
Hands-on: Remote Testing for Common Web Application Security Threats

May 7, 2012 8:30am-4:30pm

Instructor: David Rhoades
Senior Consultant, Maven Security Consulting, Inc.

Who should attend: People who need to audit web application security, develop web applications, or manage the development of web applications. Some essentials of HTTP will be briefly covered in the course, but it is best if you already have prior experience with HTML and HTTP.

Hands-on Exercises: This one-day workshop will include live demos by the instructor, as well as lab exercises to be performed by the students.

Each student will be given a virtual machine (via CD or USB) containing an open-source OS (Ubuntu), tools, documentation, and web application targets for a fully self-contained web security testing environment. Training will feature the open-source project “Web Application Security Dojo” (http://dojo.mavensecurity.com).

Students are expected to bring a laptop computer so that they can run the virtual machine image supplied by the instructor.
Student system requirements are simple:

  • Any operating system that can run the latest stable version of VirtualBox (free from http://www.virtualbox.org/). Currently supported host operating systems include Windows, Mac, and Linux.
  • 5 GB of free HD storage
  • 1 GB of RAM (2 GB or more is better)
  • USB port or DVD drive
  • Wifi networking capability

*** Before the first day of class students must install the latest stable version of VirtualBox. Also install the latest version of “Oracle VM VirtualBox Extension Pack”. Both are free and found here: http://www.virtualbox.org/wiki/Downloads

Course Abstract
The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various stages of the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop, through hands-on labs and demonstrations, will introduce the student to the tools and techniques needed to remotely detect and validate the presence of common weaknesses in web-based applications. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate the implementation. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.

This workshop will focus on the most popular and critical threats facing web applications, such as cross-site scripting (XSS) and SQL injection, based on the industry standard OWASP "Top Ten". The foundation learned in this class will enable the student to go beyond the top ten via self-directed learning using other industry resources, such as the OWASP Testing Guide (https://www.owasp.org/index.php/OWASP_Testing_Project).

Course Objectives:

  • Understand the most popular security threats facing web applications.
  • Hands-on use of the tools and techniques needed to get the job done.
  • Leveraging man-in-the-middle tools to exploit weaknesses for validation purposes.
  • Understand and work around tool limitations (e.g. how to test a multi-step form).
  • Identify and avoid denial-of-service conditions during testing.
  • Testing for persistent and non-persistent XSS.
  • Safely and effectively testing for back-end XSS (overlooked by most scanners).
  • Enhance secure programming practices by raising awareness and giving developers and auditors the tools & knowledge needed to test their web application’s security from the user's perspective.

Course Topics:
Section – Brief Web Primer (HTML, HTTP, Cookies, the basics)
Section – Tools & Techniques (MITM Proxies, Fuzzing, Browser Extensions)
Section – Threat Classification Systems (OWASP Top Ten & WASC Threat Classes)
Vulnerability Category – A1: Injection
Vulnerability Category – A2: Cross-Site Scripting (XSS)
Vulnerability Category – A3: Broken Authentication and Session Management
Vulnerability Category – A6: Security Misconfiguration
Section – Overall Testing Advice & Strategies (real-world advice from the trenches)