The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Training
Tuesday, January 22
 

9:00am PST

Attacking and Defending Containerized Apps and Serverless Tech [Day 1 of 2]
Course Abstract

With organizations rapidly moving towards micro-service style architectures for their applications, container and serverless technology are being adopted at a rapid rate. Leading container technologies like Docker have risen in popularity and are widely used because they help package and deploy applications in a consistent state. Serverless and orchestration technologies like Kubernetes help scale such deployments massively, which can increase the overall attack surface to the same extent if security is not given the attention it requires.
Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While container-orchestrated deployments may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel, shared resources, secret management, insecure configurations, role management issues and many more. Serverless deployments, on the other hand, face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secret storage. Attacking an infrastructure or applications that leverage containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture.

Training Syllabus

Day 1:

Evolution to Container Technology and Container Tech Deep-Dive

* Introduction to Container Technology
  * Namespace
  * Cgroups
  * Mount
* Hands-on Lab: Setting up a Minimal Container

Introduction to Containerized Deployments: Understanding and getting comfortable using Docker

* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
* Hands-on:
  * Docker commands
  * Dockerfile
  * Images
* Docker Compose
  * Introduction to docker-compose
* Hands-on:
  * Docker-compose commands
* Application Deployment Using docker
* Hands-on:
  * Containerize the application
  * Deploying a containerized application
  * Deploy a containerized application using docker-compose

Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments

* Threat Model for Containerized Deployments
  * Daemon-related Threats
  * Network-related Threats
  * OS and Kernel Threats
  * Threats with Application Libraries
  * Threats from Containerized Applications
* Traditional Threat-Modelling for Containers with STRIDE
  * Spoofing
  * Tampering
  * Repudiation
  * Information Disclosure
  * Denial of Service
  * Elevation of privileges

Attacking and Securing Containers

* Attacking Containers and Containerized Deployments
* Hands-on:
  * Container Breakout
  * Exploiting Insecure Configurations
  * OS and Kernel level exploits
  * Trojanized Docker image
* Container Security Deep-Dive
* Hands-on:
  * AppArmor/SecComp
  * Restricting Capabilities
  * Analysing Docker images
* Container Security Mitigations
* Hands-on: Container Vulnerability Assessment
  * Clair
  * Dagda
  * Anchore
  * Docker-bench

Introduction to Kubernetes

* Understanding Kubernetes Components and Architecture
* Hands-on:
  * Exploring Kubernetes Cluster
  * Deploying application to Kubernetes

Day 2:

Attacking Kubernetes Cluster

* Kubernetes Threat Model
* Hands-on:
  * Attacking application deployed on Kubernetes
  * Exploiting a Vulnerable Kubernetes cluster

Kubernetes Security Deep-Dive

* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
  * Pod Security
  * Access Control
  * Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
  * Kube-sec
  * Kube-hunter
  * Kube-bench
* Hands-on: Logging and Monitoring
  * Resource utilization
  * Malicious behavioral activity monitor

Serverless Introduction

* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application

Attacking Serverless applications

* OWASP Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
  * Injection-based attacks
  * Broken authentication attack
  * Deserialization attacks
* Securing Serverless applications
  * Identity and Access Management
  * Secret management
  * Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
  * Static Code Analysis [SCA]
  * Static Application Security Testing [SAST]
  * Dynamic Analysis Security Testing [DAST]

Upon completion of this training, attendees will know:

* Attacking and securing applications that leverage containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture; attendees will gain that understanding.
* This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use container or serverless technology as part of their product deployments and want a good understanding of how to secure their services and deployments.
* Training will be extremely hands-on, with exercises modelled on real-world threat scenarios that attendees will work through themselves. This will help them understand what it takes to attack and to secure containerized and serverless applications.
* On completion, attendees will also understand ways to attack, and to securely deploy on, container orchestration technology like Kubernetes and on serverless platforms.

