Monday, August 5, 2019

Training: Full Stack Web Attack

Full Stack Web Attack is not an entry-level course. It is designed to push you beyond what you thought was possible and set you on the path to developing your own workflow for offensive zero-day web research.

This course is developed for web penetration testers, bug hunters and developers who want to switch to server-side web security research, or who want to see how serious adversaries will attack their web-based code.

Students are expected to know how to use Burp Suite, to have a basic understanding of common web attacks, and to be able to write basic scripts in common languages such as Python, PHP and JavaScript. Each of the vulnerabilities presented is either mirrored from a real zero-day or is an n-day bug discovered by the author, with a focus not just on exploitation but also on discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution, then this is the course for you.
Leave your OWASP Top Ten and CSP bypasses at the door.

Student Requirements
   At least basic scripting skills
   At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers

Hardware Requirements
   A 64-bit host operating system
   16 GB RAM minimum
   VMware Workstation/Fusion
   60 GB of free hard disk space minimum
   Wired and wireless network support
   USB 3.0 support

Agenda
   Introduction
   PHP & Java language fundamentals
   Debugging PHP & Java applications
   Auditing for zero-day vulnerabilities
   PHP logic authentication bypasses (zero-day)
   PHP code injection remote code execution (n-day)
   Java Naming and Directory Interface (JNDI) injection (n-day)
   Remote class loading
   Java deserialization 101
   PHP object instantiation (n-day)
   External entity injection (XXE)
   File disclosure
   Server-side request forgery (SSRF)
   PHP object injection
   Property-oriented programming (POP)
   PHP custom gadget chain creation
   Blacklist bypasses for remote code execution (zero-day)

Language
The training is delivered entirely in English, but I have some Spanish that I can fall back on if students are stuck.

Instructor

Steven Seeley
Steven is a full stack hacker and has been a ZDI platinum researcher for the last 4 years running. Previously, Steven was the lead developer of the AWAE course held by Offensive Security and has trained students at both Black Hat Asia and Black Hat USA. When he's not (ab)using code, he's often out riding his Harley-Davidson or lifting heavy weights.

Twitter: @steventseeley
 ____________________________________________

To register or receive more information, please mail to: capacitacion@ekoparty.org