I presented at an @Night talk this evening at SANS Rocky Mountain 2016; the topic: Implementing Secure HTTP Headers. Thanks to everyone that showed up; as usual, the slides tell only a portion of the story. I did use evilsite.info to demo XFS and show some X-Frame-Options outcomes, as well as X-XSS-Protection in action, which was interesting. Unfortunately the primary banking site I had been using for clickjacking demonstrations is no longer servicing requests, so I will need to update that at some point. At any rate, the slides are here: Presentation
Thursday, July 14, 2016
Wednesday, June 29, 2016
Security Headers Part 1
Part one is XFS, and what it tries to convey is one silly risk and one real risk of not setting the X-Frame-Options header correctly on pages where sensitive transactions take place. The example referenced below is just that, an example (hence the .info domain); there is no malicious intent and no actual compromise of any of the sites used in the examples. One big TODO is to get the pages to dynamically resize based on browser size so the UI elements in the parent frame are smoother. Time is short, and what should have taken weeks to fit into the schedule took months, so here it is:
evilsite.info
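As an added example (not code from the talk slides or the evilsite.info demo), here is a small Python audit of HTTP response headers that reports the framing failure modes this post is about (no X-Frame-Options, or a permissive CSP frame-ancestors) and the Strict-Transport-Security check the series will cover. The header sets at the bottom are constructed samples, and the one-year HSTS floor is an assumption, not a value from the post.

```python
# Added example: audit response headers for framing and transport protections.
import re

FRAMING_OK = {"DENY", "SAMEORIGIN"}  # the X-Frame-Options values browsers honour
ONE_YEAR = 31536000                   # assumed HSTS max-age floor (seconds)

def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP string, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def audit_headers(headers):
    """Return a list of findings; an empty list means the checked protections are present."""
    findings = []
    csp = get_header(headers, "Content-Security-Policy")
    ancestors = frame_ancestors(csp) if csp else None
    xfo = get_header(headers, "X-Frame-Options")
    if ancestors is not None:
        # When both are present, CSP frame-ancestors takes precedence over X-Frame-Options.
        if "*" in ancestors or any(a.startswith("http:") for a in ancestors):
            findings.append("frame-ancestors allows framing by any or by plaintext origins")
    elif xfo is None:
        findings.append("no framing protection: page can be embedded cross-site (XFS/clickjacking)")
    elif xfo.strip().upper() not in FRAMING_OK:
        findings.append(f"X-Frame-Options {xfo.strip()!r} is not DENY or SAMEORIGIN")
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age missing or shorter than one year")
    return findings

# Constructed samples: a response with no protections and a hardened one.
WEAK = {"Content-Type": "text/html", "Server": "example"}
HARDENED = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```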
Sunday, May 22, 2016
SANS SEC542 August 2016 - Denver, CO
Denver Colorado!
Join me the week of August 8th, 2016 (Monday through Saturday) to learn all about web app pen testing with SEC542 and also prepare for the GIAC GWAPT (Web Application Penetration Tester) certification exam.
This is a six-day Community SANS event, complete with an attack/lab VM, books, all class materials and a full day of Capture the Flag (CTF) on day six to really solidify all of the concepts and tools.
One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Logic Attacks
- Metasploit
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Command Injection
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (XSRF)
- Command scanning tools
- Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Thursday, April 28, 2016
SANS SEC542 May 2016 - Columbus, OH
Columbus Ohio! Seats are still available for more students, please use the link to register below.
This one-week class starts Monday May 16th, 2016 and runs through Saturday May 21st, and prepares students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org/
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Blind SQL Injection
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (CSRF/XSRF)
If your job description falls under one of these categories and you have an affinity towards information security, or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Thursday, March 31, 2016
Security Headers Part 0
I am starting a series of postings that will focus on common security-related HTTP headers such as:
- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- And several others...
Wednesday, January 6, 2016
SANS SEC 542 Mentor Class March 2016 - Denver Metro
Seats are still available for more students!
This 10-week class starts Tuesday March 8th, 2016 and runs once per week for two hours each Tuesday night. This class will prepare students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org/
Meeting once a week after work, you'll learn many facets of Web App Penetration Testing and Ethical Hacking in this popular Mentor multi-week format, with time between classes to absorb and master the material. You also receive downloadable MP3 files of the full class being taught to enhance your studies.
Course Details:
Class Title: SEC 542: Web App Penetration Testing and Ethical Hacking
Start Date: Tuesday March 8th, 6:00-8:00pm
Location: Aurora Colorado
Instructor: Mentor Serge Borso
Registration details: www.sans.org/register
Each week your local Mentor, Serge Borso, will highlight the key concepts you need to know and assist you with hands-on labs and exercises. From attack methodology to server-side discovery, you'll be learning the exploits and tools needed to protect your systems from attack. The class wraps up with a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site. Each week you will be able to show off your knowledge the next day at the office!
The SANS Mentor Program is HERE! Starting soon in the Denver metro area, conveniently located in Aurora near I-225 and Parker Road. Train Local and Save on the same material taught at SANS six-day conferences.
Monday, December 21, 2015
SecureSet
Last week I presented at a SecureSet War Games event - "Web Security & Countermeasures". The focus of the talk was kept in line with the title and explored a Red and Blue Team's perspective of how to both attack and defend web applications. I wanted to specifically thank the folks at SecureSet for running the event and recognize the achievement of what they have already accomplished.
For anyone that hasn't heard: https://www.secureset.com/
You guys rock! Looking forward to 2016!