The access to this course is restricted to PenTest Premium or IT Pack Premium Subscription.

How to detect and exploit the vulnerabilities behind this kind of attacks and how to make a Proof of Concept that can make your customers understand the risks they are exposed to. During the workshop we will show how to use the burp suite and other tools in order to detect and exploit the vulnerabilities?
How to detect and exploit the vulnerabilities behind this kind of attack over protocols different from HTTP?
How to use the network protocol analyzer and the packet manipulation software in order to detect and exploit the vulnerabilities?
And more…

 Learn the mechanics behind Cross-Site Scripting vulnerabilities and attacks.


4CPE CREDICTS


The access to this course is restricted to PenTest Premium or IT Pack Premium Subscription


Web application security is a really wide topic that spread from technologies related issues to processes related issues. In brief, web application security consists of a series of procedures, good practices and effective countermeasures, adopted by organizations, programmers and sysadmins in order to prevent a loss of Confidentiality, Integrity and Availability of a web application and of the information it manages. Nowadays is fundamental to take care about web application security because web applications became mission critical: from 70s to late 90s companies ran their business on dedicated machines located inside the corporate network and accessed only through specialized client software and\or hardware, now they expose their critical system through a web interface accessible by standard protocols (HTTP/HTTPS) and common clients (web browsers). In a typical multi tier application the attack surface could be represented as the following:

  • Presentation tier: this tier represents the set of functionalities used to present the information to the end-user. Elements of the attack surface for this layer are for example the HTML, the Javascript code, the Java applet, the Flash applications, etc. Usually an attack to this layer targets the end user and exploit the trust relationship among user and web application components. The classical attack carried out through this layer is the Cross Site Scripting and the workshop will cover this particular kind of attack;
  • Logic tier: this tier implements the business logic of the web application. Elements of the attack surface for this layer are for example the functionalities that accepts user input that are poorly implemented. The attacks to this layer targets the web application itself or the user data managed by the web application through the vulnerable functionalities;
  • Data Tier: this tier often is the most important one because it keeps the data valuable for the business. Elements of the attack surface for this layer are for example store procedures and generally the functionalities implemented to store and retrieve the information. The attacks to this layer targets the information managed by the web application.

Threat agents caught this opportunity moving their way to attack a company from sophisticated network attacks to more reliable web attacks. One of the reasons that leads a threat agent to attack a web application, is that it offers multiple layers susceptible to several classes of attack.


 

After completing this course you will be able to: 

  • Detect and exploit XSS vulnerability.
  • Understand the real risk behind this kind of of vulnerability.
  • Impress your customers with awesome Proof of Concept far beyond the classic pop-up.

COURSE SYLLABUS

What will you learn in this workshop


 



WEEK 1



– Introduction to web application security

– Introduction to XSS Attacks

– Types of XSS

– Causes of XSS

– Risks that result from XSS attacks

– Useful Javascript functions to exploit XSS

– Test




WEEK 2



– Detect the vulnerabilities that allow you to perform XSS attacks

– XSS Attack Vectors (HTTPWEB Based)

– XSS Reflected VS Stored

– DOM based XSS

– How to trick users

– Write your first XSS exploit

– Test




WEEK 3



– Introduction to XPS Attacks (Cross Protocol Scripting)

– XPS Attack Vectors

– Introduction to scapy

– Network Packet manipulation with scapy

– Detect the vulnerabilities that allow you to perform XPS attacks

– XPS practical example: linksys 0day introduction

– Test




WEEK 4



– Introduction to XSS Filter evasion

– Filter evasion via “unusual” attack vector

– Filter evasion via character encoding

– Example of filter evasion

– Common tools useful during a pentest to perform XSS attacks

– Test


Your instructor: Francesco Perna
w4 instructor

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

TAKE THIS COURSE
  • Premium Subscription Only
  • UNLIMITED ACCESS
  • Course Certificate
701 STUDENTS ENROLLED

Certificate Code

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013