Tuesday, October 22 • 9:00am - 5:00pm
Training: Cramming it all in! - Fundamentals of Comprehensive Web Application Testing (Day 1)



(Paid Course) - Tickets can be purchased at https://lascon-x-training.eventbrite.com

This course provides a balance of practical theory and hands-on testing experience related to the assessment of web applications from the perspective of an offensive security consultant. The main goal is to impart an efficiency-focused mindset along with a framework of techniques a professional penetration tester would leverage to evaluate an application's security posture during a time-compressed client engagement. Students will be guided through a consistent, repeatable, and defined approach to examining an application's attack surface given a finite amount of resources. Emphasis is placed on the efficient identification and verification of common web application vulnerabilities and the subsequent communication of remediation recommendations to clients.

The main topics covered are automated and manual testing techniques related to initial reconnaissance, resource enumeration, session handling, vulnerability discovery, authentication mechanisms, access controls, and business logic. The course also reviews how the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) mechanisms affect cross-site attacks, highlights various advanced Burp Suite techniques, and passes on strategies designed to help students become better, more capable application-focused security professionals. The OWASP Top 10 is used throughout to frame discussions of web application security best practices and the avoidance and remediation of common, high-severity vulnerabilities.

Hands-on labs accompany each lecture component as the class works through an example of a real-world application assessment workflow. Students will work with vulnerable applications carrying common vulnerabilities inspired by ones discovered during real engagements. On completion, students will possess the skills required to deftly navigate time-limited professional web application assessments and to deliver high-quality consultations that clients will benefit from and employers will reward.

This class will make heavy use of the Burp Suite web proxy testing and scanning tool. A trial license for the professional version of Burp Suite will be provided to students at no cost.

Target Audience: This course is geared towards information security professionals (aspiring or gainfully employed) looking to garner a deeper understanding of how to efficiently conduct consultative web application penetration testing engagements.
Course Outline

Day 1
 - Introduction
 - Consultant Considerations
 - Initial Application Reconnaissance
 - Session Handling
 - Application Enumeration
 - Vulnerability Scanning
 - Response Review
 - Security Headers
 - Cookie Security

Day 2
 - XSS, CSRF, & Same Origin Policy
 - Access Controls
 - Authentication Mechanisms
 - File Upload Tests
 - Business Logic
 - Client-side controls
 - Cryptographic Evaluation
 - Vulnerability Remediations
 - Things we left out (further considerations)

Minimum course requirements:
 - Firm understanding of the HTTP protocol.
 - Familiarity with basic web application attack vectors, theory, and practice.
 - Familiarity with web proxies (preferably Burp Suite) and similar tools.

Students are expected to bring a laptop with the following requirements:
 - USB port
 - Minimum of 8GB RAM
 - At least 10GB of free storage space
 - VMWare Player or VMWare Fusion installed


Ryan Wendel

Senior Application Consultant
Ryan Wendel currently operates as a penetration testing consultant working for the Dell Secureworks Adversary Group. His primary interests and areas of expertise encompass simulating real-world attacks on web applications and external/internal networks and infrastructure. Ryan's technology...

Tuesday October 22, 2019 9:00am - 5:00pm CDT