Andres Riancho - w3af ninja

Date: 12.05.2009


Andres Riancho

Professional Biography:
Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS; and contributed with SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.

Technical References Related to Prior Teaching Experience

  • In-house Web Application security training
  • Two days hands-on Web Application security training
  • More than ten Penetration testing and web application security seminars (one day) around all South America in the last two years.
  • Web application security training – Argentina – HSBC
  • Discovery and exploitation of web application vulnerabilities – Argentina - Ekoparty security conference.
  • Extreme penetration testing – Guatemala – GBM

Course Details

Course Title: w3af ninja

Course Abstract: The w3af ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af. During this course you’ll also learn how to write your own exploits, web application payloads and customized plugins in order to achieve your goals during a web application penetration test.

This course is an intense hands-on class in which you won’t stop learning for a minute. In each practice you will find vulnerabilities to discover and exploit, interesting plugin code snippets to analyze and modify and framework features that will help you automate your penetration testing work.

Course Syllabus (detailed)

  1. Introduction
    • w3af architecture
    • Plugin types
    • Framework features
    • Embedded tools
    • Exploitation phase
    • User interfaces
  2. Plugins
    • Site crawling
    • Tactical exploitation
    • Vulnerability discovery
    • Anomaly detection
    • Creating new plugins
  3. Scanning Web2.0 applications
    • Ajax
    • Flash
  4. Exploitation phase
    • Shell objects
    • Exploiting SQL injection, cross site scripting, etc.
    • Extending the exploitation phase with web application payloads
    • Advanced exploitation features:
      • w3afAgent
      • virtual daemon

Course Timeline (how the syllabus will be covered in the allotted timeframe and conform to coffee and meal breaks):

Cofee and meal break hours (subject to change by conference organization):

  • 8:30am Breakfast and course start
  • 10:30am Coffee break
  • 12:30pm Meal

Day one, 12.05.2009

  • 9am to 10:30am: attendee’s laptop setup; Items 1 and 2 of syllabus.
  • 10:50am to 12:30pm: Item 2 of syllabus.
  • 13:30pm to 16:00pm: Items 3 and 4 of syllabus.

Pedagogic Methods Used to Teach Material (lecture, hands-on labs, demonstrations, group exercises, etc.): This one-day course combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities. In the sections in which the attendee will create new exploits and plugins, the teaching methodology is “learn by example”, in which the trainer will show them how previous exploits work so they can write their own.

Student Requirements, experience/expertise: The course WON’T cover any introduction to the HTTP protocol, web application development nor web application vulnerabilities. The students MUST have a solid knowledge of web application security. Previous experience with w3af is desired but not required.

Student Requirements, equipment/software students must furnish (be very specific): One laptop with at least 1GB of RAM, Ethernet card, and a CD reader. The trainer will provide a live CD that will be used to perform all the hands-on exercises, so the laptop needs to be able to boot from the CD.

workshop cost:

300 EUR Registration on workshops 2009