NOTE: This is a half-day hands-on training course. Let me know if this is something you can offer your attendees. If not perhaps we can just offer a normal sized talk on a sub-topic. A high-energy demo-laden caffeine-laced session that will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industries, most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). This is a hands-on session. Attendees are REQUIRED to bring a PC, Mac, or Linux box running either Oracle VirtualBox or VMware Player (both are free). All of the tools and targets used during the session will be available to the attendees in a single virtual machine file. To prepare: wait until the day before the event then grab the latest version of the Web Security Dojo from here: https://www.mavensecurity.com/web_security_dojo/ NOTE: It,s best to wait until the day prior to the event to be sure you have the latest version of "the Dojo" since that is the version we will use during the session. Time permitting the following topics will be covered: Web Primer (HTML, HTTP, Cookies; just the basics) Introduction to Burp Suite Threat Classification Systems (OWASP Top Ten & WASC Threat Classes) Vulnerability Category: A1 - Injection (SQL, XML entity, etc.) Vulnerability Category: A3- Cross-Site Scripting (XSS) Vulnerability Category: A8 - Cross-Site Request Forgery (CSRF) NOTE: Since the student will have all of the tools and targets in a single virtual machine, they are free to continue the learning after the session in the privacy of their own localhost. No network required. The Web Security Dojo includes various PDF walk-through guides for some of the targets.

David Rhoades is the founder & CEO of Maven Security Consulting Inc. (www.mavensecurity.com), established in 2001. Maven Security is a Delaware corporation that provides information security assessments and custom services to a global clientele. David,s expertise includes web application security and vulnerability assessments. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David has taught at various security conferences around the globe (Interop, OWASP, USENIX, ISACA, SANS, DefCon, Black Hat). David is he chapter lead for OWASP Delaware chapter (https://www.owasp.org/index.php/Delaware). David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu).

Recorded at BSides Philly 2017