Abraham Aranguren - Hacking Modern Web Apps: Master the Future of Attack Vectors - DCTLV2025
Name of Training: Hacking Modern Web Apps: Master the Future of Attack Vectors
Trainer(s): Abraham Aranguren, Anirudh Anand, and Ashwin Shenoi
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $1,700
Course Description:
This course is a 100% hands-on deep dive into the OWASP Web Security Testing Guide (WSTG) and the relevant items of the OWASP Application Security Verification Standard (ASVS), so it covers and goes beyond the OWASP Top Ten.
Long gone are the days when web servers were driven by Perl scripts and apps were written in Delphi. What do Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix have in common? They all use Node.js: JavaScript on the server.
Modern Web apps share the traditional attack vectors and also introduce new opportunities for threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that also work against any other web app platform. It is ideal for penetration testers and web app developers, as well as anyone interested in JavaScript/Node.js and modern app stack security.
Get a FREE taste of this training, including access to the video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps
All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF; it is self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Course Outline:
### Day 1: Hacking Modern Web apps by Example ###
Part 0 - Modern Web App Security Crash Course
- The state of Modern Web App Security
- Modern Web App architecture
- Introduction to Modern Web Apps
- Modern Web Apps and the filesystem
- JavaScript prototypes
- Recommended lab setup tips
Part 1 – Static Analysis, Modern Web App frameworks and Tools
- Modern Web App frameworks and their components
- Finding vulnerabilities in Modern Web App dependencies
- Common misconfigurations and flaws in Modern Web App frameworks and applications
- Tools and techniques to find security flaws in Modern Web Apps
Part 2 - Finding and fixing Modern Web App vulnerabilities
- Identification of the attack surface of Modern Web Apps and general information gathering
- Identification of common vulnerability patterns in Modern Web Apps:
  - CSRF
  - XSS
  - Access control flaws
  - NoSQL Injection, MongoDB attacks
  - SQL Injection
  - RCE
  - Crypto
  - Monitoring data: logs, insecure file storage, etc.
Part 3 - Test Your Skills
- CTF time
### Day 2: Advanced Modern Web App attacks ###
Part 0 - Advanced Attacks on Modern Web Apps
- Leaking data from memory at runtime
- Prototype Pollution Attack
- From deserialization to RCE
- Server Side Template Injection
- OAuth attacks
- JWT attacks
- Scenarios with CSP
- Scenarios with Angular.js
- Race conditions
- Sandbox related security
- Real world case studies
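As an added illustration of the "JavaScript prototypes" and "Prototype Pollution Attack" items in the outline above (this is example code written for this page, not material from the DEF CON listing or from the 7ASecurity course), the Node.js snippet below shows a deliberately vulnerable recursive merge of the kind found in many small "extend"/"merge" helpers, the classic `__proto__` JSON payload against it, and a hardened merge beside it. The settings endpoint, the `alice` user object and the payload are constructed for the demonstration and are assumptions, not anything the course describes.

```javascript
// Added example (not from the DEF CON training page or the 7ASecurity course material).
// Shows prototype pollution through a naive deep merge of user-controlled JSON in Node.js.

// VULNERABLE: recursive merge that walks every key of the source, including "__proto__".
// JSON.parse('{"__proto__": {...}}') creates an OWN property named "__proto__", so
// for...in visits it; reading target["__proto__"] then yields Object.prototype, and the
// recursion writes the attacker's keys onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (source[key] !== null && typeof source[key] === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain ("__proto__" directly,
// "constructor" -> "prototype" indirectly), iterate own keys only, and only descend
// into objects the target owns itself rather than inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: the JSON body a client could POST to a settings endpoint.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Simulates a request handler that merges the client's JSON into the user's settings and
// later checks an isAdmin flag that was never set on the user. The user object is a
// constructed sample (assumption for the demo). Cleans up Object.prototype afterwards so
// each call starts from an unpolluted process.
function simulateRequest(mergeFn, rawBody = PAYLOAD) {
  const user = { name: 'alice', settings: {} };
  mergeFn(user.settings, JSON.parse(rawBody));
  const result = {
    theme: user.settings.theme,
    userIsAdmin: user.isAdmin === true,          // resolved through the prototype chain
    everyObjectIsAdmin: ({}).isAdmin === true,   // pollution is global to the process
  };
  delete Object.prototype.isAdmin;
  return result;
}

function main() {
  console.log('unsafeMerge:', simulateRequest(unsafeMerge));
  console.log('safeMerge:  ', simulateRequest(safeMerge));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

A quick check when reviewing a codebase for this pattern is to grep for recursive merge/extend helpers and `for...in` loops over request-derived objects; the fix is any combination of blocking the three keys above, building targets with `Object.create(null)`, or freezing `Object.prototype`, with the first two being the least disruptive.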
Part 1 - Advanced Modern Web Apps CTF
- Challenges to practice advanced attacks
Difficulty Level:
Intermediate
Suggested Prerequisites:
This course has no prerequisites as it is designed to accommodate students with different skills:
- Advanced students will enjoy comprehensive labs, extra miles and CTF challenges
- Less experienced students complete what they can during the class, and can continue at their own pace from home using the training portal.
This said, the more you learn about the following ahead of the course, the more you will get out of the course:
- Linux command line basics
- Basic knowledge of Node.js or JavaScript is not required, but would help.
What Students Should Bring:
A laptop with the following specifications:
- Ability to connect to wireless and wired networks
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.
- Knowledge of the BIOS password, in case hardware virtualization (VT-x/AMD-V) is disabled
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- VirtualBox 6.0 or greater, including the "VirtualBox Extension Pack" (NOTE: VMware is also known to work)
Trainer(s) Bio:
After 17 years in IT security and 24 in IT, Abraham Aranguren is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. He is co-author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses and a security trainer at Black Hat USA, HITB, OWASP Global AppSec and many other events. He is the project leader of OWASP OWTF, an OWASP flagship project (owtf.org), and holds a Major degree and Diploma in Computer Science plus certifications including CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security and Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications.
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Principal Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 9 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.
Anirudh is an open source enthusiast and has contributed to several OWASP projects with notable contributions being in OWTF and Hackademic Challenges Project. He has presented/trained in a multitude of conferences including BlackHat US 2020, OWASP NZ 2021, HackFest CA 2021, c0c0n 2019, BlackHat Arsenal 2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.
Ashwin Shenoi is an avid application security enthusiast who currently works as a Senior Security Engineer at CRED and likes to break into applications and automate stuff. He is part of team bi0s, the top ranked CTF team according to CTFtime. He heads the Web Security team at team bi0s and is also the core challenge setter and organiser of the various editions of InCTF and the other CTFs organised by team bi0s. He has also presented talks at various security meet-ups and conferences including Black Hat Asia and Black Hat USA. He does a fair share of breaking into open source applications and services and has been awarded several CVEs for the same.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025; a $250 processing fee applies.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.