SEC-T - 0x10sion

With more than 55 labs in two days, you are in for a glue-me-to-the-keyboard adventure covering:

• Defending and attacking Web APIs (REST, GraphQL..etc)
• Attacking and securing AWS APIs and infrastructure.
• Launching and mitigating modern Injection attacks (SSTI, RCE, SQLi, NoSQLi, Deserialization, object injection and more)
• Securing and attacking passwords and secrets in APIs.
• API authentication, authorization and access control.
• Targeting and defending API architectures (Serverless, microservices, web services & APIs)

You will learn

• Attacking and defending web APIs. (REST, GraphQL):
  • Learn REST and GraphQL security best practices.
  • Create APIs that are easy to use securely and hard to use insecurely.
  • Techniques and tools to design, test and attack APIs and microservices.
  • Mitigate and defend against security weaknesses in APIs.
  • Implement secure web socket channels and defend against Cross-Site WebSocket Hijacking.
• Attacking and securing Amazon cloud (AWS) APIs and infrastructure.
  • Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injections… etc
  • Perform post exploitation and pivot attacks against AWS environments.
• Performing modern injection attacks:
  • Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injections… etc
• Securing passwords and secrets in APIs:
  • Learn how to effectively manage the problem of credential storage.
  • Attack insecure password protection schemes and export credentials.
  • Utilize open-source and platform-independent credential management solutions.
  • Implement secure password storage and handling.
  • API authentication and authorization techniques.
  • Understanding the intricate and minute details of authentication and authorization frameworks and technologies.
  • Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
  • Understand OAuth2, JWT/JWS and other authentication technologies.
  • Attack and fix insecure JWT and cookie implementations.
  • Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
  • Implement and attack multi factor authentication for APIs.
• Designing secure API architecture:
  • API and microservices security architecture.
  • Handle files securely by allowing only authorized downloads even in segmented microservice architectures.
  • Learn and understand cache security and what threats and vulnerabilities can arise out of insecure caching methods and configurations.
  • Attack and secure cache implementations and infrastructure.
• Securing development environments:
  • Securing source code using secure Git configurations and live monitoring.
  • Securing software dependency and supply chain.

Course Outline

• Day 1:
  • Introduction to modern APIs
  • Security Architecture for APIs
  • Data and File attacks against APIs and clients
  • Injection attacks against APIs and clients:
  • HTTP Security
• Day 2:
  • Token Security
  • Cache Security
  • Credential handling and storage
  • Authentication and authorization in APIs
  • Securing Source Code

Training delivery format: full focus on hands on exercises and labs (55+) labs, with a CTF challenge and multiple questions. The labs have multiple levels to accommodate different levels and speeds of training attendees, as well as take-home labs for those interested in spending the night on the keyboard!

Students Should Bring

• Laptop with minimum 8GB RAM and 40GB free hard disk space with USB ports and virtualization enabled/available.
• Student must have full control of the laptop (can install software, can disable anti virus..etc).
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Enough storage to host multiple copies of the class VM in case modifications and restores are needed.
• Ability to connect to the internet (The class requires going online).
• An active AWS account for each student (free tier or otherwise) is required.
• Note: VMware player or VirtualBox is not recommended for this training.

Student Prerequisites

• Familiar with the concepts of Web, Linux, Cloud services, security, and APIs
• Basic programming skills.
• Basic ability to use command line interfaces.
• Scripting experience recommended.
• Familiarity in Python and JavaScript is recommended.

The Instructor

Mohammed Aldoub is an independent security consultant and Blackhat Trainer from Kuwait, who, in his 12 years of experience, worked on creating Kuwait’s national infrastructure for PKI, cryptography, smartcards and authentication. Mohammed delivers security trainings, workshops and talks in events like Blackhat (USA,EU, Asia),DEFCON, SANS, RSA, SecTor, Infosec in the City, OPCDE, SEC-T, CyberNights around the world in places like the Netherlands, USA, Sweden, London, Czech Republic, Singapore, Dubai, Lebanon, Riyadh, Kuwait, and others. Mohammed is a member of the Training Review Board of the Blackhat conference, overseeing global training delivered there and ensuring the best quality training is delivered there. Mohammed is focusing now on APIs, secure devops, modern appsec, cloud-native security, applied cryptography, security architecture and microservices. He is the author of “barq”, the AWS post exploitation attack framework, which you can find at: https://github.com/Voulnet/barq and he’s also the author of Desharialize, which you can find at: https://github.com/Voulnet/desharialize Mohammed is deeply interested in malware, especially those used by state actors in the Middle East zone, where he volunteered as OWASP Kuwait’s chapter leader. You can find his twitter account at https://twitter.com/Voulnet You can find his Github accout at: https://github.com/voulnet