Modern Webapp Pentesting II: Webapp Internals w/ BB King
March 14 @ 9:00 am – March 15 @ 6:00 pm EDT
Course Length: 16 Hours
Tuition: $575 per person
Includes: Twelve months of complimentary access to the Antisyphon Cyber Range, certificate of participation, six months access to class recordings.
Thursday, March 14, 2024: 9:00 AM – 5:00 PM
Friday, March 15, 2024: 9:00 AM – 5:00 PM
All times are Eastern.
This class is part of The Most Offensive Con that Ever Offensived March 2024 Summit. Registration for any class in The Most Offensive Con that Ever Offensived March 2024 Summit includes registration for the summit and all of its presentations, talks, and streams.
Modern Webapp Pentesting II: Webapp Internals is written as a follow-up to Modern Webapp Pentesting.
This course builds on the fundamentals and gives you experience with how they apply to current problems in web applications. It is a very hands-on course. The material is organized around key technologies and concepts: authentication and authorization, understanding in-browser defenses so you can devise ways to bypass them, and learning just enough about web development to see where real developers are likely to make mistakes or rely too much on unstated assumptions.
This course doesn’t worry about where a student falls on the imaginary scale of beginner to expert but instead focuses on finding and exploiting the kinds of issues found in real webapps today.
- Hands-on experience with the kinds of defects that modern webapps actually have.
- Better understanding of how Burp Suite extensions can help your testing.
- Just Enough Scripting: a basis for using scripts in your testing to automate things, save time, and test more deeply.
Who Should Take This Course
Practicing or Aspiring Webapp Testers: This course looks at vulnerabilities and exploits that are less commonly talked about, and more fun to discover. It will help you become a more well-rounded tester, able to find, exploit, and discuss problems related to authentication and authorization, injection attacks like XXE, SSTI, RFI & LFI, and SSRF. You will understand how cookies actually work in current browsers and how they can interfere with working exploits even when an application is vulnerable. You'll spend time digging into the Same Origin Policy and CORS, and learning how a Content Security Policy can protect a webapp that's otherwise vulnerable, and some ways to get around such a policy.
Web Developers: come see how your applications look to an attacker, and learn enough about how they think so that you can do some of your own testing and write more resilient code.
Audience Skill Level
Motivated Beginners: the course begins with a brief review of protocols and tools, but assumes that students are conversant with Burp Suite, HTTP, and HTML.
Experienced Testers: If you're comfortable exploiting things like XSS, SQL injection, CSRF, and IDOR, you'll see how to use those skills for more attacks that are less straightforward, such as SSTI, SSRF, XXE, LFI/RFI and type juggling. You'll also get some time and practice automating some of the more tedious parts of your tests so you can focus on what's more fun and still get good coverage.
What Each Student Should Bring
- Curiosity and tenacity
- A laptop with at least 8GB RAM and 50GB free disk space that can run VMware (Workstation, Fusion, or Player) and one virtual machine.
What Students Will Be Provided With
- Slide deck and links to all the material and tools needed with instructions.
- Virtual machine with all the necessary tools and targets for the course.
- Contact information for the instructor and a 6-week window of direct one-on-one access in case you have questions after the class is over.
Trainer & Author
BB King has been pentesting webapps since 2008. He was the second hire into his employer’s application security team at a time when “PCI” was brand new and long before bug bounty programs – when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant experience pentesting before joining the team.
BB believes that webapps are the best targets for pentesting because although they all look familiar on the surface, they’re all different, often in surprising ways. Each webapp is a collection of puzzles for a pentester and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.