Web Application Security 101
Abstract
This workshop is an introduction to attacking web applications. Attendees will be placed in the position of an attacker and guided through an attack chain in order to break into a target web application. The goal of this workshop is to gain first-hand experience from an attacker's perspective, understand the security implications of bad design decisions, and develop ideas on how to subvert security and access controls.
Target Audience
This workshop is especially suited for IT professionals who are already familiar with the tech stack of web applications, such as web or mobile developers, and who want to learn more about an attacker's view of web applications and the way common vulnerabilities can be used to take control of an application. There are no hard knowledge requirements; it is, however, beneficial to know basic web terminology and technical components, such as HTML, JavaScript, HTTP requests and HTTP responses.
Details
This workshop is meant to be an introduction to attacking web applications, and no prior knowledge is required to get into the shoes of an attacker with this course. Therefore a common base to start from is laid out in the form of a short introduction to basic terms and technology components that are important when dealing with web applications. Afterwards the target application is introduced and all attendees are guided through an attack chain in order to compromise the target application. By the end of this course all attendees will have gained hands-on experience with attacking a web application, identifying vulnerabilities and exploiting them to gain privileged access to the target application.
Agenda
- Introduction and Goals
- Web Application Attack Surface
- Attack scenario and preparation
- Start of the attack: Information Gathering
- Understanding the target: Identification of Weaknesses
- Getting Access: Exploitation
- Analysis of found and exploited vulnerabilities
- Outro, Recap and Q&A