
SECURITY TESTING WEB APPLICATIONS
(SyScan_08_01)


NGS performs penetration tests against some of the most high-profile sites on the internet, and has published the seminal papers in SQL Injection, Oracle Application Server, and many advisories on Web Application Software. This course will demonstrate the full NGS methodology for finding vulnerabilities in web applications, sharing techniques, tools, tips and tricks, and revealing the breakdown of vulnerabilities found on assessment by NGS.
With much of Web Application security now common knowledge, NGS pushes this subject to its new limits, sharing the techniques which make the difference between most methodologies and a deep hack. As well as the conventional attacks covered in this field, delegates will be able to try their hand at some more unique, in-depth attacks:

  • Exploiting Cross Site Scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
  • Exploiting SQL Injection by bypassing filters, using second-order attacks, chaining queries and fully blind exploitation, using techniques from NGS’ papers as well as some newer ones from the NGS research labs.
  • Exploiting LDAP Injection and Command Injection.
  • Reverse engineering ActiveX and Java applets to bypass client-side controls (similar to those currently found in online games)
  • Seeing how authentication and authorisation are commonly broken
  • Viewing the common logic flaws found in web applications, with worked examples of how these can be exploited.

The course is backed up by a comprehensive manual covering vulnerabilities, hacking methodology, and corresponding security advice. NGS will provide a toolset for delegates in all of the demonstrations, and move on from labs to a final web application where delegates participate in a “capture the flag” contest.


Pre-requisite:
The ideal delegate will have some familiarity with web application security, being familiar with terms such as Cross Site Scripting and SQL Injection even if they haven’t had the chance to exploit these fully.
This course has a heavy lab content, so familiarity with common web application tools and vulnerabilities is required for full appreciation of the course.
Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.

Class Outline:

COURSE INTRODUCTION
• Course Abstract
• Course Objectives
• Course Instructors
• Course Delegates
• Course Domestics & Timetable

AN INTRODUCTION TO WEB APPLICATIONS
• The Advantages of a Web Application
• Common Uses and Configurations
• The Core Security Issue

APPLICATION STRUCTURE
• Sample Application Overview
• Input Validation
• Authentication
• Session Checking
• Privilege Management
• Administration
• Auditing and Logging
• Error Handling

TECHNOLOGIES
• J2EE
• ASP.Net
• PHP

MAPPING THE APPLICATION
• Profiling
• Determining Technologies in Use
• Dissecting a Request
• Learning the Behaviour of the Application
• Content discovery

BYPASSING CLIENT CONTROLS
• Bypassing HTML Controls
• JavaScript and VbScript
• Java
• ActiveX
• Securing Client-Side Content

AUTHENTICATION VULNERABILITIES
• Design flaws in authentication mechanisms
• Implementation flaws in authentication
• Securing authentication

VULNERABLE SESSION MANAGEMENT
• Background to session management
• Weaknesses in session token generation
• Weaknesses in session token handling
• Securing session management

BROKEN ACCESS CONTROLS
• Common vulnerabilities
• Attacking access controls
• Securing access controls

VULNERABILITIES - INJECTION
• Interpreted Languages
• SQL Injection
• LDAP Injection
• Command Injection
• XML Injection

VULNERABILITIES - LOGIC FLAWS
• Forced Browsing
• Case Study 1: Registration Bug
• Case Study 2: AOL Password Handling
• Case Study 3: Multi-Stage Login
• Case Study 4: The Memorable Word Bypass
• Case Study 5: Text Searches
• Case Study 6: Race Condition During Authentication
• Beating a Business Limit

PATH TRAVERSAL
• Common vulnerabilities
• Detecting and exploiting path traversal vulnerabilities
• Avoiding path traversal vulnerabilities

INFORMATION DISCLOSURE
• Common vulnerabilities
• Preventing information leakage
• Google Hacking

ATTACKING OTHER USERS
• Cross-Site Scripting
• Redirection attacks
• HTTP header injection
• Frame injection
• Cross-site request forgery (XSRF)
• Session fixation
• Attacking ActiveX controls
• Advanced exploitation techniques

CLASSIC VULNERABILITIES
• Classic vulnerabilities in web applications
• Buffer overflows
• Integer vulnerabilities
• Format String Bugs

FLAWS IN WEB APPLICATION ARCHITECTURE
• The Tiered Architecture
• Shared Hosting Environments
• Application Service Providers (ASPs)
• Third Party Systems

WEB SERVER FLAWS
• (Mis)Configuration
• Web Server Vulnerabilities
• Oracle Application Server

A WEB APPLICATION ASSESSMENT TOOLKIT
• Web Browsers
• Site Spiders
• Vulnerability Scanners
• Local Proxies
• Brute Forcing Tools
• Custom Toolkits
• Programming for Pentesters

BRUTE FORCING TECHNIQUES
• Targets for Brute Forcing
• Performing a brute force attack

SECURITY DEVICES
• Module Overview
• Intrusion Detection
• Application Firewalls

IDENTIFYING VULNERABILITIES IN SOURCE CODE
• Approaches to code review
• Signatures of common vulnerabilities
• Java
• ASP.NET
• PHP
• Perl
• SQL

Trainer

MARCUS PINTO
Principal Information Security Consultant, NGSS

Marcus is the co-author, with Dafydd Stuttard, of "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" <http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1/002-9138979-0048858?ie=UTF8&s=books&qid=1182438884&s>, published in October 2007.

Marcus has over 5 years' experience providing technical, hands-on security consultancy on the web applications of a diverse range of high-profile clients, including the British Ministry of Defence, High Street banks, financial institutions, telecommunications companies and the British National Critical Infrastructure.

In his current employment he is heavily involved with NGS’ financial sector clients. This involvement requires a strong focus on web application vulnerabilities from architectural and penetration testing approaches. This also demands an understanding of the specific vulnerabilities arising from complex, large-scale J2EE and .Net deployments to which many assessment teams are not exposed.

Marcus has experience in web application development, and has spoken at many conferences, as well as providing the original delivery and co-production of NGS’ Black Hat Database Assessment course and Web Application Course.

Before joining NGS, Marcus worked as an advisor to a Vulnerability Assessment Team in the British MoD.
