Ben Sadeghipour - Hacking Organizations: Phishing Not Required $1,500 (Early $1,300)
Name of Training:
Hacking Organizations: Phishing Not Required
Teach students how to identify vulnerabilities in web applications and digital assets from an external perspective.
“Hacking Organizations: Phishing Not Required” is a comprehensive course designed to teach students how to identify vulnerabilities in web applications and digital assets from an external perspective. The first two days of the course cover the ten most common vulnerabilities found in web applications as well as the principles of reconnaissance. On the third day, students apply these skills to develop a technique for identifying impactful vulnerabilities that could allow access to an organization's internal infrastructure. This training is appropriate for anyone interested in web application penetration testing, bug bounties, or joining a red team with a web and reconnaissance focus.
Ben Sadeghipour, also known as NahamSec, is a hacker, content creator, trainer, public speaker, and conference organizer. He has extensive experience in ethical hacking and bug bounty hunting, having identified and exploited thousands of security vulnerabilities for companies such as Apple, Yahoo, Google, Airbnb, Snapchat, the US Department of Defense, and Yelp. Sadeghipour was formerly the head of Hacker Education at HackerOne. In addition to his professional pursuits, Sadeghipour also creates content on YouTube and Twitch to help others get into ethical hacking, bug bounty, web hacking and reconnaissance.
Trainer(s) social media links:
Burp Suite Basics
HTTP Basic Refresher
Open Redirects + Labs
Basics of open redirects
Cross-Site Scripting (XSS) + Lab
Reflected Cross-Site Scripting
Stored Cross-Site Scripting
DOM Cross-Site Scripting
Blind XSS
Break
Cross-Site Request Forgery (CSRF) + Lab
No CSRF token
Reusable CSRF token
Insecure Direct Object References (IDOR) + Lab
Incrementing IDs
Weak encryption (Base64)
UUIDs obtained from other vulnerabilities
Local file Read & Path Traversal + Lab
Path Traversal Basics
Local File read
Path traversal bypasses
Advanced Path Traversal and local file read
Server-Side Request Forgery (SSRF) + Lab
Understanding SSRF + Protocols
Local File Read
Blind SSRF and Port Scan
Accessing the local network via SSRF
Allow listing and deny listing
Exploiting PDF Generators and Similar
Privilege Escalation + Lab
Understanding user roles
Priv Esc through IDOR
Priv Esc via password brute force
Elevating user access roles
Arbitrary file upload + Lab
Unvalidated upload (php, asp, etc)
Path Traversal in uploaders
XML external entity (XXE) + Lab
Basics of XXE
XXE in Excel, DOCX, etc.
XXE in PDF Generators
Remote Command / Code Execution
RCE via file uploads
Remote Command Injection in URL parsing
Weak or default credentials
Weak or default credential Basics
Looking through previous password dumps
Components with Known Vulnerabilities
RCE via known vulnerabilities
Reconnaissance - Asset Discovery + Hands on demo
ASN Ranges (Cloud vs in house)
Subdomain Brute Forcing
Third-party tools (Shodan, Censys, etc.)
Permutation and Environments
Reconnaissance - Content Discovery + Lab
Creating and maintaining word lists
Contextualizing directory/file brute forcing
Information gathering using HTTPS
Leveraging search engines for reconnaissance
Finding additional information about your target
Understanding company infrastructure
Identifying and prioritizing interesting assets
Combining asset discovery and content discovery
Looking for leads (documentation, API specs, etc.)
Looking for patterns of mistakes across an infrastructure
DNS Misconfigurations (subdomain or DNS takeover)
SSO bypass or privilege escalation
Final Lab + Test
Beginner to intermediate
While this training covers the foundations of web application hacking, it is highly suggested that students already have a solid foundation in web application hacking and in web development.
How to set up Burp Suite:
What students should bring:
Students should bring a laptop (macOS, Windows, or a Linux distribution of your choice) with a working browser. Please make sure you have installed Burp Suite and are able to intercept your browser's traffic.
DATE: August 12th-13th, 2024
TIME: 8am to 5pm PDT
VENUE: Sahara Las Vegas
TRAINER: Ruben Gonzalez, Tim Schmidt
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before September 16th; a $250 processing fee applies.
Trainings are non-refundable after September 26th, 2024.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.