Andres Riancho - Discovery and exploitation of web application vulnerabilities

Date: 13.05.2009


Andres Riancho

Professional Biography:
Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, and contributed to SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.

Technical References Related to Prior Teaching Experience

  • In-house Web Application security training
  • Two days hands-on Web Application security training
  • More than ten Penetration testing and web application security seminars (one day) all around South America in the last two years.
  • Web application security training – Argentina – HSBC
  • Discovery and exploitation of web application vulnerabilities – Argentina - Ekoparty security conference.
  • Extreme penetration testing – Guatemala – GBM

Course Details

Course Title: Discovery and exploitation of web application vulnerabilities

Course Abstract: This training course focuses on the manual and automated discovery and exploitation of web application vulnerabilities. During this course you are going to go through a series of lectures followed by hands-on practice. In each practice you will find vulnerabilities to exploit, each with a different level of complexity, which will challenge your understanding of the subject. After the hands-on practice, a short lecture on how the vulnerability is fixed is presented, together with common errors introduced by developers in that process.

The training will also teach you how to use the most advanced tools used by professionals in the field, like w3af (developed by the trainer), Burp Suite, sqlmap and many others.

Course Syllabus (detailed)

  1. Types of analysis
    • Static code analysis, black box testing and gray box testing:
      • Definitions
      • Vulnerabilities that can be detected
      • Vulnerabilities that CAN’T be detected
      • Recommended tools
  2. Web Application Vulnerabilities
    • Reverse engineering of Java applets and Flash movies
    • Local file read
    • Local file inclusions
    • Path Traversal and Null Bytes
    • Remote file inclusions
    • Cross Site Scripting (XSS)
    • Cross Site Tracing
    • Cross Site Request Forgeries / Session Riding
    • HTTP Response Splitting
    • LDAP Injection
    • OS Commanding
    • PHP preg_replace vulnerabilities
    • SQL Injection:
      • Enumeration of tables and columns
      • Execution of queries and stored procedures
      • Creation of files
      • Execution of OS commands
    • Blind SQL Injection
  3. Uncommon attack vectors
  4. Web application privilege escalation
    • Session handling
    • Business logic vulnerabilities
    • Poor authorization

Course Timeline (how the syllabus will be covered in the allotted timeframe and conform to coffee and meal breaks):

Coffee and meal break hours (subject to change by conference organization):

  • 8:30am Breakfast and course start
  • 10:30am Coffee break
  • 12:30pm Meal

Day one, 13.05.2009

  • 9am to 10:30am: attendee’s laptop setup; Items 1 and 2 of syllabus.
  • 10:50am to 12:30pm: Item 2 of syllabus.
  • 13:30 to 16:00: Items 3 and 4 of syllabus.

Pedagogic Methods Used to Teach Material (lecture, hands-on labs, demonstrations, group exercises, etc.): This one-day course combines lectures with increasingly difficult hands-on exercises designed to teach the attendee different ways to discover and exploit web application vulnerabilities.

Student Requirements, experience/expertise: The course won’t cover the basics of the HTTP protocol or basic web application development; knowledge of these subjects is desired. The students should have a solid knowledge of general security subjects, and at least one year of experience in a technical position related to any of the subjects in the syllabus.

Student Requirements, equipment/software students must furnish (be very specific): One laptop with at least 1GB of RAM, Ethernet card, and a CD reader. The trainer will provide a live CD that will be used to perform all the hands-on exercises, so the laptop needs to be able to boot from the CD.

Minimum Number of Students Required to Deliver Course: 7
Maximum Number of Students That Can Be Accommodated in Course: 15

Workshop cost:

300 EUR Registration on workshops 2009