Laptop Requirements
* Intel i5 and above preferred, 64-bit Operating System (32-bit will NOT work), 8GB+ RAM preferred. Netbooks WON'T work.
* Working WiFi adapter with the ability to connect to third-party wireless networks

Lab Requirements
* We have created cloud labs for all the exercises and labs of the program. You will need a terminal program to SSH into the remote lab environments. These programs should work fine: Mac OS X => iTerm2 or Terminal (no need to install), Windows => PuTTY or Cygwin, Linux => Terminal (no need to install anything else)
* Since AppSecCali doesn't provide WiFi, we are carrying our own WiFi for the labs. Nevertheless, as a backup, we are still carrying VMs for the lab environments that we will be running. Please download and install the latest version of Oracle VM VirtualBox (https://www.virtualbox.org/). We have prepped the images to run in VirtualBox 6.0 (latest).
* In the event the WiFi is unreliable, we will be carrying USB flash drives with the VMs, which you can use to run the labs. You will need cables/adapters to copy from USB flash drives to your laptop. You will also need the requisite permissions and privileges to copy and install software on your laptop. Please be sure of this before you come in for the class, as we will not be able to help you with this in class.
* If you are running VMs on a Mac, it's typically problem-free. However, if you are running a Windows host OS, you will need to check the following:
  * Enable Virtualization in the BIOS => https://bit.ly/2oygJ1H
  * Disable Hyper-V => https://bit.ly/2ABwrxL
  * 50GB free space on HDD for VM(s)

Speakers

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...

Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at we45, where he has helped build multiple solutions ranging from vulnerability management to scalable scanner orchestrating systems that leveraged container...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Garden Terrace Room

9:00am PST

Building Secure API's and Web Applications with the OWASP Top Ten and ASVS [Day 1 of 2]
Course Abstract

The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects. The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples. As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and webservices will benefit.

Training Syllabus

Day 1 of the course will focus on web application basics

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- SQL and other Injection
- Cross Site Request Forgery
- Deserialization Security

Day 2 of the course will focus on API secure coding, Identity and other advanced topics

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth Security
- 3rd Party Library Security Management
- Application Layer Intrusion Detection
- OWASP Top Ten
- OWASP ASVS

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Upon Completion of this training, attendees will know:

This course will teach software developers the details of approximately 200 various web security requirements needed to build secure software. Please review the syllabus to review the many topics this course will cover.

Attendees should bring:

Any laptop that can run an updated web browser and "Burp Community Edition".

Pre-requisites for attendees:

Familiarity with the technical details of building web applications and web services from a
software engineering point of view.

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Club Room

9:00am PST

Real World Red Team Attacks [Day 1 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Both Blackhat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, implement a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom developed to put you right in the action and simulate real world red team attacks. You'll take the approach as a red teamer to social engineer your way into a company, gain information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

- How to think like the bad guys do
- How to evade AV and network detection tools
- How to get around Windows protections
- How to live off the land
- How to write valuable reports to improve security

System Requirements:
  • Download the Custom Virtual Image prior to class: dl1.thehackerplaybook.com/THP-vm-class.zip
  • Must have Administrator Access (to disable host firewall)
  • Disable any 3rd party firewall/AV 
  • Bring all network connectivity dongles
  • Have capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
  • 30GB of free disk space
  • And, a passion to learn!
Pre-check Guidelines
  • Install VMware Workstation or VMware Fusion
  • Unzip the Custom Virtual Image and double click on the .vmx file
  • Make sure the Custom Virtual Machine’s Network Adaptor is configured on Bridged Mode
  • Plug in an ethernet cable (disable wireless) and make sure the VMware image can get an IP (This is where most people have problems).  If you have problems:
    • Mac: go to settings on your image, Network Adapter, and change it from autodetect to your network adapter.
    • Windows: go to Edit -> Virtual Network Editor -> Change Settings -> and change the Bridge To to your network adapter.
  • Try to nmap your local network with the VMware image and make sure you get results (username root and password toor).
Additional Questions
  • Can I use Virtual Box?  Sure, people have used it in the class, but we don’t support Virtual Box.  We highly recommend VMware.  If you do use Virtual Box, please make sure you test prior to coming onsite and that your network adapter is in Bridged Mode.
  • Should I update the Virtual Image?  No, please do NOT update the image.  Everything has been tested and validated with the current version of the Virtual Image.
  • What should I prepare for the class?  Other than the pre-check guidelines, there isn’t anything else to prepare.  If you aren’t comfortable with basic Linux Commands or never used VMware, it would be a good time to brush up on it.

