This is an introduction to SANS SEC460, Enterprise Threat and Vulnerability Assessment, focusing on web application testing. It is a story about how a vulnerability in a framework can lead to web application compromise. We will discuss how a remote code execution vulnerability led to the Equifax data breach. If there is an exploitable condition in a component that your application relies on, you could be in trouble. A properly performed security assessment can help you identify these issues and describe the risk associated with them. The Struts 2 framework implemented poor input validation in an API call, which meant that any and all applications based on that framework were vulnerable. A live demo of identifying the vulnerability will be performed during the session.
Adrien de Beaupre is the co-author of the brand new course, SEC460, Enterprise Threat and Vulnerability Assessment.