Pentest

Pentest Web White Box Intermediate - 5 days

Description

The complexity of modern web applications requires a strong understanding of the native mechanisms of the languages they are written in. Source code analysis methods make it possible to speed up and deepen the search for vulnerabilities during a penetration test.

During this five-day course, you will acquire the skills needed to identify complex vulnerabilities in the source code of Java, PHP and .NET applications. Through many practical cases on popular frameworks such as Spring or Symfony, participants learn how to make their vulnerability research more efficient using static and dynamic analysis tools.

  • 5 days (35 hours) customizable

  • 3 course modules covering the specifics of Java, PHP and .NET

  • Case studies on Spring, Struts, Hibernate, Zend, Symfony and Laravel frameworks

  • Practical cases on recent vulnerabilities, aimed at improving trainees' ability to discover new vulnerabilities by following several approaches:

    • Patch diffing

    • Taint analysis (CodeQL / Semgrep)

    • Instrumentation and debugging

    • Study of main frameworks

    • 1-day analysis (recently patched vulnerabilities): vulnerability discovery and working exploit creation

Public and prerequisites

This training is suitable for people with good knowledge of web technologies and their associated vulnerabilities. It is mainly intended for pentesters and developers who want to improve their vulnerability research methodology.

  • Pentesters

  • Developers

Good networking and Unix knowledge is recommended.

Content

Day 1

Methodology: top-down, bottom-up and hybrid approaches, static and dynamic analysis, tooling, analysis of the application architecture and its environment. PHP: fundamentals, how the language works, security mechanisms, pitfalls, study of common frameworks with analysis of their defense mechanisms and of the features that lead to vulnerabilities, setting up the analysis environment (IDE, Xdebug, PHP configuration, Semgrep).

Day 2

PHP: classic vulnerabilities and PHP-specific exploitation techniques, dangerous functions and the methodology for hunting them. Topics covered: SQL injection, code execution, type juggling, deserialization, stream wrappers and filters.
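As an added illustration of the type juggling topic listed above (this is example code written for this page, not material from the course): a token check that compares two MD5 digests with the loose `==` operator. The two seed values are constructed so that both digests have the form `0e` followed only by decimal digits; PHP treats such strings as numeric (0 times a power of ten), so `==` reports them equal even though the digests differ byte for byte. `hash_equals()` compares bytes in constant time and never coerces, so the hardened check rejects the same input.

```php
<?php
// Added example, not part of the course material.
// Constructed fixture: two inputs whose MD5 digests both match /^0e[0-9]+$/,
// i.e. strings PHP's loose comparison (==) interprets as the number zero.
const TOKEN_SEED  = '240610708'; // md5() digest begins with "0e" followed by digits only
const ATTACKER_IN = 'QNKCDZO';   // a different input whose md5() digest has the same shape

// Vulnerable: == on two numeric-looking strings compares them as floats,
// so two distinct "0e..." digests are considered equal.
function tokenMatchesLoose(string $storedDigest, string $userInput): bool
{
    return md5($userInput) == $storedDigest;
}

// Hardened: hash_equals() is a byte-wise, constant-time comparison with no
// type coercion. A strict === would also block the juggling but leaks timing.
function tokenMatchesStrict(string $storedDigest, string $userInput): bool
{
    return hash_equals($storedDigest, md5($userInput));
}

$stored = md5(TOKEN_SEED);

echo "digests byte-identical: ", var_export(md5(ATTACKER_IN) === $stored, true), PHP_EOL;
echo "loose check accepts:     ", var_export(tokenMatchesLoose($stored, ATTACKER_IN), true), PHP_EOL;
echo "strict check accepts:    ", var_export(tokenMatchesStrict($stored, ATTACKER_IN), true), PHP_EOL;
```

Run it with `php juggling.php` (hypothetical file name). The first line shows that the digests are not identical, the loose check nevertheless accepts the attacker's input, and the `hash_equals()` version rejects it. During a white-box review the pattern to grep or write a Semgrep rule for is any `==` or `!=` whose operand is the result of a hash function or a user-supplied string.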

Day 3

Java: study of classic Java applications, structure of an application (classes, JARs, JSPs, configuration files), packaging formats (WAR, EAR), web.xml configuration (URI mapping, filters, hooks, security constraints), applying the top-down and bottom-up approaches, tooling. Specifics of the main application servers: Tomcat, Jetty, WebLogic, GlassFish, WildFly. Instrumentation and analysis of Java code: setting up a code audit environment, using an IDE, debugging, instrumentation, decompilation (jd-gui, Procyon), taint analysis with CodeQL, from simply running the tool to writing custom queries.

Day 4

Java Spring: dependency injection, beans, controllers, mappings and annotations. Analysis of classic vulnerabilities and Java-specific exploitation techniques: LFI, IDOR, XXE and deserialization. Mechanisms introduced in the JDK to limit deserialization vulnerabilities (JEP 290 serialization filters, JEP 396 strong encapsulation of JDK internals) and the ways around them.

.NET: the .NET ecosystem (.NET Framework, .NET Core, ASP.NET) and its specifics. IIS: how it works, configuration, architecture, analysis of a typical deployment and the key points to audit. Study of .NET web applications: setting up a code audit environment, decompiling assemblies and locating the key elements for identifying vulnerabilities.

Day 5

.NET deserialization and marshalling: how it works, how it is configured, and how it is used. Understanding existing gadgets to find new ones. .NET Remoting: identifying vulnerable configurations.