[W1] Web Application Security Lab with Hacking-Lab.com

Authors: Antoine Neuenschwander, Nicolas Heiniger, Giuseppe Scalzi
Language: French
Number of participants: Between 5 and 30 participants (number of trainers will vary to match number of students).
Date: Nov. 1 - 8:00-17:30
Price: 300.- CHF / 350.- CHF (There is a special price in bundle with the conferences, see below)

Content:

This training is based on the Hacking-Lab.com platform, an online lab offering several hundred different security challenges. Participants of this training will be granted access to a selection of Hacking-Lab.com challenges, where they can exercise their skills or learn, with step-by-step instructions, how to exploit vulnerable web applications. After a common introduction, participants select the desired difficulty level and solve the proposed challenges at their own pace, with the support of two trainers. A virtual machine including all required tools is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed.

This training is open to anyone interested in web application security (e.g. web application developers, system administrators, CISOs, etc.). No particular technical level is required: the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience with the Linux command line and basic knowledge of the HTTP protocol.

[T4] Hardware hacking for beginners

Author: Nicolas Oberli (@baldanos)
Language: French or English
Number of participants: 2 to 10
Price: 800.- CHF
Date: Nov. 1 - 8:00-17:30

Training Program:

Hardware hacking is a trending topic nowadays. With all the new kinds of connected <you name it> and IoT gadgets, security researchers and hackers need different kinds of skills to analyze those devices compared to, say, web applications.

This hands-on course aims to give all the basics one needs to know about electronic components and how to interact with them, in order to explore and analyze how embedded systems work.

[T3] Deep dive into today’s SSL/TLS
by Pascal Junod (@cryptopathe)

Author: Pascal Junod (@cryptopathe)
Language: French or English
Number of participants: 6 to 18
Price: 750.- CHF
Date and time: Nov. 1 - 8:00-17:30

Training program:

This training is shaped as a one-day training around (mostly) practical aspects of the SSL/TLS protocol. As of today, SSL/TLS secures the vast majority of Internet communications: web, email, VPNs, etc. In recent years, SSL/TLS has repeatedly made the headlines, whether for attacks (Heartbleed, POODLE, BEAST, etc.) or for initiatives around it (Let's Encrypt, etc.)....

[T2] Burp Suite Pro
by Nicolas Grégoire (@Agarri_FR)

Author: Nicolas Grégoire (@Agarri_FR)
Language: French or English
Number of participants: 5 to 15
Price: 750.- CHF
Date and time: Nov. 1 - 8:00-17:30

Training program:

This training is designed for web penetration testers already familiar with the Burp Suite Pro auditing tool. Based on the "Mastering Burp Suite Pro – 100% hands-on" class, this session is expected to move much faster, while covering interesting problems faced in everyday engagements and significantly enhancing your automation skills. Numerous elaborately designed challenges will guide trainees through this full day of intense-but-fun Burp Suite Pro practice.

[T1] Improving applications security in practice for Android developers
by Jérémy Matos (@SecuringApps)

Author: Jérémy Matos (@SecuringApps)
Language: French or English
Number of participants: 4 to 16
Price: 750.- CHF
Date and time: Nov. 1 - 8:00-17:30

Training program:

Providing a native Android application, whether for usability, performance or connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, and that code can no longer be considered secret.

Through the exploitation of a real-world Android application (app1), we will see how easily a loss of revenue can be caused. The techniques of static analysis (bytecode decompiling) and dynamic analysis (hooking) will be put into practice in a lab to obtain unlimited free coins in a game (app2). Bytecode patching will also be addressed, to understand the threat of application repackaging.

The OWASP Mobile Top 10 2016 will be presented, with clear examples from app1 and app2 of what not to do. Practical recommendations will be provided to fix the security issues in app1 and app2, in addition to an inventory of useful protection features provided by Android (e.g. SafetyNet).

Finally, another lab will use the Native Development Kit (NDK) to handle a cryptography use case.