Special Notices

NotSoSecure part of claranet cyber security

QA is proud to be an official partner with NotSoSecure.

Overview

This class teaches the audience a wealth of hacking techniques to compromise modern-day web applications, APIs and associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques. The class allows attendees to learn and practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Attendees will also benefit from a state-of-art Hacklab during the course.

Some of the highlights of the class include:

  • Modern JWT, SAML, OAuth bugs
  • Core business logic issues
  • Practical cryptographic flaws.
  • RCE via Serialization, Object, OGNL and template injection.
  • Exploitation over DNS channels
  • Advanced SSRF, HPP, XXE and SQLi topics.
  • Serverless exploits
  • Web Caching issues
  • Attack chaining and real life examples.

Target Audience

  • Web developers
  • Intermediate level penetration testers
  • DevOps engineers, network engineers
  • Security researchers / analysts
  • Security architects
  • Security professionals & enthusiasts
  • Anyone who wants to take their skills to the next level

Users are also encouraged to familiarize themselves with Burp Suite https://portswigger.net/burp/communitydownload to gain maximum out of the class.

About the Course Author

Dhruv Shah Principal Security Consultant and Trainer


Role

Dhruv has been with NotSoSecure since 2017 and has worked on security issues with a broad range of clients, including major banking, finance and media companies. This work involves web and application penetration testing and network assessments. He is also involved in Red Team assessments appraising system and network vulnerabilities with little or no prior knowledge of them. His trainer work has involved running courses at BlackHat Chicago and researching and updating the NotSoSecure Advanced Web Hacking training course. His trainer work has involved running courses at Black Hat Chicago in 2018 and Black Hat USA 2019.

Background

Dhruv holds a Master’s degree in IT and has seven years’ specialist experience in Information Security. He started off as a trainer sensitising staff in private sector organisations about security issues and what hackers look for when they launch attacks on networks. He then moved employers where he carried out penetration testing work in Indian government agencies and then at banking clients in the Middle East. He now has extensive penetration testing experience for Fortune 500 companies involving web and mobile applications, networks, Infra and Red Team work. In his spare time, he co-authored the book “Kali Linux Intrusion and Exploitation” and is an active member and moderator of one of the Null chapters in India.

Passion

From an early age, Dhruv was fascinated by the inner working of things, taking them apart and finding out how they really worked. This passion directly led to his work in later years in Information Security. He derives huge professional satisfaction by helping companies make their systems and networks more secure by sharing the results of his penetrating testing and providing concrete preventative solutions. By showing them how malicious hackers can exploit flaws and vulnerabilities, he knows he is enabling them to go about their everyday business in the most secure way possible. When not engaged in client work, he maintains his skills and knowledge by carrying out interesting and unusual types of penetration testing and researching new methods to break into applications and systems.

Learning Outcomes

  • The latest hacks in the world of web hacking. The class content has been carefully handpicked to focus on some neat, new and ridiculous attacks.
  • We provide a custom kali image for this class. The custom kali image has been loaded with a number of plugins and tools (some public and some NotSoPublic) and these aid in quickly identifying and exploiting vulnerabilities discussed during the class.
  • The class is taught by a real pentester and the real-world stories shared during the class help attendees in putting things into perspective.
  • Access to a hacking lab during the course and numerous scripts and tools will also be provided during the training, along with student handouts.
  • Our courses also come with detailed answer sheets. That is a step by step walkthrough of how every exercise within the class needs to be solved. These answer sheets are also provided to students at the end of the class.

Course Outline

Lab Setup and architecture overview

Introduction to Burp Features

Attacking Authentication and SSO

  • Token Hijacking attacks
  • Logical Bypass / Boundary Conditions
  • Bypassing 2 Factor Authentication
  • Authentication Bypass using Subdomain Takeover
  • JWT/JWS Token attacks
  • SAML Authorization Bypass
  • OAuth Issues

Password Reset Attacks

  • Session Poisoning
  • Host Header Validation Bypass
  • Case study of popular password reset fails

Business Logic Flaws / Authorization flaws

  • Mass Assignment
  • Invite/Promo Code Bypass
  • Replay Attack
  • API Authorisation Bypass
  • HTTP Parameter Pollution (HPP)

XML External Entity (XXE) Attack

  • XXE Basics
  • Advanced XXE Exploitation over OOB channels
  • XXE through SAML
  • XXE in File Parsing

Breaking Crypto

  • Known Plaintext Attack (Faulty Password Reset)
  • Padding Oracle Attack
  • Hash length extension attacks
  • Auth bypass using .NET Machine Key
  • Exploiting padding oracles with fixed IVs

Remote Code Execution (RCE)

  • Java Serialization Attack
  • .Net Serialization Attack
  • PHP Serialization Attack
  • Python serialization attack
  • Server Side Template Injection
  • Exploiting code injection over OOB channel

SQL Injection Masterclass

  • 2nd order injection
  • Out-of-Band exploitation
  • SQLi through crypto
  • OS code exec via PowerShell
  • Advanced topics in SQli
  • Advanced SQLMap Usage and WAF bypass
  • Pentesting GraphQL

Tricky File Upload

  • Malicious File Extensions
  • Circumventing File validation checks
  • Exploiting hardened web servers
  • SQL injection via File Metadata

Server-Side Request Forgery (SSRF)

  • SSRF to query internal network
  • SSRF to exploit templates and extensions
  • SSRF filter bypass techniques
  • Various Case studies

Attacking the Cloud

  • SSRF Exploitation
  • Serverless exploitation
  • Google Dorking in the Cloud Era
  • Cognito misconfiguration to data exfiltration
  • Post Exploitation techniques on Cloud-hosted applications
  • Various Case Studies

Attacking Hardened CMS

  • Identifying and attacking various CMS
  • Attacking Hardened Wordpress, Joomla, and Sharepoint

Web Caching Attacks

Miscellaneous Vulnerabilities

  • Unicode Normalization attacks
  • Second order IDOR attack
  • Exploiting misconfigured code control systems
  • HTTP Desync attack

Attack Chaining N tier vulnerability Chaining leading to RCE

Various Case Studies

  • A Collection of weird and wonderful XSS and CSRF attacks

B33r-101

Cyber Security Learning Paths

Want to boost your career in Cyber Security? Click on the roles below to see QA‘s learning pathways, specially designed to give you the skills to succeed.

= Required
= Certification
Cyber Management
Cyber Tech
Privacy
AppSec
Security Auditor
Intrusion Analyst
CompTIA Security Includes Security+, CySA+ and CASP
Industrial Control Systems & Operational Technology Technical
Industrial Control Systems & Operational Technology Management