Wednesday, March 2, 2016

What's New in Immunity's WebHacking Course

We’ve continued to streamline the course since the last InfiltrateCon based on student feedback. Since Infiltrate 2015 we’ve had the opportunity to give the class twice, so these changes have been put to the practical test. As always, students are required to solve the exercises without the assistance of automated tools (proxies like Burp are allowed, but only for their interception/rewrite capabilities). As a result, you will be coding in JavaScript, Python, MySQL and optionally a tiny bit of PowerShell. If you'd like a refresher on these languages, check out our Web Hacking Language Review course on March 22nd, being offered remotely for the first time!

The Introduction to XSS section is now the entire first day. We’ve expanded the content to include exploiting XSS issues via Flash as well as touching on some client-side template injections. We look at practical exploitation scenarios for poorly constructed crossdomain.xml files, permissive Access-Control-Allow-Origin headers and more.

The XXE/XSLT section is now 3-4 hours, which is double the amount of time previously allotted. The big new feature is exploiting sighted and out-of-band XXE attacks as well as XSLT injection over an XMLRPC pseudo service. This gives students an extra level of challenge in adapting to a real-world scenario.

We’re allocating an entire day for SQL Injection, which will give students more time to complete the final exercise. Thus far we’ve only had one student solve it, so it stands as a formidable challenge. Finally, the sites for the Web Crypto section have been cleaned up to give them a more uniform style and fix some clarity issues; the content takes up the entire last day of the course.

The finalized WebHacking schedule (PDF) for Infiltrate 2016 is:

April 3rd: Introduction to XSS
April 4th: Command Injection, eXternal XML Entities (XXE) and XSLT injection
April 5th: SQL Injection
April 6th: Web Crypto