerabilities
- Working through XSS defenses compound data URIs
- Bypassing SQL Injection defense with custom tamper scripts in sqlmap
CPE/CMU Credits: 6
Topics
- Understanding of Web Application Firewalling and filtering techniques
- Determining the rule sets protecting the application
- Fingerprinting the defense techniques used
- Learning how HTML5 injections work
- Using UNICODE, CTYPEs, and Data URIs to bypass restrictions
- Bypassing a Web Application Firewall's best-defended vulnerabilities, XSS and SQLi
SEC642.6: Capture the Flag
Adrien de Beaupre
Sat Aug 8th, 2020
9:00 AM - 12:15 PM CEST
1:30 PM - 5:00 PM CEST
Overview
On this final course day you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this exercise is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these skills against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework (SamuraiWTF). You will be able to use this both in the class and after leaving and returning to your jobs.
CPE/CMU Credits: 6
Additional Information
Lab Requirements
Laptop Requirements:
- x64-compatible 2.0 GHz CPU minimum or higher
- At least 20 GB of hard drive space
- At least 4 GB of RAM, preferably 8 GB of RAM
- An Ethernet port or Ethernet adapter to plug into a private, in-class network.
VMware: One of the following versions of VMware or newer pre-installed before class begins: VMware Workstation Player 12, VMware Workstation Pro 12, VMware Fusion 8, or VMware Fusion Pro 8. You can download a free 30-day trial of any of these here. Other virtualization software such as Parallels or VirtualBox may work if attendees are capable of supporting it themselves. However, VMware should be installed as a backup just in case
IMPORTANT NOTE: While not usually necessary for this class, you may be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
During the hands-on exercises, you will be connecting to the classroom network. While contrary to exercise rules and SANS ethics policy, your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
Who Should Attend
- Web penetration testers
- Red team members
- Vulnerability assessment personnel
- Network penetration testers
- Security consultants
- Developers
- QA testers
- System administrators
- IT managers
- System architects
Prerequisites
This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, and web applications. A minimum or one to two years of web penetration testing experience, successful completion of the GWAPT certification, or having attended the SEC542 course would fulfill these prerequisites.
Other Courses People Have Taken
Related Courses:
- Courses that lead in to SEC642:
- SEC542: Web App Penetration Testing and Ethical Hacking
- DEV522: Defending Web Applications Security Essentials
- SEC560: Network Penetration Testing and Ethical Hacking
- Courses or equivalent experiences that are prerequisites for SEC642:
- Courses that are good follow-ups to SEC642:
What You Will Receive
- A copy of the Samurai Web Testing Framework (SamuraiWTF), which includes some of the latest and greatest open-source penetration testing tools for web application testing
- A six-course session booklet that includes course slides, student notes, and multiple hands-on exercises for each day
You Will Be Able To
- Perform advanced Local File Include (LFI) / Remote File Include (RFI), Blind SQL injection (SQLi), and Cross-Site Scripting (XSS) combined with Cross-Site Request Forger (XSRF) discovery and exploitation
- Exploit advanced vulnerabilities common to most backend language like Mass Assignments, Type Juggling, and Object Serialization
- Perform JavaScript-based injection against ExpressJS, Node.js, and NoSQL
- Understand the special testing methods for content management systems such as SharePoint and WordPress
- Identify and exploit encryption implementations within web applications and frameworks
- Discover XML Entity and XPath vulnerabilities in SOAP or REST web services and other datastores
- Use tools and techniques to work with and exploit HTTP/2 and Web Sockets
- Identify and bypass Web Application Firewalls and application filtering techniques to exploit the system
Press & Reviews
"Best web app class ever!" - John Cartrett, Torchmark Corporations
"SEC642 helps sharpen the pen testing mindset and to be more creative when performing pen tests." - Jesper Pettersson, Klarna
"SEC642 is the perfect course for someone who has a background in web app pen testing, but wants to really gain advanced skills." - Matthew Sullivan, Webfilings
"I like this training because it is very hands on and not just focused on slides. Very helpful for the real world." - Zach Moreno, Chico Security
Author Statement
"As web applications and their mobile counterparts become more complex and hardened against attack, penetration testers need to continually update the techniques and tools they use to evaluate the security of these systems. This includes understanding how the various new technologies work, which tools work with cutting-edge technologies like HTTP/2 and NoSQL, how to perform special penetration tests like Web Application Firewall inspections, and how to perform custom exploitation to demonstrate maximum impact for the applications you test. This course is designed to expand past the methodology and the 'how' when we are presented with the challenges of web penetration testing, and dig into the more esoteric 'why' these techniques and tools work, so that you can adapt as needed in your assessments."
- Justin Searle
"SANS SEC642: the Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques course picks up where others end. We explore modern applications, modern protocols, and modern attacks. We examine in detail the tools and techniques used to identify and exploit vulnerabilities in new ways. We truly take penetration testing of web applications to a whole new and more advanced level in this class. I have always found that giving back to the information security community has benefited my career more than anything else has. This is how we pay it forward. We hope that you enjoy this course as much as we did writing it!"
- Adrien de Beaupre
