SC_06: Exploiting Web Applications
Length of Class

5 days

Audience

Security Administrators, Security Auditors, Security Consultants, Helpdesk and Support Personnel

Objective

This course aims to teach students how to gather information about, and then attack, a web-based application with a variety of tools, following the same methodology an external hacker would use.

Summary

This course focuses on security issues involved with web applications and e-commerce implementations. It teaches students how to secure distributed applications by walking through actual vulnerable application exploitations. Students use hands-on examples of hacking tools to exploit vulnerabilities in networks as well as web applications. The course covers major security principles; general programming vulnerabilities; and ASP, ASP.NET, and J2EE specific security issues in web applications.

Description

For many years, information security has focused its effort on securing the network from attackers. The current situation is that the vast majority of attacks now occur at the application layer, many passing over port 80 as legitimate HTTP data.

Security staff, auditors, and support/helpdesk personnel must now effectively understand the threat to applications in order to fulfill their job responsibilities. While students learn the basics on how to defend applications properly, the focus of this class is on how to successfully execute attacks. Armed with this knowledge, students are able to effectively assess the security of their organizations' applications. Much like our secure coding classes, Security Compass instructors have taught the Exploiting Web Application class for several years and we constantly receive positive feedback from former students.

The first section of the course is a comprehensive review of infrastructure basics; this review ensures that the entire class has the requisite background knowledge to use the tools and techniques performed throughout the rest of the class. Students then learn topics in the same order as an attack: gather information, break into servers, and then break into the application.

Instructors present a variety of tools to gather information, including fingerprinting, mirroring, host scanning, vulnerability scanning, and web search engine attacks (a.k.a. "Google Hacking"). Using this information, students perform hands-on exercises to break into a server and prepare for the next phase of an attack.

The next few sections cover how to expose vulnerabilities in the major areas of application security: authentication, authorization & access control, session management, cryptography, logging/monitoring & error handling, input validation, buffer overflows, C & C++ issues, and XML & web services. Each section includes hands-on labs so that students practice performing the attacks first hand.

Next, students learn the basics of reverse engineering, the powerful tool attackers use to understand an application's logic. Finally, the class covers the hacker tools of backdoors and root kits. Each section includes a quiz so that students have a chance to review the material and clarify any misunderstandings.

Requisite Knowledge

Basic knowledge of networking and web applications

Curriculum

Part 1: Infrastructure basics
  • TCP/IP
  • HTTP
  • Static vs. dynamic web pages
  • Web client components
  • Web server components
  • HTTP methods
  • HTTP response codes
  • SSL
Part 2: Exploiting web servers
  • Fingerprinting the environment
  • Mirroring the server
  • Network scanning
  • Vulnerability scanning
Part 3: Application Architecture & Security Principles
  • Application components
  • Application architecture
  • Principles of security (the good)
  • Principles of security (the bad)
  • Secure SDLC
  • Data classification
Part 4: Authentication
  • Authentication basics
  • Authentication mechanisms
  • Network monitoring/sniffing
  • Exploiting authentication
  • User enumeration
Part 5: Authorization and Access Control
  • Authorization basics
  • Access control: page, functional and data levels
  • J2EE authorization
  • .NET authorization
Part 6: Cookie and Session Management
  • Cookie basics
  • Session IDs basics
  • State vs. session
  • Exploiting session IDs
  • Defending session IDs
Part 7: Cryptography
  • Crypto basics
  • Random numbers
  • Hashing
  • Symmetric key encryption
  • Asymmetric key encryption
Part 8: Input Validation
  • Parameter manipulation
  • GET vs. POST
  • OS interaction
  • HTTP response splitting
  • Cross site scripting
  • SQL injection
  • Advanced SQL injection
  • Defending input validation
  • Encrypting data in transit
  • Encrypting data at rest
Part 9: Error Handling, Canonicalization and Race Conditions
  • Error handling
  • Canonicalization
  • Race conditions
Part 10: Buffer Overflows C/C++
  • Buffer overflow basics
  • Termination issues
  • Validation issues
  • Calculation issues
Part 11: XML Security
  • XML basics
  • XML parsing
  • XML validation (DTD and XSD schema)
  • Attacking XML parsers
  • Attacking XML validation
Part 12: Web Services Security
  • SOAP protocol
  • Security standards
  • Attacks
  • Tools
Part 13: Reversing Basics
  • OllyDbg debugger basics
  • Reversing basics (C/C++)
  • Reversing .NET managed code
  • Reversing Java byte code
Part 14: Tips and Tricks (Root kits and backdoors)
  • Port redirection
  • Backdoors
  • Root kits & covert channels