Advanced Web Hacking and Secure Coding
Trainer: Vikram Salunke
Abstract: Tired of alert('xss')? If you want to learn advanced web hacking techniques, this training is for you. The training starts with basic web app hacking and then moves into more advanced topics such as bypassing XSS filters, HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE etc. This is a hands-on training on web hacking and secure coding, covering both offensive and defensive approaches to web applications. It covers how to write secure code in multiple languages such as PHP, Java, C# etc. The lab contains multiple CMSs such as WordPress, Drupal and Joomla, and multiple databases such as MySQL, SQL Server, MongoDB etc. You will learn how to exploit and attack machines in the internal network using public-facing servers. The training includes the secure coding practices recommended by OWASP, and contains over 50 labs and 30+ challenges inspired by real-world vulnerabilities and case studies.
- User Enumeration
- Authentication and Password management
- Information Leakage
- HTTP Verb Tampering
- HTML Injection
- Cross Site Scripting (XSS)
- iFrame Injection
- LDAP Injection
- CSS Injection
- AJAX Security - JSON Injection
- Insecure direct object reference
- Open Redirects
- Broken Access Control
- SSI Injection
- SQL Injection
- JSON Hijacking
- Session Management
- Cookie Stealing
- XML, XPATH and XQUERY language injection
- JSON Web Token
- Insecure System Configuration
- Path traversal
- HTTP Response Splitting
- Shellshock vulnerability
- Heartbleed vulnerability
- OWASP Top 10 Attacks
- OWASP Secure Coding Practices
- Logical Flaws
- and more...
Attendee requirements for this training:
- Modern laptop with wired or wireless networking capabilities
- OS - Mac OS or Windows
- At least 60 GB HD Free
- VMware Workstation / Fusion installed
Attendees will be provided with:
- Multiple vulnerable applications
- Hosted VMs for testing and training labs
- Over 50 labs and 30+ challenges to solve
- Training materials – presentation materials and lab examples.
- Custom tools and scripts
- Additional reading materials
Duration: Full day.
Tickets: Via Eventbrite
Vikram is an Information Security Researcher, Consultant and Founder at Vmaskers. Vmaskers provides network, wireless, web, Android and iOS application penetration testing services and training for corporates. His main responsibilities are to look after application security, lead security automation and provide training. He has also developed several internal security tools for the organisation to handle security issues. Vmaskers provides training for organisations' internal teams, including developers and penetration testers, to improve the quality of their applications. He has also discovered serious web application security flaws in many unique product giants all over the world. His research focuses primarily on Web App, Android and iOS App pentesting. He is responsible for breaking and fixing business-critical Web Applications, Web Services, and client-facing applications built with HTML5 and JS. He will be training at LASCON 2016.
Abstract: Do terms like XSS, SQLi, RCE, Buffer Overflow, Rootkit, Trojan, Phishing, DDoS, Malware, Virus, or just the word Hacker leave you confused? This training is for you. We all had to start somewhere, and this is the training for you, the beginner. Dan and Kevin are here to help you into the world of information security. This will be a light-hearted, fun and interactive session.
We'll talk through what these terms mean, and try to answer questions as we go. There'll be live examples of the basics, and an opportunity to try these out in a lab (so bring along a laptop). The goal of this session is to come away with some usable knowledge, and an entry level understanding of the information security world.
- What is Hacking? (History, what's legal, ethics)
- Hacking in popular culture versus reality
- Getting started
- Understanding of attacks
- Performing your first attack
- Tools of the trade
- How to carry on beyond this session
- And more…
Duration: Half day (afternoon).
Cost: $0, only available to students.
Tickets: Via Eventbrite
Kevin occasionally helps Dan run the Christchurch branch of ISIG. He has been programming for a living since 1986 (yes, longer than most of you have been alive) after studying at what is now known as Ara Institute of Canterbury. He is now the founder and principal consultant at Katipo Information Security.