In a “guest post” Dawid Czagan explains a little more about what attendees can expect from his training…
My hands-on training Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more is unique, because it is based on real, award-winning bugs found in famous companies like Google, Yahoo, Mozilla, Twitter,… Students will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
It will be the second edition of this training at BruCON. The first one (BruCON 2015) was sold out.
After completing this training, students will have learned about:
- tools/techniques for effective hacking of web applications
- non-standard XSS, SQLi, CSRF
- RCE via serialization/deserialization
- bypassing password verification
- remote cookie tampering
- tricky user impersonation
- serious information leaks
- browser/environment dependent attacks
- XXE attack
- insecure cookie processing
- session related vulnerabilities
- mixed content vulnerability
- SSL strip attack
- path traversal
- response splitting
- bypassing authorization
- file upload vulnerabilities
- caching problems
- clickjacking attacks
- logical flaws
- and more…
This hands-on training was attended by security specialists from big companies like Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector and it was very well-received (recommendations here: https://silesiasecuritylab.com/services/training/#opinions ).
Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.