AppSecUSA 2015 has ended
AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
 
Wednesday, September 23 • 1:30pm - 3:00pm
Training (1 day): Hands-on Website Exploitation with Python


This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the Python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a Python-based web application scanner and its use to assess various broken web applications.

Students will perform the following tasks:
>>Quickstart basics of Python programming
>>Development of various scripts to perform: Network sniffing and exploitation (including one that integrates Nmap functions), DOM modification, Searching and Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on Ruby scripts)
>>Development of a custom Web Application scanner
>>Use of these new tools to attack various intentionally broken web apps, including a vulnerable Shellshock server

Who Should Take This Course?
This class does not require Python experience and is encouraged for unseasoned pen-testers who want to learn this language and integrate it into their professional security testing.

What Should Students Bring?
Students should bring a laptop with Oracle VirtualBox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Speakers

Michael Born

Senior Security Consultant, Threat Services, NTT Security (US), Inc.
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, mobile application penetration testing, and social...

Fred Donovan

Professor and Director of an MSCS program. Enjoy discussions on "hacking back". Friend and brother to many.


Wednesday September 23, 2015 1:30pm - 3:00pm PDT
Pacific B