I, Hacker
Hacking and music and activism, oh my!
2013-06-11.1

Introduction

Today I'm proud to announce a first-of-its-kind web security course. Spanning 12 intensive weeks, this course goes well beyond what's possible in traditional trainings and will transform you into a web security professional.

Note: this is not in any way affiliated with my employer.

Goal

My goal with this course is to take you from web developer to web security professional. You will know common (and uncommon) vulnerabilities, how to discover them, how to exploit them, and how to protect against them.

By the end of the 12-week course, you will be in a good position to build secure products, work as a security consultant, and generally break everything that comes across your desk.

There are no written tests or fill-in-the-blanks homework. Every exam is a practical one and you will be finding bugs from day one.

Security professionals are more in demand than ever; whether you're looking to move up as a developer or jump into the security field, you will get your money's worth.

Upon successful completion of the course, I will -- if you opt-in -- personally refer you to several of the top security consultancies in the world. You will be the perfect candidate!

Prerequisites

  • You are a developer with experience working on and with web applications.
  • You understand HTML and can read and write JavaScript well.
  • You know at least one of {PHP, Python, Ruby, Java} and can read and understand web applications written in them.

What to expect

As mentioned before, you will be finding bugs on day one. You can expect 2-4 hours of course work in the week following each class and 3-4 practical exams throughout the course. Your success in this course is highly dependent upon completing the assigned work in a timely fashion, due to the depth and breadth covered.

If you start to get in the weeds or just have some questions, I'll be available to help you out and get you back on track. You'll also have access to private forums for students, and an IRC channel in which to discuss problems.

Syllabus

Week 1

The first week, we start with an introduction to the course and end with you finding your very first bug. This sets the pace for the rest of the course.

  • Introduction
    • Structure of the course
    • How to contact me
    • Resources
  • General introduction to security
    • How to think like a breaker
    • How to write up security findings
  • Tools and setup
  • Your first bug

Week 2

In this week, we will discuss how browsers work, from the ground up. This will give you insight into how you can violate trust boundaries and lead us right into breaking web applications. You'll also learn about cross-site request forgery (CSRF), one of the most common vulnerabilities you will find in applications today.

  • HTTP requests
    • What they look like and what they contain
    • How cookies work
  • HTML
    • How it's parsed
    • How legacy code in browsers helps attackers
  • JavaScript and DOM
    • How JavaScript runs
    • How the DOM works
  • Content-type sniffing overview
  • Encoding overview
  • Same-origin policy
  • Cross-Site Request Forgery

Week 3

In this week, we'll dive in with several common, severe vulnerabilities. We'll examine real-world cases with a focus on how to discover them, how to exploit them, and how to mitigate them.

  • Forced browsing
  • Directory traversal
  • Improper authorization
  • Authentication bypasses

Week 4

In this week, we'll discuss in-depth two of the most common and crippling vulnerabilities found in web applications today. You'll learn discovery and exploitation techniques as well as mitigations.

  • Cross-Site Scripting
    • Reflected
    • Stored
    • DOM
    • Common protections and how they fail
  • SQL Injection
    • Typical
      • Discovery
      • Exploitation
    • Blind
      • Discovery
      • Exploitation
        • Tools

Week 5

In this week, we will discuss several vulnerabilities with far-reaching consequences for web applications. Command injection will be a focal point, wherein you will learn how to bypass standard protection mechanisms and see how subtle bugs can have major consequences in real-world applications. You'll also get an introduction to testing web services and web APIs.

  • Clickjacking
  • Command injection
  • Cookie tampering
  • Session fixation
  • Testing web services/APIs
    • REST
    • SOAP
    • JSONP

Week 6

In this week, you will learn how to turn an application's logic against itself, enabling you to read and write files, execute your own code on the webserver, and more.

  • Arbitrary file reads/writes
  • Local and remote file inclusion
  • File upload flaws
  • Unchecked redirects

Week 7

In this week, we'll discuss how to effectively review source code, an invaluable tool in the security professional's skillset.