Pre-requisites for attendees:

- Familiarity with Metasploit and similar tools
- Basic understanding of penetration testing methodology and tools
- Basic GNU/Linux command line
- Basic understanding of Active Directory

Speakers

Peter Kim

CEO, Secure Planet
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

Seth & Ken's Excellent Adventures (In Code Review) [Day 1 of 2]
Course Abstract

Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review and the lessons we've learned along the way, and made them applicable for others who perform code reviews. We will share our methodology for analysing any source code and sussing out security flaws, no matter the size of the code base, the framework, or the language. As a student you will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Training Syllabus

Day 1:

● Overview
● Introductions
● Philosophy
● What to Expect
● Tools/Lab Setup
● OWASP Top 10
● Code Review Methodology
● Overview
  ■ Introduction to Methodology/Philosophy
  ■ Documentation
● What/When/Where
  ■ Automated Tools
  ■ Manual Analysis
● Information Gathering
  ■ Profiling
  ■ Mapping
  ■ Threat Modeling
  ■ Enumeration
  ■ AAA (Authentication/Authorization/Auditing)
  ■ Other interesting finds
    ● Comments
    ● Keys
    ● 3rd-party libraries
● Authentication
  ■ User Enumeration
  ■ Timing Attacks
  ■ Password Complexity
  ■ Typical Logic Flaws
  ■ Insecure Password Resets
  ■ Insecure Forgot Password Functionality
  ■ Password Storage
● Authorization
  ■ Broken Access Control
    ● Insecure Direct Object Reference
    ● Forced Browsing
    ● Missing Function Level Access Control
● Auditing
  ■ Sensitive Data Exposure
  ■ Logging Vulnerabilities
● Injection
  ■ Input Validation
  ■ SQL Injection
    ● ORM and ActiveRecord Patterns/Flaws
    ● Examples from previous assessments
  ■ XXE
  ■ Server-Side Request Forgery
  ■ HTML/Content Injection
● Cryptographic Analysis
  ■ Encoding vs. Encryption
  ■ Hashing
  ■ Stored Secrets
● Configuration Review
  ■ Framework gotchas
  ■ Configuration files
  ■ Dependency Analysis

Day 2:

● Technical Hands-On Review
● Java
● .Net
● Ruby On Rails
● Node.js
● Django

Upon Completion of this training, attendees will know:

Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Attendees should bring:

Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities.
Preferred IDE

Pre-requisites for attendees: 

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into the process. Attendees must have experience using an IDE, running command-line tools, and be able to read application source code. Attendee must have knowledge of the OWASP Top 10 and other common vulnerabilities.

Speakers

Ken Johnson

CTO & Co-Founder, DryRun Security
Ken Johnson has been hacking web applications professionally for 14 years and given security training for 11 of those years. Ken is both a breaker and builder and is the CTO & Co-Founder of DryRun Security. Previously, Ken was a Director with GitHub's Product Security Engineering...

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.
Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Guest House Parlor/Salon

9:00am PST

The Bug Hunter's Methodology [Day 1 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is aimed primarily at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class covers topics such as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • Github robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
-- Labs
- git pillaging
-- Labs
- Github robbing
-- Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
-- Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have some solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. Not only does the course aim to arm the student with the technique, tools, and labs, but also a contextual and data-driven methodology on where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers

Jason Haddix

Director, Speaker
Father, hacker, educator, gamer, & nerd. I am passionate about information security. Not only is security my career focus but it's my hobby. I absolutely love my job. In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Sand and Sea Room

9:00am PST

Web Application Penetration Testing: An Introductory Workshop For Developers and Security Professionals At All Levels
Course Abstract

In this completely hands-on workshop, you will come to understand the techniques and methodologies that can be applied when performing a web application penetration test. Throughout this workshop, you will use the Burp Suite tool, which bundles several distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you will also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 list. We will provide you with a vulnerable website, and you will uncover security issues in it even if you have never done this before!

