The Introduction to XSS section is now the entire first day. We’ve expanded the content to include exploiting XSS issues via Flash as well as touching on some client-side template injections. We look at practical exploitation scenarios for poorly constructed crossdomain.xml files, permissive Access-Control-Allow-Origin headers and more.
The XXE/XSLT section is now 3-4 hours which is double the amount of time previously allotted. The big new feature is exploiting sighted and out-of-band XXE attacks as well as XSLT injection over an XMLRPC pseudo service. This provides the students an extra level of challenge to adapt to a real world scenario.
We’re allocating an entire day for SQL Injection which will give students more time to complete the final exercise. Thus far we’ve only had one student solve it so it stands as a formidable challenge. Finally the sites for the Web Crypto section have been cleaned up to make a more uniform style and fix some clarity issues, the content takes up the entire last day of the course.
The finalized WebHacking schedule (PDF) for Infiltrate 2016 is:
April 3rd: Introduction to XSS
April 4th: Command Injection, eXternal XML Entities (XXE) and XSLT injection
April 5th: SQL Injection
April 6th: Web Crypto