12-28, 15:30–17:30 (Europe/Berlin), Haecksen Nice Mary
The security level of web applications is often assessed through penetration tests (pentests for short), which consist of adopting a stance and methodology close to those of an actual attacker or hostile user in order to find security flaws in the targeted application.
This workshop aims to provide basic knowledge of how to tackle that process in practice.
The workshop offers practical guidance on how to identify security flaws in web applications.
After an introductory description of a possible methodology for that kind of assessment, we will see how some of the related tasks can be automated or made easier by using appropriate software. In particular, we will cover several key features of Burp Suite, a tool that can be seen as a Swiss army knife for web pentesting.
Throughout the workshop, we will use these features against test applications to get a better grasp of how and when to use them.
We will work in a virtual machine containing the necessary elements.
To be able to use that VM, install VirtualBox from https://www.virtualbox.org/wiki/Downloads, and get the VM itself from http://rc3.j0w.co:8080/pentest_101.ova.
More detailed instructions are also available at http://rc3.j0w.co:8080/instructions.txt.
Lena David is a security researcher at Synacktiv, where she carries out security assessments on various kinds of targets.