In the past a lot of different attacks on web applications were used, and until now, attackers developed more and more intelligent ways to reach their goals. These attacks are more or less known by all researchers nowadays. The majority of webhacking workshops and trainings cover standard methods like xss, sql injections, xsrf, etc. This workshop focuses on more advanced web application hacking techniques, such as object deserialization flaws next to attacks on state-of-the-art crypto and SSL/TLS attacks. Thereby not only servers, but also clients, are in the focus of the attacks. Every chapter of this workshop includes exercises for an easier understanding of the presented attacking techniques as well as mitigating controls of them.
Basic knowledge in webdevelopment/webhacking due to the contents of this workshop are mainly advanced.
Laptop with an arbitrary operating system and VirtualBox installed.
Kevin Schaller is an IT Security Consultant for ERNW with comprehensive experience in large company environments. He is working for the security provider ERNW, where his daily tasks concentrate on security evaluations and the associated quality assurance of applications and infrastructures. He regularly teaches trainings and courses and holds talks where he likes to share his knowledge with the audience. His research focus lies on the field of webapplication, webservice security and biometric authentication mechanisms. The following topics were already covered by Kevin within workshops or talks in different locations world wide: Advanced Network Security, Advanced Hacking Techniques, Webhacking, Security within IP Networks, Secure Webapplication Development, Secure Thick Client Development, Java Secure Coding, Code Reviews and Old Attacks meet Modern Technologies.
Timo Schmid is a pentester and researcher at ERNW with extensive experience in corporate environments. His daily work enfolds security evaluations, code reviews and penetration testings of (web-) applications and infrastructures. Besides of giving trainings in web application security, secure coding and general computer security, he is doing research and developments in web-technology and -security areas. In addition, he continuously develops and maintains different tools to improve testing methodologies and results.