Click here to register, you will be asked to choose your training during the second step (“Agenda“).

One day trainings

Android App Hacking – Internet Banking Edition – Aditya Modha
Bootstrap and improve your SDLC with OpenSAMM – Bart De Win
Building Secure Single Page Applications – Philippe De Ryck
Checking SSL/TLS in Practice – Achim Hoffmann

Two days trainings

Assessing and Exploiting Web Apps with SamuraiWTF – Justin Searle
Enterprise Business Application Security: Attack and Defense – Alexey Tuyrin and Dmitry Chastuhin
SOLD OUT Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil – Mario Heiderich
Hands on Web and REST Testing: Assessing Apps the OWASP way – Matt Tesauro
CANCELLED Javascript for Pentesters – Vivek Ramachandran
Ruby on Rails – Auditing & Exploiting the Popular Web Framework – Joern Schneeweisz
Secure Java Coding – Sebastien Deleersnyder and Steven Wierckx
Web Service and Single Sign-On Security – Christian Mainka and Juraj Somorovsky

Android App Hacking – Internet Banking Edition
Aditya Modha

Wednesday, May 20, 2015 9:00 AM – 5:00 PM (Central European Time)

Android App Hacking is a one day course on learning Android application security assessment based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around the dummy internet banking application which contains vulnerabilities that were observed by the trainer during his daily application security assessments. This dummy internet banking application has features such as adding a beneficiary account, fund transfer, view statements, OTP, Pin sign-in, etc. to provide attendees a real world application scenario.

Attendees will get familiar with following topics during the class:

  • Crash course on – Android application permission model, APK file architecture and – Setting up the emulator.
  • Reversing the APK file package
  • Investigating app permissions through manifest file
  • Understanding, patching and runtime debugging smali code
  • Importing SSL certificates and bypassing SSL pinning
  • Intercepting traffic and network activity monitoring
  • Exploring local data store
  • Analyzing system logs
  • Understanding components such as content provider, broadcast receiver and activity
  • Classification of vulnerabilities based on “OWASP Top 10 Mobile Risks”

Aditya Modha is a Senior Security Analyst at Lucideus Tech focused on web and mobile applications security assessment. Prior to joining Lucideus, he was a Principal Security Analyst at Net-Square solutions. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessment of more than 200 eb and mobile applications including core banking solutions and middleware applications. He blogs at
Aditya Modha was a trainer at the following international conferences: HITB, KL – Extreme Web Hacking Oct’ 2013 and HackCon, Oslo – Advanced Burp Suite Mar’ 2014.

↑ Back to top

Bootstrap and improve your SDLC with OpenSAMM
Bart De Win

Wednesday, May 20, 2015 9:00 AM – 5:00 PM (Central European Time)

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth.
Implementing software assurance can have a significant impact on the organisation. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that.
It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model.
The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained.
The different domains (governance, construction, verification, deployment), their activities and relations are explained.
Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organisation (or one that you have worked for).
We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organisation’s maturity with respect to software assurance.
In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
The final part of the training will be dedicated to specific questions or challenges that you are facing with respect to secure development in your organisation. In this group discussion, experience
between the different participants will be shared to address these questions.

In case you haven’t started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.
After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge.
If you want to contribute to this flagship project, stay and join us at the summit. More details on

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium. He has extensive project experience in software testing and in assisting companies improving their secure software development practices.
Bart is member of the OWASP Belgium Chapter board and he is a co-leader of the OpenSAMM Software Assurance Model. Bart is SABSA, Prince 2 and CSSLP certified.
↑ Back to top

Building Secure Single Page Applications
Philippe De Ryck

Wednesday, May 20, 2015 9:00 AM – 5:00 PM (Central European Time)

Single page web applications with a RESTful backend have profoundly changed the way web applications are developed, and are making their way onto mobile platforms as well. In this course, attendees will gain hands-on experience with the popular AngularJS framework. Throughout the course, we will use a realistic example application to discover the specifics of single page applications, potential security issues and effective countermeasures. Concretely, the course will cover the following topics:

  • Single page application architecture and basic concepts (templating, routing, controllers,…)
  • Authentication and authorization with a stateless RESTful backend
  • Applying well-known security practices in a single page application (XSS, CSRF,…)
  • Communication with third-party APIs and continuous updating information
  • Client-side data storage, offline operations and mobile applications

Attendees are expected to bring a laptop with VirtualBox installed to participate in the lab sessions.

