How to Break & FIX Web Software Security

Hacking Web Software is " King of the Internet"

In this 5 day class, it's all about the web as the internet's killer app. Web servers ARE the target of choice for hackers. 97% of all web applications are vulnerable, and better network security isn't the only answer. We will explore a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP Top 10 to look at 19 specific web application attacks, including attacking the client, state, data and the server.

THIS CLASS IS BEST TAKEN in the 5 day BOOTCAMP! $2,995
HOW TO BREAK & FIX SOFTWARE SECURITY
and HOW TO BREAK & FIX WEB SECURITY
and FUNDAMENTALS OF SECURE SOFTWARE PROGRAMMING
and SOFTWARE SECURITY TESTING BEST PRACTICES

Class Fee: $2,995
Time: 8:30am - 5pm
Location: See the class schedule
Learning Level: Intermediate
CPE Credits: 40
Prerequisites: TCP/IP

Learning Level: Basic Programmer to Intermediate Programmer

We're here to help!
CALL NOW 877-357-7744

Who Should Attend

Software testers, software developers, development and test managers, security auditors and anyone involved in software production for resale or internal use will find it valuable. Information Security and IT managers; Information Assurance Programmers; Information Security Analysts and Consultants; Internal Auditors and Audit Consultants; QA Specialists.
What Is CWE?

Targeted to developers and security practitioners, CWE is a formal list of software weaknesses, idiosyncrasies, faults, and flaws created to:

•  Serve as a common language for describing the source code, software design, or software architecture causes of software security vulnerabilities.
•  Serve as a standard measuring stick for software security tools targeting these issues.
•  Provide a common baseline standard for identification, mitigation, and prevention of these weaknesses.

Class Agenda:

Gathering information on the target

  • How web apps are built
  • Attack 1: Looking for information in HTML comments
  • Attack 2: Guessing filenames and directories
  • Attack 3: Vulnerabilities in example applications

Attacking the client

  • The need for a rich UI
  • Attack 4: Selections outside of ranges
  • Attack 5: Client side validation

Attacking State

  • Why state is important
  • Attack 6: Hidden fields
  • Attack 7: CGI parameters
  • Attack 8: Cookies
  • Attack 8: Forceful browsing
  • Attack 9: Session hijacking

Attacking Data

  • Attack 10: Cross-site scripting
  • Attack 11: SQL Injection
  • Attack 12: Directory traversal
  • Attack 13: Buffer overflows
  • Attack 14: Canonicalization
  • Attack 15: Null-string attacks

Attacking the server

  • Attack 17: SQL injection II stored procedures
  • Attack 18: Command injection
  • Attack 19: Fingerprinting the server
  • Attack 20: Death by 1,000 cuts (DoS)
  • Attack 19: Fake cryptography
  • Attack 20: Breaking basic authentication
  • Attack 21: Cross Site Tracing

Web Services

  • Moving to web services
  • Common Attacks
  • Constraints on input and output
  • Attack 22: Web services specific attacks

Privacy

  • Who you are, where you have been
  • Methods for gathering data

Tool support

  • A review of web security/vulnerability scanning tools
  • Introduction to HolodeckWeb

Hands-on lab attacking a site full of vulnerabilities

*Class fees are subject to change

Copyright © 2010 Security University, Inc. All rights reserved.