Web Hacking 101 Hands-on with Burp Suite

BSidesDE 2015

Presented by: David Rhoades (@mavensecurity)
Date: Saturday November 14, 2015
Time: 13:30 - 17:30
Location: Track 3

A high-energy, demo-laden, caffeine-laced session that will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry's most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit).

This is a hands-on session. Attendees are encouraged to bring a PC, Mac, or Linux box running either Oracle VirtualBox or VMware Player (both are free). All of the tools and targets used during the session will be available to the attendees in a single virtual machine file.

To prepare, wait until the day before the event, then grab the latest version of the Web Security Dojo from here: https://www.mavensecurity.com/web_security_dojo/

NOTE: It's best to wait until a few days prior to the event before downloading, to be sure you have the latest version of "the Dojo", since that is what will be used during the session.

Time permitting, the following topics will be covered:

- Web Primer (HTML, HTTP, Cookies; just the basics)
- Introduction to Burp Suite
- Threat Classification Systems (OWASP Top Ten & WASC Threat Classes)
- Vulnerability Category: A3: Cross-Site Scripting (XSS)
- Vulnerability Category: A4: Insecure Direct Object References
- Vulnerability Category: A1: Injection (SQL, XML entity, etc.)

NOTE: Since the student will have all of the tools and targets in a single virtual machine, they are free to continue learning after the session in the privacy of their own localhost. No network required. The Web Security Dojo includes various PDF walk-through guides for some of the targets.

David Rhoades

David Rhoades is the founder & CEO of Maven Security Consulting Inc. (www.mavensecurity.com). Maven Security is a Delaware corporation that provides information security assessments and custom services to a global clientele. David’s expertise includes web application security and vulnerability assessments. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David has taught at various security conferences around the globe (Interop, OWASP, USENIX, ISACA, SANS, DefCon, Black Hat). David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu).

