HackerOne's bug hunters have earned $20-Million in bug bounties by 2017, and are expected to earn $100-Million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for bug hunters in the upcoming years. This course will provide you with a solid technical training by one of the Top 10 HackerOne bug hunters.
Modern web applications are complex, and it's all about full-stack nowadays. That's why we will dive into full-stack exploitation so that you can master web attacks and maximize your payouts. Say "No" to classical web application hacking, and instead join this unique hands-on training to become a full-stack exploitation master.
Key Learning Objectives:
After completing this training, you will have learned about:
- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- Bypassing Content Security Policy
- Server-side request forgery
- Browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- Type confusion vulnerability
- Exploiting race conditions
- Path-relative stylesheet import vulnerability
- Reflected file download vulnerability
- Subdomain takeover
- and more...
Students will be provided with a VMware image with a specially prepared testing environment to play with the bugs. This environment will be self-contained, and when the training is over students can take it home to hack again at their own pace, after signing a Non-disclosure Agreement.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
Pre-requisites:
To get the most out of this training, an intermediate knowledge of web application security is recommended. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyse or modify the traffic.
What you will need to bring:
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version).
Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).
Who Should Attend:
Penetration testers, bug hunters, security researchers/consultants.