Training 2014

The 20/03/2014, we will propose 3 workshops to help you improve your security skills.
2 workshops are organized by the Appsec forum


Workshop 1 : APPSEC workshop , Avanced Burp Pro, 100% hands‐on, by N gregoire (pdf)

The trainer :
Nicolas Gregoire has more than 13 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He founded Agarri, a small company where he finds security bugs for customers and for fun. His research was presented at numerous conferences around the world (Hack in the Box, HackInParis, ZeroNights, …) and he was publicly thanked by some well known vendors (Microsoft, Adobe, Mozilla, Google, Apple, VMware, …) for responsibly disclosing vulnerabilities in their products. He also participates in bug bounties and won (twice) the highest Prezi reward ever offered.
Nicolas presented last year at HackInParis and OWASP AppSec about advanced usage of Burp Suite, based on his 8 years of experience. This “Burp Pro real‐life tips and tricks” talk was very well received. All modesty aside, the author of Burp himself published on Twitter “Serioulsy cool presentation – excellent work!”. This talk was a compilation based on a 3‐days hands‐on Burp training proposed by Nicolas to his customers. A compact 1‐day version is now proposed at Insomni’Hack 2014.
Mastering Burp Suite allows a penetration tester to get the most of a tool where he usually spend countless hours. His work is then faster, less error‐prone and more reproducible. Last but not least, more time and brain power are available to the tester, who can focus on identifying and exploiting complex and creative vulnerabilities. Possible targets are classical web applications (of course) but also thick clients, mobile applications, internal networks or complex cloud deployments.

Training duration :
1 day

Thématique(s) :
Note: this plan may be modified depending on the audience skills or expectations
Introducing Burp (GUI, tools, audit workflow)
Using a personalized configuration
Advanced usage of Intruder, Repeater, Proxy and Sequencer, …
Tons of tips and tricks (cf. my HackInParis’13 talk for an excerpt)
Extensions: useful on‐the‐shelf ones, basic templates for common needs, coding your own

The training is based on dozens of micro‐challenges replicating real‐life scenarios:
Complex brute‐force, data extraction, thick clients, ACL, cryptography, home‐made encoding, CSRF tokens, sessions and macros, …

Nombre de participants minimum requis: 3
Nombre de participants maximum autorisé: 10

Languages :
French/English

Matériel nécessaire :
Laptop with an Ethernet/RJ45 connector
OS Linux (including Kali) or Windows or Mac
Recent JVM (preferably from Oracle)
Burp Pro license (if needed, a temporary one can be provided on prior request)
Basic knowledge of Burp Suite (UI navigation, traffic interception and replay)
Text editor + browser

Workshop 2 : APPSEC workshop , Cryptography for developers , by JP Aumasson (pdf)

The trainer :
Jean‐Philippe Aumasson is Principal Cryptographer at Kudelski Security, and is employed in the Kudelski Group since 2010. In 2009, he obtained a PhD in cryptography from EPFL, while working as a researcher in applied cryptography and cryptanalysis at Fachhochschule Nordwestschweiz with Prof. Willi Meier. Prior to that he received a research master in computer science from UniversitÈ Paris VII. Jean‐Philippe is known for designing the cryptographic algorithms BLAKE (one of 5 SHA‐3 finalists), SipHash (used in OpenDNS, Perl, Ruby, etc.), and BLAKE2 (used in WinRAR, Pcompress, etc.).
He authored more than 30 research articles in the field of cryptography and cryptanalysis, and talked at a number of security cons including Black Hat and CCC. Recently he initiated the Cryptography Coding Standard (https://cryptocoding.net) and the Password Hashing Competition (https://password-hashing.net), which are open collaborative projects aimed to improve the overall state of security.

Training duration :
1 day

Thématique(s) :
Cryptography for developers

Useful references to check before the training :
https://cryptocoding.net/
http://blog.cryptographyengineering.com/
https://131002.net/data/talks/cryptanalysis_bhad11.pdf
http://spar.isi.jhu.edu/~mgreen/650.445/Course_Syllabus.html
http://cacr.uwaterloo.ca/hac/
http://www.cryptofails.com/

Nombre de participants minimum requis: 5
Nombre de participants maximum autorisé: 10
Nombre de participants désirés: 10

Languages :
French/English

Matériel nécessaire :
laptop avec python installé

Workshop 3 : Exploitation Linux, par SCRT

The trainers : SCRT – Michael Zanetta & Florian Gaultier

Training duration : 1 day

Thématique(s) :
Cette formation permet d’obtenir de solides bases en exploitation de corruption mémoire sur un système linux 32bit. Elle commence par une introduction de l’assembleur x86 et la création de shellcode et se termine par la création de chaînes ROP en passant par les format string et le buffer overflow.

Languages : French

Pré‐requis:
Connaissance en C et assembleur.
Bonnes bases en Linux.
Un laptop avec au moins vmware player.