Difference between revisions of "Spring Training 2016 - Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more"

From BruCON 2016

(Course Description)
(Trainers Biography)
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
=Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more=
 
=Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more=
 +
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique two-day hands-on training!
  
 
===Course Description===
 
===Course Description===
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique hands-on training!
+
Dawid will discuss security bugs that he has found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.
 
 
I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.
 
  
 
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
 
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
Line 34: Line 33:
  
 
This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector and it was very well-received. Recommendations can be found [https://silesiasecuritylab.com/services/training/#opinions here]
 
This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector and it was very well-received. Recommendations can be found [https://silesiasecuritylab.com/services/training/#opinions here]
 +
 +
Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.
 +
 +
= Target audience =
 +
 +
Pentesters, bug hunters, security researchers/consultants
  
 
= Requirements =  
 
= Requirements =  
Line 44: Line 49:
 
=Trainers Biography=
 
=Trainers Biography=
 
[[File:Dawid_Czagan.jpeg|thumb|125px]]  
 
[[File:Dawid_Czagan.jpeg|thumb|125px]]  
Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.  
+
Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
 +
 
 +
Dawid Czagan shares his security bug hunting experience in his very well-received hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector.
  
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing.  
+
He presented his research at Security Seminar Series (University of Cambridge), HITB GSEC (Singapore), DeepSec (Vienna) and published over 20 security articles (InfoSec Institute).
  
Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles
+
Dawid Czagan is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He is also Security Advisor at Future Processing.
(InfoSec Institute).
 
  
 
To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter (see below).
 
To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter (see below).
Line 59: Line 65:
 
* [https://silesiasecuritylab.com/services/training/#opinions What students say about this training]
 
* [https://silesiasecuritylab.com/services/training/#opinions What students say about this training]
  
''Mon. 20 - 21 October 2015 (09:00 - 17:00) (2-day)''
+
''Wed. 20 - 21 April 2016 (09:00 - 17:00) (2-day)''
  
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
  
 
[[Training|Back to Training Overview]]
 
[[Training|Back to Training Overview]]

Latest revision as of 22:35, 16 December 2015

Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique two-day hands-on training!

Course Description

Dawid will discuss security bugs that he has found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

Course contents

After completing this training, you will have learned about:

  • tools/techniques for effective hacking of web applications
  • non-standard XSS, SQLi, CSRF
  • RCE via serialization/deserialization
  • bypassing password verification
  • remote cookie tampering
  • tricky user impersonation
  • serious information leaks
  • browser/environment dependent attacks
  • XXE attack
  • insecure cookie processing
  • session related vulnerabilities
  • mixed content vulnerability
  • SSL strip attack
  • path traversal
  • response splitting
  • bypassing authorization
  • file upload vulnerabilities
  • caching problems
  • clickjacking attacks
  • logical flaws
  • and more…

This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector, and it was very well received. Recommendations can be found at https://silesiasecuritylab.com/services/training/#opinions

Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Target audience

Pentesters, bug hunters, security researchers/consultants

Requirements

To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or similar, to analyze or modify traffic.

Hardware/software Requirements

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB of free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware Player installed (64-bit version). Prior to the training, make sure there are no problems with booting 64-bit VMs (BIOS settings changes may be needed).

Trainers Biography


Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his very well-received hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He has delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector.

He presented his research at Security Seminar Series (University of Cambridge), HITB GSEC (Singapore), DeepSec (Vienna) and published over 20 security articles (InfoSec Institute).

Dawid Czagan is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He is also Security Advisor at Future Processing.

To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter (see below).


Twitter: @dawidczagan

Links:

Wed. 20 - 21 April 2016 (09:00 - 17:00) (2-day)

Register: https://registration.brucon.org/training-registration/
