A high-energy, demo-laden, caffeine-laced session that will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry's most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit).
This is a hands-on session. Attendees are encouraged to bring a PC, Mac, or Linux box running either Oracle VirtualBox or VMware Player (both are free). All of the tools and targets used during the session will be available to the attendees in a single virtual machine file.
To prepare, wait until the day before the event, then grab the latest version of the Web Security Dojo from here: https://www.mavensecurity.com/web_security_dojo/
NOTE: It's best to wait until a few days prior to the event so that you have the latest version of "the Dojo", since that is the version that will be used during the session.
Time permitting, the following topics will be covered:
- Web Primer (HTML, HTTP, Cookies; just the basics)
- Introduction to Burp Suite
- Threat Classification Systems (OWASP Top Ten & WASC Threat Classes)
- Vulnerability Category: A3: Cross-Site Scripting (XSS)
- Vulnerability Category: A4: Insecure Direct Object References
- Vulnerability Category: A1: Injection (SQL, XML entity, etc.)
NOTE: Since the student will have all of the tools and targets in a single virtual machine, they are free to continue learning after the session in the privacy of their own localhost. No network required. The Web Security Dojo includes various PDF walk-through guides for some of the targets.