Web Application Hacking

Part 1: Web application (in)security

• Server OS platforms
• Web servers (apache, nginx, weblogic, IIS etc.)
• Server-side application frameworks and programing languages
• Data-stores; Relational (SQL), non-relational (noSQL) and document-based
• Client-side technologies (Browsers, Browser plugins, HTML, HTML5, CSS, javascript etc.)
• Offensive toolset and practice targets
   
  Part 2: Mapping web applications
• Web spidering (automated and user directed)
• Discovering Hidden Content
• Application Pages Versus Functional Paths
• Discovering Hidden Parameters
• Identifying Entry Points for User Input
• Identifying Server-Side Technologies and Functionality
• Mapping the Attack Surface
• Transmitting Data Via the Client
• Capturing User Data: HTML Forms
• Capturing User Data: Browser Extensions
   
  Part 3: Authentication and session attacks
• Authentication Technologies
• Design Flaws in Authentication Mechanisms
• Brute-forcing logins
• Implementation Flaws in Authentication
• Securing Authentication
• The Need for State
• Weaknesses in Token Generation
• Weaknesses in Session Token Handling
• Securing Session Management
   
  Part 4: Attacking data stores
• Exploiting a Basic Vulnerability
• Injecting into Different Statement Types
• Finding SQL Injection Bugs
• Fingerprinting the Database
• Extracting Data with UNION
• Performing Blind injections
• Automating SQLi testing with sqlmap
• Advanced Exploitation (FS interaction, and code execution)
• Bypassing Filters
• Second-Order SQL Injection
• Beyond SQL Injection: Escalating the Database Attack
• Using SQL Exploitation Tools
• SQL Syntax and Error Reference
• Preventing SQL Injection
   
  Part 5: Attacking Users: Cross-Site Scripting
• Varieties of XSS
• Real-World XSS Attacks
• Payloads for XSS Attacks
• Delivery Mechanisms for XSS Attacks
• Finding and Exploiting XSS Vulnerabilities
• Preventing Reflected and Stored XSS
• Evading security filters and browser checks
   
  Part 6: Attacking Back-End Components and Application Logic
• Injecting OS Commands
• Manipulating File Paths
• Injecting objects and (de)serializers
• The Nature of Logic Flaws
• Real-World Logic Flaws
• Avoiding Logic Flaws
• Hardening OS networking stacks
• Implement host-based firewalls and “good” logging
• Hardening web application servers (Apache, IIS)
   
  Part 7: boot2root attack scenario against a server
• Scanning, enumeration and resource mapping
• Testing for possible injections
• Detect vulnerable parser at other side
• Inject code
• Gather system information
• Establish control connection
• Enumerate attack surface (resources, services, users, permissions, execution paths etc)
• Escalate privileges
• Establish persistence
• Pivot
   
  Part 8: boot2root: now it’s your turn (optional)
• Final CTF
• Students work on their own and submit reports
• Workshop summary