Introduction to Application Pentesting

Testing application security has always been a challenge for penetration testers. Every application has different business requirements, different functionality and different workflows and, as a result, different code and different attack vectors.

In addition, the increasing variety of technologies (HTML5, JavaScript, APIs) often requires a different testing approach, and sometimes different tools, to achieve the same goal: properly testing the application, finding its vulnerabilities and securing it before making it public.

This introductory hands-on session will teach attendees how to approach, plan and conduct an application penetration test against different types of applications and technologies, using commonly available tools and techniques that attackers often use as well.

During the session, participants will be provided with lab exercises to experience and test against vulnerable applications. Labs will include an introduction to commonly used tools and testing methodologies, an overview of common vulnerabilities based on the OWASP Top 10, how to perform automatic and manual discovery, executing fuzzing tests to identify potential weaknesses and entry points, exploitation of vulnerabilities such as cross-site scripting, SQL injection and Cross-Site Request Forgery, testing for authentication, authorization and session management issues, and more. In addition, the testing scenarios will cover applications built on different technologies, such as HTML-based applications, Web Services/APIs and console/smart-client based apps, to show the differences and similarities in how they are tested and in the vulnerabilities found in each.

By the end of the session, attendees will have the foundation required to conduct the different aspects of an application security penetration test, and will have learned the steps from initial discovery and evaluation of potential attack vectors through to actual exploitation of the application-level vulnerabilities they have found.

Trainer: Chuck Ben-Tzur
Max participants: 40
Cost: $399 (Full Conference Attendee) / $499 (Expo Attendee)

Technical Requirements:

Attendees must bring and use their own device. Attendees will be required to install a virtual machine (VM) that includes several tools before the class begins. The VM requires:

  • Memory: Minimum of 4GB (8GB preferred) RAM to allocate to the virtual machine
  • Disk Space: 20+ GB available

This session is recommended for:

  • Software Developers
  • Penetration Testers
  • Information Security Students

Attendees should have a basic understanding of web applications, including HTML, JavaScript, APIs and the HTTP protocol, and be comfortable using Linux and Windows.

Agenda

10:00 – 10:10 Introductions
10:10 – 10:30 Application Security Testing Methodology Overview (Lab 1 Intro)
10:30 – 10:45 Lab 1: Initial Discovery (Spider)
10:45 – 11:00 Fuzz Testing (Lab 2 Intro)
11:00 – 11:20 Lab 2: Fuzz Testing
11:20 – 11:30 Break
11:30 – 11:45 Client Side Attacks: Script Injections (Lab 3 Intro)
11:45 – 12:30 Lab 3: Cross Site Scripting
12:30 – 13:15 Lunch (Provided)
13:15 – 13:30 Authentication and Session Testing (Lab 4 Intro)
13:30 – 14:00 Lab 4: Authentication Testing
14:00 – 14:15 Authorization Testing (Lab 5 Intro)
14:15 – 14:50 Lab 5: Bypassing Authorization (Lateral and Vertical)
14:50 – 15:00 Break
15:00 – 15:20 Server Side Attacks: SQL Injection (Lab 6 Intro)
15:20 – 16:00 Lab 6: SQL Injection
16:00 – 16:15 Testing API (Lab 7 Intro)
16:15 – 16:45 Lab 7: API Testing
16:45 – 17:00 Recap of Labs and Closing Remarks

*Timing and content subject to change

Meet Your Trainer

Chuck Ben-Tzur

Chuck Ben-Tzur is an IT Security professional with over 15 years of experience as a consultant and a senior manager. Chuck has helped leading Canadian and international organizations build their corporate security programs, assess and implement effective security controls and maintain ongoing compliance. To keep his technical knowledge fresh and up-to-date, Chuck likes to “keep his hands dirty” by researching the security of new technologies, and he continuously performs hands-on penetration testing, vulnerability assessments and threat risk analysis.

Chuck has presented at many conferences and in front of professional groups, including SecTor, EnergizeIT, PMI (Project Management Institute), TASK (Toronto’s Security User Group), Federated Press and more.