We offer web security training courses for primarily two target audiences: First, developers who want to learn about web application security, Single Sign-On, TLS, XML, and web service technologies. Second, penetration testers who want to get an in-depth knowledge about web security. Our discussed topics are both known, and also usually unknown attacks, along with their countermeasures. Furthermore, we go into detail regarding solutions to automate security tests.

Data transmitted across the Internet is often secured by TLS (the successor of SSL). Whether web, email, phone calls, chat, or VPN - there is hardly a type of communication which cannot be secured using TLS. Due to the critical environments TLS is used in successfull attacks can have severe impacts on the confidentiality and integrity of the affected systems and data. Therefore, it is important to properly implement and configure TLS when you rely on its protection.

There is a variety of attacks you need to address when securing your communication with TLS. Some attacks benefit from minor flaws in cryptographic or implementation details. This makes the attacks be complex to understand and hard to mitigate.

This training focuses on TLS attacks and aims to provide you specific tools for their detailed analyses. You will learn how to exploit specific attacks and prevent weaknesses in your TLS configuration. The training will address, among others, the following questions:

  • How does the TLS protocol work?
  • What are the known TLS attacks? How do they work? How can I write exploits for them?
  • How can I properly secure my systems? How can I defend against known attacks?
  • Does TLS 1.3 prevent all the attacks?

Training Contents:

  • Short introduction:
    • Cryptography
    • TLS protocol flow
    • Certificates
  • TLS attack analysis in detail (with TLS-Attacker):
    • Padding oracle attacks
    • Bleichenbacher's attack, ROBOT, DROWN
    • CRIME, BREACH
    • Heartbleed
    • Raccoon
    • ... and more
  • Defending against known TLS attacks
  • Review of your own server configuration with common tools

Requirements: This course is designed for two groups. First, for penetration testers, who want to learn how to exploit known TLS attacks. Second, for system administrators and developers, who want to learn how known TLS attacks affect their servers. You will learn how to securely configure your servers and how to check the server configuration with common tools. We assume that you have basic knowledge of cryptography and TLS.

For your participation all you need is a computer, as well as virtualization software for working on the practical exercises; we recommend VirtualBox. For optimal sound quality, we recommend using a headset.

Fixed dates for online training courses

In addition to the possibility of booking this training course individually for your team, it is possible to register for one of our fixed dates. The next date for this online training course is 22.06. - 25.06.2021.

Registration: Registration for the online training courses is via email to Prof. Dr. Juraj Somorovsky and is possible until Monday, 01.03.2021.

Overview:

  • Date: Tuesday, Wednesday, Thursday and Friday, 08.03. - 11.03.2021
  • Time: each day from 16:00 to 20:00 (UTC+1)
  • Duration: 4 days, 4 hrs. per day (incl. breaks)
  • Total price: 1.300€ plus VAT (per person)
  • Registration: by email to Prof. Dr. Juraj Somorovsky
  • Registration deadline: Monday, 01.03.2021
  • Note: We reserve the right to cancel the training course if there are less than 5 participants. A possible cancellation will be communicated at least one week before the training date.

The training course will be provided by M. Sc. Robert Merget and Prof. Dr. Juraj Somorovsky.

M. Sc. Robert Merget

Co-Trainer

M. Sc. Robert Merget


Prof. Dr. Juraj Somorovsky

Your Contact and Trainer for This Training

Prof. Dr. Juraj Somorovsky
juraj.somorovsky@hackmanit.de
+49 (0)234 / 54452661