Training Syllabus

● Opening

○ About the class
○ About OWASP

● Introduction

○ Security Awareness/hacker mindset
○ Introduction to the training environment and tools

● Reconnaissance

○ Web application Reconnaissance
○ HTTP / HTTPS basics
○ Web application and Web server fingerprinting

● Most common vulnerabilities, detection, and exploitation

○ XSS (HTML, Attribute, DOM)
○ SQLi
○ IDOR Vulnerabilities
○ XXE
○ File Upload Vulnerabilities
○ Insecure API
○ OWASP TOP 10

Upon Completion of this training, attendees will know:

● Scope a security review and prioritise the work
● Understand the manual and automated tools and techniques available and when to apply them
● Understand DevSecOps, including the Agile framework
● Gain confidence in customizing your web application security testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by the Burp Suite tool
● Lots of hands-on web application hacking labs and exercises, along with the core concepts of web application security

Attendees should bring:

1. Laptop with administrator access (mandatory)
2. Minimum 4 GB RAM
3. At least 10 GB of free hard disk space
4. Oracle VirtualBox 5.x or later installed.
5. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)

Prerequisites for attendees:

This is an introductory training for web application developers and students, including those new to application security. The course has been developed to train learners at all levels.

Speakers

Zoe Braiterman

Consultant / Researcher / Educator, OWASP
Zoe Braiterman (Moderator) brings her combined business, technology and data science expertise into her work as a cybersecurity researcher, consultant and educator. She goes by the title "Innovation Intelligence Strategist (Machine and Human)" to emphasize her work on both the...

Vandana Verma Sehgal

Chair, Global Board of Directors, OWASP Foundation
Vandana Verma Sehgal is a Security Leader at Snyk. She is a member of the OWASP Global Board of Directors. She has experience ranging from Application Security to Infrastructure and now dealing with Product Security. She also works in various communities towards diversity initiatives...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Veranda North
 
Wednesday, January 23
 

9:00am PST

Attacking and Defending Containerized Apps and Serverless Tech [Day 2 of 2]
Course Abstract

With organizations rapidly moving towards micro-service style architectures for their applications, container and serverless technology are being adopted at a rapid rate. Leading container technologies like Docker have risen in popularity and are widely used because they help package and deploy applications in a consistent state. Serverless and orchestration technologies like Kubernetes help scale such deployments massively, which can increase the overall attack surface to the same extent if security is not given the attention it requires.
Security remains a key challenge that both organizations and security practitioners face with containerized and serverless deployments. While container-orchestrated deployments may be vulnerable to the security threats that plague any typical application deployment, they also face specific threats related to the containerization daemon, the shared kernel, shared resources, secret management, insecure configurations, role management issues and many more. Serverless deployments, on the other hand, face risks such as insecure serverless deployment configurations, inadequate function monitoring and logging, broken authentication, function event data injection and insecure application secret storage. Attacking an infrastructure or applications that leverage containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture.

Training Syllabus

Day 1:

Evolution to Container Technology and Container Tech Deep-Dive

* Introduction to Container Technology
  * Namespace
  * Cgroups
  * Mount
* Hands-on Lab: Setting up a Minimal Container

Introduction to Containerized Deployments: Understanding and getting comfortable using Docker

* An Introduction to containers
* LXC and Linux Containers
* Introducing Docker Images and Containers
* Deep-dive into Docker
* Docker Commands and Cheatsheet
* Hands-on:
  * Docker commands
  * Dockerfile
  * Images
* Docker Compose
  * Introduction to docker-compose
* Hands-on:
  * Docker-compose commands
* Application Deployment Using docker
* Hands-on:
  * Containerize the application
  * Deploying a containerized application
  * Deploy a containerized application using docker-compose

