WAHH Live Training

MDSec’s Web Application Hacker’s Handbook Live training

MDSec works at the forefront of application security. Our latest edition of the Web Application Hacker’s Handbook [Wiley, 2011] spans 870 pages, and we run numerous global training courses on web application security for development teams and professional testers alike. The course follows the chapters of the Second Edition of The Web Application Hacker’s Handbook, with a strong focus on practical attacks (there are only 140 slides in either the 2- or 3-day course).

Our WAHH Live Course has been delivered at BlackHat, HiTB, Syscan, Countermeasure and 44con, and has been recently reinforced with the 2nd Edition of the Web Application Hacker’s Handbook, bringing you right up to date.

The course is highly practical. There are only 140 slides in the course, which relies primarily on 400+ vulnerable examples from all of the chapters of the book, and a Capture the Flag exercise. We have made one of the main servers we use available online; if you want to see inside the labs you can view the demo.

Burp Suite Training, at your level.

Our course features Burp Suite at its heart. Whilst many experienced web application testers may already be using Burp, it has many options and extended capabilities that users do not have time to investigate on time-limited assessments.

If requested, MDSec’s training can be adapted and extended to help you learn more about Burp suite, including:

  • Understanding how to push the Burp Intruder capabilities to meet non-standard application behaviour
  • Using Burp Extensions to extend Burp’s capabilities, e.g. to test Web Services or add scanner checks
  • Writing Burp Extensions to enable testing against serialised or encapsulated data
  • Using Macros to enable automated testing against modern frameworks that enforce CSRF tokens or auto-logout

Meanwhile, if the above is unfamiliar territory, you can be reassured that we offer a full “zero to hero” approach: we take you from the basics of the HTTP protocol, through setting up the tool for optimal use and the capabilities and use of each of the key portions of Burp Suite, to performing both automated and manual web application tests. QA teams love it!

Course Syllabus

After a short introduction to the subject we delve into common insecurities in logical order:

  • Introduction to Web Application Security Assessment (Chapters 1-3)
  • Automating Bespoke Attacks: Practical hands-on experience with Burp Suite (Chapter 13)
  • Application mapping and bypassing client-side controls (Chapters 4-5)
  • Failures in Core Defense Mechanisms: Authentication, Session Management, Access Control, Input Validation (Chapters 6-8)
  • Injection and API flaws (Chapters 9-10)
  • User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications
  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI
  • Real-world, 2015 techniques in SQL Injection against Oracle, MySQL and MSSQL
  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise
  • Harnessing new technologies such as HTML5, NoSQL, and Ajax
  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated Access Control checking
  • How to immediately recognise and exploit Logic Flaws

For more detailed information about the course’s practical structure, see the Web Application Hacker’s Methodology chapter from the original version of the book.
To see the practical exercises in action, please visit our demo.

Ready to start testing your applications?

Speak to one of our industry experts and find out how MDSec can help your business.

+44 (0) 1625 263 503