Full Stack Web Attack
It's days, hours, minutes, and seconds until the training begins!
Full Stack Web Attack is not an entry-level course. It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research.
This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.
So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you.
Leave your OWASP Top Ten and CSP bypasses at the door.
The 3 day training course will take place on October the 1st, 2nd and 3rd of 2019 at the room in Polanco, Mexico City.
Av. Homero s/n frente al 1730, entre Jaime Balmes y Luis Vives. Planta baja de Corporativo Polanco. Miguel Hidalgo Los Morales Polanco CP 11510 Ciudad de México.
You can use Google Maps for the exact location of the venue. When coming via an Uber or taxi, just state you would like to go to Avenida Homero numero mil setecientos treinta en polanco, se llama The Room. Don’t worry if you don’t speak a little Spanish, the hotel concierges all speak English.
The two hotels we recommend are approximately 10 minute’s drive with an Uber or taxi. The cost of the ride to and from the venue should be approximately $5 USD. Walking is possible, but it will take approximately 25 - 30 minutes.
javax.servlet.ServletException: java.lang.NullPointerException com.source.incite.FullStackWebAttack.certification(FullStackWebAttack.java:38) org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425) org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228) org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
Tickets can be purchased here. Please note that the course is limited to maximum of 20 seats to ensure a high quality deliverable.
Steven Seeley (@steventseeley) is an internationally recognized security researcher and trainer. For the last three years, Steven has reached platinum status with the ZDI and has literally found over a thousand high impact vulnerabilities, some of which can be found under the advisories section.
- At least basic scripting skills
- At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers
- A 64bit Host operating system
- 16 Gb RAM minimum
- VMWare Workstation/Fusion
- 60 Gb Hard disk free minimum
- Wired and Wireless network support
- USB 3.0 support
- PHP & Java language fundamentals
- Debugging PHP & Java applications
- Module overview and required background knowledge
- Auditing for zero-day vulnerabilities
- Logic authentication bypasses
- Code injection (n-day patch bypass)
- Java naming and directory interface (JNDI) injection
- Remote class loading
- Deserialization 101 (using existing gadget chains)
- Introduction to object instantiation
- External entity (XXE) injection
- File disclosure
- Out-of-band attacks
- Introduction to object injection
- Property oriented programming (POP)
- Custom gadget chain creation
- Information disclosure
- Building a 7 stage exploit chain for remote code execution
- Blacklist bypasses (zero-day vulnerability)
- Bypassing URI filters
- URI forward authentication bypasses (zero-day technique)
- Expression language injection
- Deserialization 102 (custom gadget chains)
- Trampoline gadgets
- Exploiting reflection
* This syllabus is subject to change at the discretion of the instructor
The madness doesn’t stop. Preconfigured environments will be provided for additional work after class ends for the rediscovery and exploitation of n-day vulnerabilities.