Training
Table of Content
1.Jump into the hacking right away (45 min)
Is your environment ready to hack?
- Tools check: Burp suite , JWT Tool
- Admin access?
- Do you have a VPS to catch the reverse shell? If not, may be create one or join someone who has
Let’s catch up on some basics:
- User input
- HTTP/HTTPS
- TLS/SSL
- Encoding | Encryption | Hashing
- JSON, JWT, XML JWS etc.
- Reverse shells & why they are awesome
- Recon(Subdomain enumeration,port scanning the right away)
- Common web application vulnerabilities and attack vectors
2.Hacking JSON Web Tokens
- Basics of JSON Web Tokens & authorisation with
- Analyzing the token
- Let’s hack the JWT
- Discussing some case studies from our pentests
3. Insecure Direct Object Reference
- Hunting for IDOR
- Account Takeover via Insecure Direct Object Reference
- Chaining IDOR & XSS
- Can you take over the account?
4. Server-Side Request Forgery
- Basics of SSRF
- Exploiting SSRF vulnerability in the application
- Getting more evil with SSRF
6. Remote file inclusion
- Understanding RFI
- RFI to Reverse shell
7. Hacking Jenkins
- Discovering a vulnerable software
- Server compromise with reverse shell
8. Local privilege escalation on Linux
- From a limited shell to root
9. Q&A and Closing Remarks
- Addressing participant queries and concerns
- Recapitulating key takeaways from the training session
- Resources for further learning and self-improvement
What to bring?
- Laptop with good configuration and admin privilege preferably a Kali VM
- Burp Suite Community or Pro
(https://portswigger.net/burp/communitydownload) - Optional: It would be great if you have a VPS setup of yourself, to catch the reverse shells
Training prerequisites
- Basic knowledge of web application penetration testing
- Basic knowledge of burp suite
- For example, using burp suite, basics of linux, using a VPS for hacking
What to expect?
- Meet awesome trainers
- Get some sticker & swag (if you can answer complex questions)
- Maybe win some prizes
- Ohh yeah, learn some web hacking
Speakers Profile
Akarsh Singh
Vikas Yadav
Venue & Time
Hall Name: Hall 4Time: 8 HourWorkshop Goal
In this advanced web hacking training session, participants will immerse themselves in
the realm of web application security. Through immersive hands-on demonstrations and
practical exercises, attendees will gain expertise in cutting-edge techniques used by
ethical hackers to identify & exploit vulnerabilities in web applications.
Note that basic level knowledge of web application hacking is mandatory.
About Speakers
I’m Vikas Yadav, presently employed as a Cybersecurity Analyst with Enciphers. My
professional competence in the field of cybersecurity is wide-ranging, including Red
Teaming, adversarial tactics, conducting phishing evaluations, penetration testing of
both web applications and networks, along with Android penetration testing. I possess a
passion for exploring different aspects of cybersecurity, which fuels my interests in
threat intelligence, digital forensics, and advanced persistent threats
Akarsh Singh With the onset of my professional journey in 2020, I embarked on a rewarding path as an Information Security intern at Enciphers. This enriching opportunity not only honed my skills but also exposed me to a diverse array of technologies, encompassing web application penetration testing, mobile application penetration testing, network pentesting, and API penetration testing. Since then, my dedication and passion for the field have propelled me to the esteemed role of Tech Lead – Security Team at Enciphers, where I continually strive to augment my expertise and stay abreast of the ever-evolving technological landscape.I take immense pleasure in imparting the pentesting knowledge acquired through real-world application assessments. This passion for sharing my expertise has granted me invaluable opportunities to conduct training sessions and deliver insightful talks at prestigious conferences, including Bsides Delhi and Seasides Goa. It brings me great joy to contribute to the cybersecurity community and inspire others through my experiences in the field of pentesting.