Training (1 day): Hands-on Website Exploitation with Python

Presented at AppSec USA 2015, Sept. 23, 2015, 3:30 p.m. (90 minutes).

This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a python based web application scanner and using it to assess some various broken web applications. Students will perform the following tasks: >>Quickstart basics of Python programming >>Development of various scripts to perform: Network sniffing and exploitation (including one than integrates Nmap functions), DOM modification, Searching an Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on ruby scripts) >>Development of a custom Web Application scanner >>Use of these new tools to attack various intentionally broken web apps, including a vulnerable shell-shock server Who Should Take This Course? This class does not require python experience and is encouraged for the un-seasoned pen-testers who want to learn this language and integrate it into their professional security testing. What Should Students Bring? Students should bring a laptop with Oracle virtualbox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Presenters:

  • Michael Born - Senior Security Consultant, Threat Services - NTT Security (US), Inc.
    I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, mobile application penetration testing, and social engineering assessments. When not working, I enjoy spending time with my family, serving on the Omaha/Lincoln OWASP chapter board, and mentoring others.
  • Fred Donovan
    Professor and Director of an MSCS program Enjoy discussions on "hacking back" Friend and brother to many

Links:

Similar Presentations: