BSides Boston 2016 has ended
Training
Friday, May 20
 

10:00am EDT

Advanced Web Hacking [Full day class]

GuidePoint Security’s Advanced Web Hacking class heavily emphasizes hands-on learning through an instructor-led, simulated Web Application Assessment against a proprietary web application that was built specifically for this course. Throughout the course, students will perform OSINT gathering, Application Discovery, manual vulnerability identification, and various exploitation techniques. The course moves beyond the basic OWASP Top 10 Web Application Vulnerabilities by introducing advanced forms of these common vulnerabilities, built from our own penetration testing experience. Focus is also placed on creating realistic Proofs of Concept to show higher impact and what an attacker could do if the vulnerabilities were exposed.

Topics Covered:


Application Discovery

  • Information Gathering
  • Application Functionality 
  • OSINT 
  • Fingerprinting 
  • Identifying Application Entry Points

Vulnerability Identification
  • Automated Scanning Limitations
  • Manual Vulnerability Identification Techniques


Vulnerability Exploitation

  • Blind SQLi
  • Advanced XSS
  • Server Side Template Injection (SSTI)
  • Privilege Escalation
  • Account Hijacking
  • Writing Proof of Concept Exploits

Course Requirements: Course attendees are required to have a laptop with an up-to-date Kali Linux Virtual Machine. This class is open to attendees of all skill levels; however, we assume prior knowledge of common web vulnerabilities and their exploitation.

 


Speakers
David Bressler

David Bressler is a Managing Consultant at GuidePoint Security within the Application Security Team. He has more than 8 years of broad-based experience managing application penetration testing, source code review, architecture review, network penetration testing, digital and physical...
Casey Dunham

Casey Dunham is a Security Consultant at GuidePoint Security with 10 years of experience as a full stack software developer in various industries managing development projects and building DevOps and Security initiatives into the Software Development Lifecycle. Before joining GuidePoint...


Friday May 20, 2016 10:00am - 5:30pm EDT
NERD 1 Memorial Dr

10:00am EDT

Introduction to Hardware Hacking [Full day class]

This training will introduce the audience to the field of reverse engineering electronics. Attendees will learn in a hands-on environment how to identify areas of circuit boards to target and perform the extraction of firmware and data at rest, and interception of data in transit. The workshop will introduce and explain various ICs such as microcontrollers and radio transceivers, JTAG, common embedded flash storage solutions, and various types of communication buses. Registration cost includes some hardware hacking tools that may be kept by attendees. The target audience for this workshop has little to no experience in electronics.

Attendees will receive:
- A Bus Pirate or GoodFET
- Hookup wire and EZ-hooks for connecting components to target hardware
 

Speakers
Brent Dukes

Brent Dukes (@TheDukeZip) has over a decade of experience in systems engineering designing both hardware and software for radio applications. He has a passion for reverse engineering, and spends his free time competing in CTFs and modifying consumer electronics to suit his own needs...


Friday May 20, 2016 10:00am - 5:30pm EDT
NERD 1 Memorial Dr

1:00pm EDT

CTF: Learn to Hack for Fun and Profit! [Half day class]

Learn about Capture The Flag (CTF) competitions and how you can participate. This training will provide a background on what CTFs are and how they operate. This training will then guide participants through several real CTF challenges from previous competitions to help build an intuition for how to approach CTF problems and teach real-world hacking skills that are used to defeat the challenges. Completion of this training should prepare participants for competing in the BSides Boston CTF.


Speakers
John-Nicholas Furst

John-Nicholas Furst is a Hardware Engineer at Akamai with a long history of participation in CTFs. As a founding member of the hackerspace BUILDS at Boston University, he honed his skills in competing in various CTFs internationally. He eventually moved into running CTFs as a co-founder...


Friday May 20, 2016 1:00pm - 5:30pm EDT
NERD 1 Memorial Dr

1:00pm EDT

Physical Security Testing [Half day class]

This training presentation will be a complete walkthrough on how to perform physical security tests. This is NOT a lock-picking class. We will be covering common tools and tactics used to gain access to target facilities as well as provide videos from real-world testing and hands-on demonstrations of physical and electronic tools. Additionally, common issues that penetration testers encounter will also be discussed, such as personal psychological issues (insertion mentality), manipulating people efficiently and understanding the most common physical security controls encountered during testing.

Additional topics to include:
- Onsite and remote advance work (recon/surveillance)
- Penetration of the external barriers
- Penetrating the facility/internal barriers
- Penetrating the people (security personnel and attacking human targets)
- Deploying low power boxes on the network for remote network access and audio/video surveillance.


Speakers
Keith Pachulski

Keith Pachulski is currently working for Dell SecureWorks as a Principal Security Consultant. He performs physical security services and executive security services independently. With more than 22 years of experience in physical and information security, he is currently responsible...


Friday May 20, 2016 1:00pm - 5:30pm EDT
NERD 1 Memorial Dr