TT1 – Web Application Security – Threats & Countermeasures

Trainer: Shreeraj Shah (Founder, BlueInfy) and Vimal Patel (Founder/Director, BlueInfy)
Capacity: 15 pax
Seats left: 8
Duration: 2 days
Cost: (per pax) USD1499 (early bird) / USD1899 (non early-bird)



The introduction and adoption of new technologies such as Ajax, Rich Internet Applications (RIA) and Web Services has changed the dimensions of application hacking. We are witnessing new ways of attacking web-based applications, and securing them requires a better understanding of these technologies. The only constant in this space is change. In the dynamically changing era of Web 2.0 it is important to understand the threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and many client-side attack vectors are on the rise, such as Ajax-based XSS, CSRF, widget injection, RSS exploits, mashup manipulation and client-side logic exploitation. At the same time, new attack vectors are evolving around SOA by targeting SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and the corresponding defense strategies.

The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum to address these new challenges. This is a hands-on class. It features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to a range of attack vectors and exploits. In class, the instructor will introduce tools such as wsScanner, scanweb2.0, AppMap and AppCodeScan for better pen-testing and application audits.

Target Audience

Security Managers, Security Consultants and Auditors, Administrators, Developers, QA team and Code reviewers

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise: working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies.

Course Agenda

• Application Security Fundamentals and Principles – The evolution of applications, threats to an application, application security trends, the spectrum of application security attacks

• Application Components and Protocols – Understanding multi-layered application architecture, programming languages used in applications – J2EE, .NET, PHP, etc., inside HTTP, HTML forms and browser interaction, introduction to tools useful for testing applications, Web Server configuration, web server vulnerabilities, fingerprinting web servers and application servers, security controls pertaining to web servers and their deployment

• Application Footprinting, discovery and profiling applications – Host and Domain discovery, discovering web applications and interfaces, discovering the functional structure of applications – the hacker’s viewpoint, Advanced techniques, Discovering Web services and Web applications, Profiling Web services and applications, Ajax fingerprinting, Profiling Ajax applications and Server-side entry point detection

• Application Attack Vectors – Mapping assets to attacks, sifting through HTML source, forcing application layer errors, information leakage through error messages, source code disclosure, input tampering and input validation attacks, SQL injection and attacks on the database, injecting malicious code and remote command execution, accessing the underlying file system, brute forcing HTTP authentication, brute forcing HTML form authentication, session hijacking, Cross Site Scripting (XSS) attacks, Cross Site Request Forgery (CSRF/XSRF) attacks

• Threat Modeling – Threat analysis, Architecture review, Technologies and Source Code, Threat matrix, Security controls for code, Design analysis and review

• Assessment methods – Blackbox, Whitebox, analyzing configuration and deployment issues, Reconnaissance and Vulnerability Assessment, Fingerprinting Web servers and Architectures, Defense strategies – Minimizing the window of opportunity, Leveraging Web mashups and search APIs

• Application Attack countermeasures – Security by design, The importance of application security controls in the software development life cycle, Secure coding practices, Protecting data at rest and data in transit, Client side security

• An Introduction to Advanced Application Architectures – Refreshing classic application security threats and vulnerabilities, Evolution of application architectures, Security model for next generation application architectures, Web Services and SOAP, XML-RPC, AJAX-enriched clients, New tools and techniques for attacking advanced application architectures

• Advanced Web attacks – XPath injection, XML and Schema poisoning, Blind SQL injection, XSS proxy attacks, Browser hijacking, Intranet scanning, JavaScript exploitation

• Whitebox Analysis – Entry points detection, Tracing and Digging, Function and Component dissecting, Threat and Impact analysis

• Securing Code & Defense – Fundamentals, Controls and Strategies, Input validation, Error handling, Session hardening, Logs and Tracing, Traps for hackers, Assembly hardening, Guarding application code

• XML and Web Services – SOAP, XML-RPC and REST-based attacks and security.

• Web Fuzzing & Exploits – Web application entry points, the art of fault injection, Exploit framework – Metasploit, Exploiting SQL injection points, Building exploits and launching them effectively

• Client-side coding – Ajax and JavaScript analysis, Flash-based application reviews and Browser security.

About the trainers
Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He has also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of the books Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O’Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.

Blog: http://shreeraj.blogspot.com
Email: shreeraj@blueinfy.com

Vimal Patel (Founder and Director)

Vimal Patel is a founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy and is instrumental in delivering trainings and large application testing assignments. He has conducted numerous assessments, code reviews, application architecture reviews and threat modeling exercises, and has delivered trainings at conferences such as DeepSec, HITB and Syscan. He has written tools and contributed papers as part of Blueinfy’s research initiative.

Prior to founding Blueinfy, he held the position of Vice President at Citigroup, where he led the architecture, design and development of various financial applications. Vimal holds a Master’s degree in Computer Science. He has over a decade of experience and expertise in many technologies, ranging from the design of complex digital circuits and microcontroller-based products to enterprise applications.