Threat Landscape: An Introduction to possible threats and attack surface when using Containers for Deployments

* Threat Model for Containerized Deployments
  * Daemon-related Threats
  * Network-related Threats
  * OS and Kernel Threats
  * Threats with Application Libraries
  * Threats from Containerized Applications
* Traditional Threat-Modelling for Containers with STRIDE
  * Spoofing
  * Tampering
  * Repudiation
  * Information Disclosure
  * Denial of Service
  * Elevation of privileges

Attacking and Securing Containers

* Attacking Containers and Containerized Deployments
* Hands-on:
  * Container Breakout
  * Exploiting Insecure Configurations
  * OS and Kernel level exploits
  * Trojanized Docker image
* Container Security Deep-Dive
* Hands-on:
  * AppArmor/SecComp
  * Restricting Capabilities
  * Analysing Docker images
* Container Security Mitigations
* Hands-on: Container Vulnerability Assessment
  * Clair
  * Dagda
  * Anchore
  * Docker-bench

Introduction to Kubernetes

* Understanding Kubernetes Components and Architecture
* Hands-on:
  * Exploring Kubernetes Cluster
  * Deploying application to Kubernetes

Day 2:

Attacking Kubernetes Cluster

* Kubernetes Threat Model
* Hands-on:
  * Attacking application deployed on Kubernetes
  * Exploiting a Vulnerable Kubernetes cluster

Kubernetes Security Deep-Dive

* Kubernetes Security Mind-Map
* Hands-on: Ideal Security Journey: Kubernetes
  * Pod Security
  * Access Control
  * Secret Management
* Hands-on: Kubernetes Vulnerability Assessment
  * Kube-sec
  * Kube-hunter
  * Kube-bench
* Hands-on: Logging and Monitoring
  * Resource utilization
  * Malicious behavioral activity monitor

Serverless Introduction

* Understanding Serverless and FAAS (Function-As-A-Service)
* Introduction to AWS Lambda and other Serverless options
* Hands-on: Deploying a Serverless application

Attacking Serverless applications

* OWASP Top 10 for Serverless Applications
* Hands-on: Attacking Serverless applications
  * Injection-based attacks
  * Broken authentication attack
  * Deserialization attacks
* Securing Serverless applications
  * Identity and Access Management
  * Secret management
  * Logging and Monitoring Functions
* Hands-on: Serverless Vulnerability Assessment
  * Static Code Analysis [SCA]
  * Static Application Security Testing [SAST]
  * Dynamic Analysis Security Testing [DAST]

Upon completion of this training, attendees will know:

* Attacking and securing applications that leverage containers and serverless technology requires a specific skill set and a deep understanding of the underlying architecture; attendees will gain that understanding.
* This course is aimed at Developers, DevOps Engineers, Penetration Testers and Security practitioners who plan to use container or serverless technology as part of their product deployments and want a good understanding of how to secure their services and deployments.
* Training will be extremely hands-on, with exercises modelled on real-world threat scenarios that attendees will work through themselves. This will help them understand what it takes to attack and to secure containerized and serverless applications.
* On completion, attendees will also understand ways to attack, and to securely deploy on, container orchestration technology like Kubernetes and on serverless platforms.

Laptop Requirements
* Intel i5 and above preferred, 64-bit Operating System (32-bit will NOT work), 8GB+ RAM preferred. Netbooks WON'T work.
* Working WiFi adapter with the ability to connect to third-party wireless networks

Lab Requirements
 * We have created cloud labs for all the exercises and labs of the program to work. You will need a terminal program to SSH into the remote lab environments. These programs should work fine: Mac OSX => ITerm2 or Terminal (no need to install), Windows => Putty or Cygwin, Linux => Terminal (no need to install anything else)

