Web Application
Security Training
Dr.Ing. Mario Heiderich, Cure53 Germany
17th to 19th March, 2020 | Bengaluru, India
About Mario
Dr.-Ing. Mario Heiderich, handsome heartbreaker, Bon-Vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint slides and profanities. Wherever Mario goes, bad weather and thunderstorms follow him. Doctors worldwide are clueless about this extraordinary condition of his.
"Exploit the seemingly unexploitable"
SecureLayer7 is coming up with a training program in Bengaluru, India, specially crafted for IT professionals to secure their applications. This program is designed for developers, defenders, and security consultants to equip them with all the latest advancements in Web Application Security Testing.
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES2017 & AngularJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there is no GET parameter and our scanner scans cannot tampers with them? Classic web-pentests are “so nineties” in this realm. And keeping up the pace with progress is getting harder and harder. But there is hope. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2016 mailing lists. Whether you want to attack modern web applications or shiny browser extensions – we have that covered. HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private Github repository so all attendees will be receive updated material even months after the actual training.
KEY TAKE-AWAYS OF TRAINING
The training session will present you an opportunity to have hands-on experience with countless tricks and techniques of exploiting the (seemingly) unexploitable! We will cover a great range of modern website bugs and teach you how to make sure that these issues get fixed properly and smoothly.
Security Consultants will get hands on experience on latest techniques and methodologies to exploit any web-application with unknown legacy features or the half-baked results coming to your browser.
Developers will gain knowledge and understanding of the concepts, standards and precautionary measures for developing a highly secure web application.
The top management will be able to understand the risks in Business continuity with a vulnerable application in order to take well informed decisions".
Glimpses of past event
Conference Talk
Tracks at a Glance
Motivation
"Why we are here today? Let's learn why client-side security is in a close relation with websecurity challenges for many and blessing for few - and what the foundation of this claim might be."
The Very Basics
"Time to learn about the absolute basics of web security and the web itself and see how even they contribute to the complexity and diversity of this topic. Learn about client and server side security."
Various Attacks
"Let's now have a look at attack techniques that are useful but didn't really fit into any of the chapters we covered before. Stuff, that few people know, things that will help you pop an alert where others fail."
Defence 101
"We will now have a look at the basic defense techniques – and see which attacks will be covered by them and why it sometimes works and sometimes won't. Let's start about defence"
Cross Site-Scripting
"Cross-Site Scripting has been around for 15 years – and is still not solved. We'll see why, how it affects us and will focus on how we can at least solve it for our web-applications"
The DOM
"The place where no one hears you scream. Literally. This place has everything a classic Hall of Mirrors offers – and that's often great for us. The attackers."
HTML5+
"HTML5 makes the browser become the new OS. Step by step. How is this important for us and what should we know about the resulting threats?"
SVG
"Mixing two unrelated standards and hoping nothing goes wrong is one thing. That we all have to deal with it now is another. Say hello to SVG."
Browsers
"Let's now cover the browser itself and the remaining slices of the attack-surface cake. Let's also see how we can use the browser to protect our apps a bit better!"
Non-Browsers
"Not only browsers are capable of using and producing markup. Other applications like OpenOffice and Word use XSL too and the Acrobat Reader can even script quite well!"
Conclusion and Outlook
"This final chapter will cover issues, expect to see within the next session. Knowing the attacks and help us understand future attack surface and deliver better pentests"
Sample Slides
Download Application security training sample slides to know more about the training content
Download