  • Source code auditing
    • What you can reasonably expect to accomplish
    • Tools
    • Tracking coverage
    • Entrypoint tracing

Week 8

This week will focus on how to think through secure design and architecture, identify threats, and enable more secure development.

  • Threat modeling
    • What it is
    • Why it's useful
    • Why full threat modeling is a waste of time for consultants
  • Secure design
    • Questions to ask
    • Red flags
    • Supporting legacy designs

Week 9

In this week, we will discuss securely storing passwords -- and what's possible when this is not done -- as well as go through the core things you need to understand about crypto and what to look for in a secure application.

  • Password storage
    • Pitfalls
    • Doing it right
  • Crypto crash course
    • Stream ciphers
    • Block ciphers
    • Asymmetric ciphers
    • Hashes
    • MACs

Week 10

This week will focus on various common crypto bugs and discuss how to take advantage of them and how to prevent them.

  • ECB failings
    • Block reordering
    • Block replacement/corruption
  • Padding oracles
  • Hashes versus MACs
  • Stream cipher XOR

Week 11

Leading into the final week, we will cover several advanced exploitation techniques that will come in handy against hardened real-world applications.

  • WAF bypasses
  • XSS via alternate encodings
    • Encoding sniffing
  • External entity injection
  • Advanced SQL injection

Week 12

In the final lesson, we will review all that has been learned, then run through several real-world scenarios from both an attacker and defender's perspective.

  • Review of web vulnerabilities
  • Review of crypto and vulnerabilities
  • Scenarios for secure architecture design
  • Scenarios for general web security

Schedule

Current plans are to begin classes the week of August 11th and run for the 12 weeks following. Each class will be one hour long and take place twice weekly (two identical classes), to accommodate different schedules.

I'm going to be taking a poll of students to see which of the time slots I propose will be best; as it stands, there will likely be one in the evening during the week (EST/GMT-5) and one earlier in the day on the weekend, to give coverage and flexibility to the majority of the world.

Price

The price is $1000 for early-bird sign-ups and $1500 for the remaining seats. This comes out to $125 a week ($83 for the early-birds) -- the best money you'll ever spend to expand your knowledge and further your career.

This price will double in subsequent runs of the course and seats are very limited. Being the first run, there will certainly be some bumps in the road, but I guarantee that everyone who participates will find it very valuable.

Sign up

You can sign up for the course at Eventbee, here. See you in class!

FAQ

Who are you and why are you doing this?

I'm Cody Brocious, a security consultant and reverse-engineer with nearly a decade of experience in the field. You can see my portfolio and read more about me on Wikipedia.

The reason I'm doing this is that I absolutely love the security industry, and having more people in the field makes it more exciting and makes the world a better place. Whether you stay in software development or become a security consultant, you will be making software safer and more secure for all of us.

How are the classes being run?

Each class is a live video stream where I give the class, diagram things out as necessary, and show relevant code and attacks. While that's going on, you'll be in an IRC channel where you can discuss the class and ask me questions in real time. The recorded class and IRC logs will be available after the fact for review.

In addition to this, you'll receive an outline of what the class covered and anything else that may help you along with your coursework.

What is the coursework? What about exams?

The majority of the coursework will be styled as a CTF (capture the flag). In essence, you will be breaking from day one and putting these attacks in practice. The exceptions are some of the crypto and the secure architecture/threat modeling portions of the course. These will be graded for your benefit but do not count towards your score.

Exams are largely practical as well, but will be more open-ended, as you will see in real-world security testing.

Can we work in groups?

Absolutely! I encourage you to form groups -- local study groups especially, if you're able -- and make use of the forums and IRC channel that will be provided. The one exception is on exams, as those are graded.

What do I get for completing the course?

You will receive a unique certificate upon successful completion of the course -- cryptographically signed, of course!

I have a question that isn't covered. How can I reach you?

Feel free to shoot me an email at cody.brocious+course@gmail.com with any questions you may have. I look forward to speaking with you!

Sign up

In case you didn't already sign up above, you can do so at Eventbee, here.