* Since AppSecCali doesn't provide wifi, we are carrying our WiFi for the labs. Nevertheless, as a backup, we are still carrying VMs for the lab environments that we will be running. Please download and install the latest version of Oracle VM VirtualBox (https://www.virtualbox.org/). We have prepped the images to run in VirtualBox 6.0 (latest).
* In the event the wifi is unreliable, we will be carrying USB flash drives with the VMs which you can use to run the labs. You will need to have cables/adapters to copy from USB flash drives to your laptop. You will also need the requisite permissions and privileges to copy and install software on your laptop. Please be sure of this before you come in for the class, as we will not be able to help you with this in class.
* If you are running VMs on a Mac, it's typically problem-free. However, if you are running Windows Host OS, you will need to check the following:
  * Enable Virtualization in the BIOS => https://bit.ly/2oygJ1H
  * Disable Hyper-V => https://bit.ly/2ABwrxL
  * 50GB free space on HDD for VM(s)

Speakers
Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...
Nithin Jois

Senior Security Solutions Engineer, we45
Nithin Jois dons two hats: apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45, where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Garden Terrace Room

9:00am PST

AWS Security 101
Course Abstract

Learn how to secure your AWS environment.

Areas within AWS that will be covered:

1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it

The first part of each topic will bring the students up to speed, followed by hands-on exercises to put their knowledge to the test. Each area covered focuses on core resources within AWS that need to be understood in order to successfully secure your AWS cloud environment. In the end, students will walk away with hands-on experience and be ready to implement solutions in their corporate environment.

Upon Completion of this training, attendees will know:

The AWS security gotchas, basics, and ways to monitor their environment.

Attendees should bring:

Laptop with power supply.

Pre-requisites for attendees:

A thirst for knowledge on AWS and what they hope to learn.

Speakers
Will Bengtson

Senior Security Engineer, Netflix
Will Bengtson is a senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...
Nag Medida

Sr. Security Engineer, Netflix
Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating stuff with a passion for cloud security. Nag's expertise lies in security automation for the cloud in the big data world, penetration...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Veranda North

9:00am PST

Building Secure API's and Web Applications with the OWASP Top Ten and ASVS [Day 2 of 2]
Course Abstract

The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects. The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples. As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production-quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript and .NET programmers, but any software developer building web applications and webservices will benefit.

Training Syllabus

Day 1 of the course will focus on web application basics

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- SQL and other Injection
- Cross Site Request Forgery
- Deserialization Security

Day 2 of the course will focus on API secure coding, Identity and other advanced topics

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth Security
- 3rd Party Library Security Management
- Application Layer Intrusion Detection
- OWASP Top Ten
- OWASP ASVS

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Upon Completion of this training, attendees will know:

This course will teach software developers the details of approximately 200 web security requirements needed to build secure software. Please review the syllabus for the many topics this course will cover.

Attendees should bring:

Any laptop that can run an updated web browser and "Burp Community Edition".

Pre-requisites for attendees:

Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Club Room

9:00am PST

Real World Red Team Attacks [Day 2 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Black hat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, implement a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom developed to put you right in the action and simulate real world red team attacks. You'll take the approach as a red teamer to social engineer your way into a company, gain information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

How to think like the bad guys do
How to evade AV and network detection tools
How to get around Windows protections
How to live off the land
How to write valuable reports to improve security

System Requirements:
  • Download the Custom Virtual Image prior to class: dl1.thehackerplaybook.com/THP-vm-class.zip
  • Must have Administrator Access (to disable host firewall)
  • Disable any 3rd party firewall/AV
  • Bring all network connectivity dongles
  • Have capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
  • 30GB of free disk space
  • And, a passion to learn!
Pre-check Guidelines
  • Install VMware Workstation or VMware Fusion
  • Unzip the Custom Virtual Image and double click on the .vmx file
  • Make sure the Custom Virtual Machine’s Network Adapter is configured on Bridged Mode
  • Plug in an ethernet cable (disable wireless) and make sure the VMware image can get an IP (This is where most people have problems).  If you have problems:
    • Mac: go to settings on your image, Network Adapter, and change it from autodetect to your network adapter.
    • Windows: go to Edit -> Virtual Network Editor -> Change Settings -> and change the Bridge To to your network adapter.
  • Try to nmap your local network with the VMware image and make sure you get results (username root and password toor).
Additional Questions
  • Can I use Virtual Box?  Sure, people have used it in the class, but we don’t support Virtual Box.  We highly recommend VMware.  If you do use Virtual Box, please make sure you test prior to coming onsite and that your network adapter is in Bridged Mode.
  • Should I update the Virtual Image?  No, please do NOT update the image.  Everything has been tested and validated with the current version of the Virtual Image.
  • What should I prepare for the class?  Other than the pre-check guidelines, there isn’t anything else to prepare.  If you aren’t comfortable with basic Linux Commands or never used VMware, it would be a good time to brush up on it.

