Hack.Sydney 2020

02 - 08 Nov Sydney, Australia
Australia's premium InfoSec Training Event
Offensive and Defensive Cyber Streams
Full Stack Web Attack
by Steven Seeley

Course: Full Stack Web Attack

Trainer: Steven Seeley

Training Duration: 3-days

Audience Level: Advanced

Register Now

Description:
Full Stack Web Attack is not an entry-level course.
It’s designed to push you beyond what you thought was possible and set you on the path to develop your own workflow for offensive zero-day web research. This course is developed for web penetration testers, bug hunters and developers that want to make a switch to server-side web security research or see how serious adversaries will attack their web based code.
Students are expected to know how to use Burp Suite and have a basic understanding of common web attacks as well as perform basic scripting using common languages such as python, PHP and JavaScript.
Each of the vulnerabilities presented have either been mirrored from real zero-day or are n-day bugs that have been discovered by the author with a focus on not just exploitation, but also on the discovery. So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you. Leave your OWASP Top Ten and CSP bypasses at the door.



Syllabus

* This syllabus is subject to change at the discretion of the instructor.

Day 0x01


Introduction

_PHP & Java language fundamentals
_Debugging PHP & Java applications
_Module overview and required background knowledge
_Auditing for zero-day vulnerabilities

PHP

_Loose typing
_Logic authentication bypasses
_Code injection
_Filter bypass via code reuse
_Patch bypass

Day 0x02


Java

_Java Remote Method Invocation (RMI)
____Java Remote Method Protocol (JRMP)
_Java naming and directory interface (JNDI) injection
____Remote class loading
____Deserialization 101 (using existing gadget chains)

PHP

_Introduction to object instantiation
_Introduction to protocol wrappers
_External entity (XXE) injection
____Regular file disclosure
____Blind out-of-band attacks
_______Error based exfiltration using entity overwrites
_______Exfiltration using protocols

Day 0x03


PHP

_Patch analysis and bypass
_Introduction to object injection
_Magic methods
____Customized serialization
____Phar deserialization
____Property oriented programming (POP)
____Custom gadget chain creation
_Information disclosure
_Phar planting
_Building a 7 stage exploit chain for Remote Code Execution


Additional Material

The madness doesn’t stop. Preconfigured environments will be provided for additional work after class ends for the rediscovery and exploitation of n-day vulnerabilities.

Register Now

Trainer:

My name is Steven Seeley, but I am also known as mr_me.
I’m an information security specialist and I’m originally from Australia. After having worked in the United States for a few years, I now reside in Mexico. I have years of local and international experience in corporate and government penetration tests, source code audits and security research.

This year Chris and I competed in Pwn2Own ICS Miami and we won first place, taking the title as Master of Pwn.
Previously I developed the AWAE course for Offensive Security and taught the class multiple times at Black Hat. Additionally I have been a platinum researcher with the Zero Day Initiative (ZDI) for the last 5 years running and have had over 1000 high impact vulnerabilities published through the ZDI in several major vendors.


@steventseeley
https://srcincite.io/training/

Sponsors & Partners

Want to become a sponsor? Get in touch!