Saturday, July 17, 2010

TRAINING: Web Testing & Exploiting Workshop

Bonsai once again brings the best current Web security training to ekoparty.

Check here for further information.

Web Testing & Exploiting Workshop

The Bonsai Web application security training teaches participants the different classes of Web vulnerabilities and how each of them can be identified, both manually and with automated tools. Each theoretical concept is followed by hands-on exercises in a laboratory designed specifically for the course.

Our training experience has helped us build what we consider the best Web application security course, one aimed at understanding the source code: for each subject a vulnerable code segment is presented. Attendees will learn to recognize vulnerabilities in code written in Java, PHP, ASP.NET, ASP, Ruby and Python.

The course was designed so that participants with varying skill levels can benefit as much as possible. The first hour reviews basic HTTP concepts and generic vulnerability discovery techniques; the difficulty then increases gradually until you can understand and identify more complex vulnerabilities. Information security professionals as well as Web application developers will benefit from this course.

To ensure the quality of the course, attendance is limited to eighteen participants, each with their own computer connected to the training laboratory.

- Transfer the knowledge, tools and techniques needed to understand the different types of existing Web vulnerabilities, so that attendees can identify security flaws on their own in the future.

- Understand vulnerabilities in theory and be able to identify them in practical laboratory examples.

- Apply, in a controlled environment and with a hands-on methodology, the tools used by professionals, such as w3af (created by the trainer), Burp and sqlmap.

All students will receive:
- A folder with the training slides
- A Live CD with the Web security tools used in the training
- A VMware image with the training environment
- A certificate of attendance

TRAINER: Nahuel Grisolía
Nahuel Grisolía is Project Manager of the penetration testing team at Bonsai Information Security. He currently works on intrusion testing projects involving Web applications and LAN/WAN networks. His main interests are secure development, Web application analysis, code review, GNU/Linux and Unix platforms, and electronic devices.

Nahuel has discovered many Web application security vulnerabilities in commercial products such as McAfee IronMail and ManageEngine ServiceDesk Plus, and in free software projects such as Achievo, Cacti, OSSIM and osTicket.

He is currently studying Ingeniería en Informática at UBA (Universidad de Buenos Aires) and holds the CEH certification from EC-Council.

TRAINER: Andrés Riancho
Andrés Riancho is an information security researcher and the founder of Bonsai Information Security. Besides managing Bonsai, he is involved in penetration testing and vulnerability research. He has discovered critical vulnerabilities in IPS appliances from 3Com and ISS, and has contributed to SAP security research for several other information security companies.

His main focus has always been Web application security. That focus led him to create a tool to automate the analysis of Web applications: w3af (Web Application Attack and Audit Framework), which he designed and developed and which is widely used by penetration testers and security consultants. Andrés has spoken at numerous security conferences around the world, including SecTor (Canada), FRHACK (France), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai in 2009 to continue his research on automated vulnerability detection and exploitation in Web applications, and to provide professional, high-quality services in a field, information security, that is still underdeveloped.


1. HTTP protocol introduction
. Requests and responses
. HTTP headers
. Secure Sockets Layer (SSL)

2. Generic concepts for secure Web application development
. Tainted variables
. Sensitive functions
. Validation functions

3. Types of analysis:
. Static code analysis, black-box testing and gray-box testing
. Definitions
. Detectable vulnerabilities
. Non-detectable vulnerabilities

4. Common configuration and development errors
. HTML comments and version strings
. Backup files
. Local databases
. HTML hidden fields
. Directory enumeration
. Directory indexing

5. Web application vulnerabilities
. Error and exception messages
. Path disclosure
. OS commanding
. Local file read
. Local file inclusion
. Path traversal and null bytes
. Remote file inclusion
. HTTP response splitting
. Uncommon attack vectors
. LDAP injection
. PHP preg_replace vulnerabilities
. SQL injection
. Blind SQL injection
. Cross-Site Scripting (XSS)
. Cross-Site Request Forgery / session riding

6. Privilege escalation in Web applications

7. Vulnerabilities in the application logic

8. Object-level authorization control

9. Web services security considerations

10. Web 2.0 application vulnerabilities
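Sections 2 and 3 of the outline (tainted variables, sensitive functions, validation functions, static code analysis) describe the source-to-sink model the course uses to find bugs in source code. The following is an added example, not course material from Bonsai or w3af: a toy taint tracker that applies that model to a handful of constructed PHP-style lines. The lists of sources, sinks and validators are assumptions chosen for the demonstration, and the analysis is deliberately line-based (one statement per line, no `.=`, no control flow) so the mechanism stays visible.

```python
"""Toy source-to-sink taint tracker for PHP-style code.

Added example (not part of the original course material). Request data (a
source) is tainted; taint propagates through assignments and string
concatenation; a call to a sensitive function (a sink) with a tainted
argument is reported unless the value went through a validation function.
The PHP lines in SAMPLE_PHP are constructed for this demo.
"""
import re

# Superglobals that carry attacker-controlled input (assumed source list).
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER"}

# Sensitive functions and the vulnerability class a tainted argument causes
# (assumed sink list; real analyzers carry hundreds of entries).
SINKS = {
    "system": "OS commanding",
    "exec": "OS commanding",
    "include": "file inclusion",
    "require": "file inclusion",
    "fopen": "local file read",
    "mysql_query": "SQL injection",
    "header": "HTTP response splitting",
}

# Validation functions: a value wrapped in one of these is treated as clean.
VALIDATORS = ("basename", "escapeshellarg", "htmlspecialchars", "intval",
              "mysql_real_escape_string")

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")   # $var = expr;
VAR_RE = re.compile(r"\$\w+")                            # $_GET['x'] -> $_GET
# validator(...) with no nested parentheses inside the call.
VALIDATOR_CALL_RE = re.compile(r"\b(?:%s)\s*\([^()]*\)" % "|".join(VALIDATORS))


def expr_is_tainted(expr, tainted):
    """True if expr references a source or a tainted variable outside a validator call."""
    cleaned = VALIDATOR_CALL_RE.sub("''", expr)   # validator(...) -> harmless literal
    return any(v in SOURCES or v in tainted for v in VAR_RE.findall(cleaned))


def call_args(line, func):
    """Return the text inside the balanced parentheses of func(...) in line, or None."""
    m = re.search(r"\b%s\s*\(" % re.escape(func), line)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start:i]
    return None


def analyze(php_lines):
    """Return [(line_no, sink, vulnerability_class)] for tainted sink calls."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_lines, 1):
        for func, vuln in SINKS.items():
            args = call_args(line, func)
            if args is not None and expr_is_tainted(args, tainted):
                findings.append((lineno, func, vuln))
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if expr_is_tainted(rhs, tainted):
                tainted.add(var)          # taint flows into the assigned variable
            else:
                tainted.discard(var)      # reassignment with clean data kills it
    return findings


# Constructed sample: the same three sinks, each once unvalidated and once validated.
SAMPLE_PHP = [
    "$host = $_GET['host'];",
    "system('ping -c 1 ' . $host);",                                  # 2: OS commanding
    "$safe_host = escapeshellarg($_GET['host']);",
    "system('ping -c 1 ' . $safe_host);",                             # clean
    "$id = intval($_POST['id']);",
    "$res = mysql_query('SELECT * FROM t WHERE id=' . $id);",         # clean
    "$name = $_POST['name'];",
    "$res = mysql_query(\"SELECT * FROM t WHERE name='\" . $name . \"'\");",  # 8: SQLi
    "include($_GET['page'] . '.php');",                               # 9: file inclusion
    "$page = basename($_GET['page']);",
    "include($page . '.php');",                                       # clean per model
]

if __name__ == "__main__":
    for lineno, func, vuln in analyze(SAMPLE_PHP):
        print("line %d: %s() reached with tainted data -> %s" % (lineno, func, vuln))
```

Running the block reports lines 2, 8 and 9. The model also shows why black-box and gray-box testing (section 3) stay necessary: the tracker only trusts the validator names it knows, so `basename()` on line 10 counts as clean even though it does nothing about a traversal into a sibling `.php` file, and the `.=` operator, branches and function boundaries are invisible to it.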
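Section 5 lists "Local file read" and "Path traversal and null bytes" among the vulnerabilities covered. As an added example, not the course's own lab code, the block below puts the naive join-the-parameter-to-a-directory pattern next to a validation function that confines the result to a base directory, and emulates the classic NUL-byte trick against an extension check. The base directory, the `.txt` whitelist and the request values are assumptions for the demo; `posixpath` is used instead of `os.path` so the result is the same on every platform.

```python
"""Local file read: naive path joining versus a validation function.

Added example (not from the original course material). Shows how '../'
sequences, an absolute path and an embedded NUL byte let a request parameter
reach a sensitive function (open) with a path outside the intended
directory, and a validation function that rejects all three.
"""
import posixpath

BASE_DIR = "/var/www/app/docs"   # assumed document root for the example


def naive_resolve(user_path):
    """The vulnerable pattern: trust the parameter and join it to the base."""
    # posixpath.join discards BASE_DIR entirely when user_path is absolute,
    # and normpath happily walks '..' out of the base.
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def inside_base(path):
    """commonpath, not startswith: '/var/www/app/docs2/x' must not pass."""
    return posixpath.commonpath([BASE_DIR, path]) == BASE_DIR


def validate_path(user_path):
    """Validation function: return a path confined to BASE_DIR or raise ValueError."""
    if "\x00" in user_path:
        # A NUL byte terminates the name in C-backed file APIs (historically
        # PHP, Perl), so 'x.txt\0.jpg' passes a '.jpg' check but opens 'x.txt'.
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute path not allowed")
    resolved = naive_resolve(user_path)
    if not inside_base(resolved):
        raise ValueError("path escapes base directory")
    if not resolved.endswith(".txt"):
        raise ValueError("only .txt files may be served")
    return resolved


def reject_reason(user_path):
    """None if the request would be served, otherwise the rejection reason."""
    try:
        validate_path(user_path)
        return None
    except ValueError as exc:
        return str(exc)


def nul_truncation_bypass(user_path, required_ext=".jpg"):
    """Emulate the NUL-byte trick: (extension check passes but C sees a
    different name, the name a C open() would actually use)."""
    passes_check = user_path.endswith(required_ext)
    c_view = user_path.split("\x00", 1)[0]
    return passes_check and c_view != user_path, c_view


if __name__ == "__main__":
    # Constructed request values a tester would try.
    for p in ["guide.txt", "../../../../etc/passwd", "/etc/passwd",
              "../docs2/x.txt", "guide.txt\x00.jpg"]:
        print(repr(p), "->", naive_resolve(p), "|", reject_reason(p) or "served")
```

The naive resolver maps `../../../../etc/passwd` and `/etc/passwd` to `/etc/passwd`; the validation function rejects both, plus the sibling-directory escape that a `startswith(BASE_DIR)` check would miss. On a modern Python the open() call itself refuses embedded NUL bytes, which is why the block emulates the truncation rather than performing it; the check in `validate_path` is still worth keeping in front of any backend that may not.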

