Trooper!
You passed Hacking 1on1 with flying colors?
You evade web application firewalls as they would be opened doors?
You have successfully exploitated CVE-2015-8769?
Then it’s time for the next challenge! Follow us down the rabbit hole to the not so well known attacks against modern web applications.
At Troopers16 we will be presenting the second iteration of our WebHackingSpecialOps workshop in which more advanced techniques to break current web application technologies will be explained. On the first day there will be an introduction that gives a quick overview on the well-known attacks like SQLi, XSS and XSRF. Then attacks will be shown that build upon these “old” vectors including blind/clientside SQLi, NoSQLi and some specialties on NodeJS, the javascript based server-side runtime. Next to these technical topics several formal subjects like 3rd library handling and a guideline on how to deploy TLS in a secure way will be given. Especially the 3rd party library chapter since they have become more and more relevant, as in the near past several major vulnerabilities in such libraries were found which gave attackers the chance to break web applications that were based on these. This shows that even though developers do a great job and developer companies get familiar with secure development lifecycles, there are still problems depending on the used technologies that cannot be addressed easily. One example of such a vulnerability is the object deserialization flaw in the Apache Commons Collections library, which was discovered at the beginning of 2015 and got attention in November, when two researchers presented their talk on AppSecCali2015 and showed how easy remote code execution can be done through this kind of flaw. The details of all kind of object deserialization (as almost all current scripting/high level programming languages support this feature) will be part of our course. Next to these topics a deep-dive into current crypto algorithms, their usecases concerning webapplications and their flaws will be given. Within every part of this course several demos and hands-on exercises will be done, so every attendee will be able to apply new knowledge directly. Don’t miss this chance to improve, Trooper!
Click here for more information.