نقص های تزریق از زمان های بسیار قدیم بر لیست آسیب پذیری برنامه های وب غالب بوده است. و با وجود کاهش رتبه OWASP از 1 به 3، آنها همچنان یکی از مخرب ترین آسیب پذیری های برنامه های وب هستند. سالها تلاشهایی برای ایمن کردن برنامهها در برابر حملات مرتبط، از چارچوبهای جدید گرفته تا تکنیکهای دفاعی جدید، انجام شده است. کارهای زیادی انجام شده است، اما آیا کافی است؟ این دوره شما را قادر میسازد تا در میان دهها hacklabs قدم بزنید و بیاموزید که چگونه – علیرغم تلاشهای دفاعی – نقصهای تزریق پابرجا هستند و اثرات شدیدی بر امنیت برنامهها دارند. این دوره عملی مملو از اطلاعات است و توسط تستکنندگان نفوذ حرفهای ارائه میشود که از سالها تجربه خود در هک وب به خوبی آگاه هستند و متوجه خواهید شد که چگونه حملات را با استفاده از نقص های پیچیده تزریق انجام دهید.
لینک دانلود دوره آموزشی BlackHat – Attacking Injection Flaws Masterclass – Edition 2022
حجم: 3.6 گیگابایت
دانلود – بخش اول
دانلود – بخش دوم
دانلود – بخش سوم
دانلود – بخش چهارم
Date: 2024
Price: $4,100
Publisher: BlackHat
Format: Video + Guide PDF + File Config
Website: Link
Injection flaws have dominated web application vulnerability lists since time immemorial. And despite OWASP reducing their ranking from 1 to 3, they are still one of the most devastating web application vulnerabilities. Efforts have been made for years to secure applications against related attacks, from new frameworks to new defensive techniques. A lot has been done, but is it enough? This course enables you to walk through dozens of hacklabs and learn how – despite defensive efforts – injection flaws persist, with drastic effects on application security.
Get into the attacker mindset for 2 days and deploy over 30 fresh and novel injection attacks via our state-of-the-art hacklabs. This practical course is packed with information and delivered by professional penetration testers, well-versed in web hacking from their years of experience in the wild. By the time you leave, you’ll understand how to deploy attacks using complex injection flaws.
This course will be delivered virtually.
Course highlights:
- 2 days of hands-on hacking, led by professional trainers experienced in real-world pentesting
- A focus on current, novel, and advanced exploitation techniques across web applications, APIs, cloud components, and other endpoints
- 30-day free access to the course lab after the class
Course details:
- Learning – 30% theory, 70% practical
- Real-world-led theory sessions + technical challenges followed by trainer-led walkthrough
- Includes a personal progress tracker to support learning at your own pace
- Access to a custom Kali Linux image, fully loaded with plugins, tools, and other features to help you identify and exploit vulnerabilities
- Designed for practical application and to support studies for accreditations
Course syllabus:
Lab set up and architecture overview
- Introduction to Burp Features
Structured Query Language (SQL) injection masterclass
- Second-order injection
- Out-of-band (OOB) exploitation
- SQLi through crypto
- OS code execution via PowerShell
- Advanced topics in SQli
- Advanced SQLMap usage and web application firewall (WAF) bypass
- Pentesting GraphQL
- Introspection-based attacks on GraphQL
- SQL injection via file metadata
Extensible Markup Language (XML) external entity (XXE) attack
- XXE Basics
- Advanced XXE exploitation over OOB channels
- XXE through Security Assertion Markup Language (SAML)
- XXE in file parsing/uploads
- XXE via XInclude
Remote Code Execution (RCE)
- Java serialisation attack
- Binary
- XML
- JSON
- SerialVersionUID mismatch
- .Net serialisation attack
- PHP serialisation attack
- Python serialisation attack
- Server-side template injection
- Ruby injection
- Analysing CVE-2021-25770
- Exploiting code injection over OOB channels
- Exploiting misconfigured code control systems
Server-Side Request Forgery (SSRF)
- SSRF to query internal network
- SSRF to exploit templates and extensions
- SSRF filter bypass techniques
- SSRF exploitation in AWS
- Examples from in the wild ( Case Studies )
Miscellaneous injections
- Host header validation bypass
- HTTP parameter pollution (HPP)
- Advanced SAML injection
- Attacking Log4j to achieve RCE (Log4Shell CVE-2021-44228)
- Examples from the Wild ( Case Studies )
با سلام،
ضمن خشته نباشید. دوستان عزیز این فایل مربوط به
Access to a custom Kali Linux image, fully loaded with plugins, tools, and other features to help you identify and exploit vulnerabilities
را باید از کجا دانلود کنیم؟
یا باید خود کالی را سفارشی سازی کنیم ؟
لطفا راهنمایی بفرمایید