Pre-requisites for attendees:

Familiarity with Metasploit and similar tools
Basic understanding of penetration testing methodology and tools
Basic GNU/Linux command line
Basic understanding of Active Directory

Speakers
Peter Kim

CEO, Secure Planet
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

Seth & Ken's Excellent Adventures (In Code Review) [Day 2 of 2]
Course Abstract

Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Training Syllabus

Day 1:

● Overview
● Introductions
● Philosophy
● What to Expect
● Tools/Lab Setup
● OWASP Top 10
● Code Review Methodology
● Overview
  ■ Introduction to Methodology/Philosophy
  ■ Documentation
● What/When/Where
  ■ Automated Tools
  ■ Manual Analysis
● Information Gathering
  ■ Profiling
  ■ Mapping
  ■ Threat Modeling
  ■ Enumeration
  ■ AAA (Authentication/Authorization/Auditing)
  ■ Other interesting finds
    ● Comments
    ● Keys
    ● 3rd-party libraries
● Authentication
  ■ User Enumeration
  ■ Timing Attacks
  ■ Password Complexity
  ■ Typical Logic Flaws
  ■ Insecure Password Resets
  ■ Insecure Forgot Password Functionality
  ■ Password Storage
● Authorization
  ■ Broken Access Control
    ● Insecure Direct Object Reference
    ● Forced Browsing
    ● Missing Function Level Access Control
● Auditing
  ■ Sensitive Data Exposure
  ■ Logging Vulnerabilities
● Injection
  ■ Input Validation
  ■ SQL Injection
    ● ORM and ActiveRecord Patterns/Flaws
    ● Examples from previous assessments
  ■ XXE
  ■ Server-Side Request Forgery
  ■ HTML/Content Injection
● Cryptographic Analysis
  ■ Encoding vs. Encryption
  ■ Hashing
  ■ Stored Secrets
● Configuration Review
  ■ Framework gotchas
  ■ Configuration files
  ■ Dependency Analysis

Day 2:

● Technical Hands-On Review
  ■ Java
  ■ .Net
  ■ Ruby On Rails
  ■ Node.js
  ■ Django

Upon Completion of this training, attendees will know:

Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Attendees should bring: 

Laptop with wireless and virtual machine (VMWare/Virtual Box) capabilities.
Preferred IDE

Pre-requisites for attendees: 

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into the process. Attendees must have experience using an IDE, running command-line tools, and be able to read application source code. Attendee must have knowledge of the OWASP Top 10 and other common vulnerabilities.

Speakers
Ken Johnson

CTO & Co-Founder, DryRun Security
Ken Johnson has been hacking web applications professionally for 14 years and given security training for 11 of those years. Ken is both a breaker and builder and is the CTO & Co-Founder of DryRun Security. Previously, Ken was a Director with GitHub's Product Security Engineering...
Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.
Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Guest House Parlor/Salon

9:00am PST

The Bug Hunter's Methodology [Day 2 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is aimed primarily at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class goes over such topics as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • Github robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
-- Labs
- git pillaging
-- Labs
- Github robbing
-- Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
-- Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have some solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. Not only does the course aim to arm the student with the technique, tools, and labs, but also a contextual and data-driven methodology on where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers
Jason Haddix

Director, Speaker
Father, hacker, educator, gamer, & nerd. I am passionate about information security. Not only is security my career focus but it’s my hobby. I absolutely love my job. In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Sand and Sea Room