Philippe De Ryck is a postdoctoral researcher with the iMinds-DistriNet research group at KU Leuven, Belgium, where he obtained his PhD on client-side web security. He has recently published a book titled Primer on Client-Side Web Security, which focuses on the state of practice and state of the art in client-side web security. Philippe is responsible for the web security modules in the secure software curriculum at the university, and is also an acclaimed trainer at industry events. His experience includes an extensive two-day training course at the European Space Agency (ESA), a BCCentre training day focused on law enforcement officers and the financial sector, and repeated participation in the renowned weeklong SecAppDev course.
↑ Back to top

Checking SSL/TLS in Practice
Achim Hoffmann

Wednesday, May 20, 2015 9:00 AM – 5:00 PM (Central European Time)

SSL/TLS as used today has more and more problems and it’s difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.
This training will give a brief introduction to SSL, how it works, what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 12 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops.
He is author, co-author and maintainer of various papers about web application security at BSI (Germany), OWASP and WASC. He also published some tools (EnDe,EMiR, ReDoS, O-Saft) which aim to make web application security more visible.Achim is owner of sic[!]sec GmbH, Germany, a company that provides information security services. Outside work he is German OWASP Board Member and helps maintaining OWASP’s mailing lists.

↑ Back to top

Assessing and Exploiting Web Apps with SamuraiWTF
Justin Searle

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

Come take the official Samurai-WTF (Web Testing Framework) training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will lead you through the process of testing and exploiting web applications, including client side attacks using flaws within the application. We will introduce you to the best open source tools currently available, and teach you how these tools integrate with the manual testing techniques. One of the major goals in this course is teaching you the glue that keeps all these techniques and tools together to successfully perform a pentest from beginning to end, which is overlooked in most web pentesting courses.

The majority of the course will be performing an instructor lead, hands-on penetration test. We don’t give you a list of overly simplistic steps to go and do in the corner. Instead, at each stage of the test we present the goals that each testing task is to accomplish and perform pentest along with you on the projector while you are doing it on your own machine. Primary emphasis of these instructor lead exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. At the end of course, you will be challenged with a capture the flag event to apply your new skills and knowledge. We will also send you home with several additional vulnerable web apps to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and  penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency  Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP4SG).   He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources  (NESCOR). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for  multiple universities, corporations, and security conferences.  Mr. Searle is currently a certified instructor for  the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top  international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co4leads  prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and  Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident  Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).
↑ Back to top

Enterprise Business Application Security: Attack and Defense
Alexey Tuyrin and Dmitry Chastuhin

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

This training will cover basic and advanced areas of ERP and Business Application security. You will understand the architecture of typical business application systems and how every single component of those systems can be penetrated. Course will include live demo and hands-on exercises covering business applications from vendors such as SAP, Oracle and Microsoft.

Current dependence of big businesses on Enterprise Business applications is greater than ever before. These enormous systems store and process all the companies’ critical data. Any information an attacker might want, be it a cybercriminal, industrial spy or a competitor, is stored here. This information includes financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and insider embezzlement is a reality today, and for an attacker what can be more effective than targeting victim’s Business application systems and inflicting severe a damage. These applications may be of different types like ERP, CRM, SRM, XI, BI, ESB and others. Some of them store data and some of them like Enterprise Service Bus are for transferring critical data.
Unfortunately, there exists minimal information about Security of those systems both about how to break them during penetration tests and about how to configure them securely. Most of public research was focused on SAP ERP applications, but we additionally will also cover other software such as Oracle PeopleSoft, Oracle EBS, Oracle JD Edwards, Microsoft Dynamics, etc.

Alexey Tuyrin – Head of Oracle Security at ERPScan
He holds a PHD in computer security. He is a director of Oracle Security department has a tremendous hands-on on experience in penetration testing projects on different business systems like ERPs, Banking software and Virtual infrastructure. Co-author of “SAP Security in figures 2011” research. He is a main developer ERPScan free tools like “ERPScan Pentesting tool” and “ERPScan XXE Scanner. Famous for his groundbreaking research of Oracle Peoplesoft applications security highlighted at BlackHat and HITB.

Dimitry Chastuhin — Director. Security Consulting at ERPScan
Dmitry is a Director of security consulting at ERPScan. He works upon SAP security, particularly upon Web applications and JAVA, HANA and Mobile solutions. He has official acknowledgements from SAP for the vulnerabilities found. Dmitry is also a WEB 2.0 and social network security geek and bug bounty who found several critical bugs in Google, Nokia, Badoo. He is a contributor to the EAS-SEC project. He spoke at the following conferences: BlackHat, Hack in the Box, DeepSec, and BruCON. Twitter: @_chipik

↑ Back to top

Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil
Dr.-Ing. Mario Heiderich

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)
Small Slide-Preview: PDF


More and more web applications delegate business logic to the client., JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there’s not GET parameters anymore that our scanner scan tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web-pentests are “so nineties” in this realm. And keeping up the pace with progress is getting harder and harder.

But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We’ll learn how to attack any web-application with either unknown legacy features – or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps – we have that covered.

Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private Github repo so all attendees will be receive updated material even months after the actual training. All attendees are granted perpetual access to updated slides and material.

Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Mario also recently watched “Sharknado” and believes it to be one of the greatest movies of all times. I mean come on! Sharknado? Really?
↑ Back to top

Hands on Web and REST Testing: Assessing Apps the OWASP way
Matt Tesauro

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

The training will teach students how to identify, test, and exploit web application and REST vulnerabilities. The creator and project lead of the OWASP WTE (formerly the OWASP Live CD) will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands on labs to sharpen their skills and reinforce what they’ve learned. Students will also receive a complimentary USB drive containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and includes topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and REST API testing. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he’s focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.
↑ Back to top

Javascript for Pentesters
Vivek Ramachandran

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)


Javascript for Pentesters (JFP) focuses on teaching the basics of Javscript and then moves on to its application in infosec such as Session and Form Hijacking, Keystroke Monitoring, Data Exfiltration, XSS (DOM, Stored, Reflected), Filter evasion etc.

A non-exhaustive list of topics to be covered includes:
Module 1: Language Basics (.5 Days)

  • Introduction and Hello World in JS
  • Variables in JS
  • Operators
  • Conditional Statements
  • Loops
  • Functions
  • Data Types
  • Enumerating Object Properties
  • Event Handlers
  • Cookies
  • Exception Handling
  • Forms Manipulation

Module 2: Application in Infosec (1.5 Days)

  • Cross Domain Policies and Restrictions
  • XMLHttpRequest Use and Restrictions
  • Cross Site Scripting (XSS)
  • Reflected XSS
  • Stored XSS
  • XSS Filters
  • Filter Evasion Techniques
  • Stealing Cookies
  • Social Engineering and Phishing
  • Modify HTML
  • Add, Remove HTML elements
  • Hijacking Form Submits
  • Hijacking Mouse Clicks
  • Hijacking Links
  • Keystroke Logging
  • Stealing from Auto-Complete
  • Data Fetching, Posting and Exfiltrating with XMLHttpRequest

Vivek Ramachandran is the founder and chief trainer at He discovered the Caffe Latte attack, broke WEP Cloaking (a WEP protection schema) in 2007 publicly at DEF CON, and conceptualized enterprise Wi-Fi Backdoors. He is also the author of the book, “Backtrack 5 Wireless Penetration Testing.” which has sold over 13,000+ copies worldwide. He runs SecurityTube Trainings and Pentester Academy – currently taken by InfoSec professionals in 90 countries. He also conducts in-person trainings in the US, Europe, and Asia. Vivek’s work on wireless security has been quoted in BBC Online, InfoWorld, MacWorld, The Register, IT World Canada, etc. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, DEF CON, Hacktivity, BruCON, ClubHack, SecurityByte, SecurityZone, Nullcon, C0C0n, etc.

↑ Back to top

Ruby on Rails – Auditing & Exploiting the Popular Web Framework
Joern Schneeweisz

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

Day 1

  • Introduction
  • Ruby crash course – Structured introduction into the Ruby language specifics. This section will set the necessary basis for the rest of the training.
  • Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.
  • Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.
  • The Rails Framework itself – In this section of the training, the participants will get an insight on the Rails framework itself, how it is designed and where to look for which feature implementation. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated.
  • Real-world Apps hands-on – Day 1 closes with a hands-on on various real world applications.

Day 2

  • Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails style and, of course, Rails specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation ranging from simple info leaks to a fully blown in-memory backdoor will be introduced to the participants.
  • Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails based challenges and use the skills learned the past two days.

This training is meant for:

  • Web App hackers – who want to audit/assess/break Ruby on Rails apps.
  • Professional Pentesters – who’d like to find more subtle issues on RoR assessments.
  • Ruby on Rails developers – who want to code more securely and get another point of view on RoR.
  • Everyone else – who is interested in RoR security and exploitation.

Objectives and Outcomes

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Required Skills

The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However some intermediate programming skills in any language are required. Additionally basic (web) application security skills are required for this training.

Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As findings bugs ~ 8hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. By that he can look back to almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself.
↑ Back to top

Secure Java Coding
Sebastien Deleersnyder and Steven Wierckx

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

Secure programming is the best defense against hackers. This multilayered hands-on course will demonstrate live real time hacking methods, analyze the code deficiency that enabled the attack and most importantly teach how to prevent such vulnerabilities by adopting secure coding best practices in order to bullet-proof your Java application.
The methodology of the cycle of knowledge is as follows: Understand, Identify, Prevent. This methodology presents the student with analytical tools to keep a deeper understanding of coding vulnerabilities and implement security countermeasures in different areas of the software development lifecycle. Using sound programming techniques and best practices shown in this course, you will be able to produce high-quality code that stands up to attack.
The course covers major security principles in the Java framework, programming vulnerabilities, and specific security issues in J2EE web applications and JNLP applications.
This course is aimed at Java developers or software architects. Before attending this course, students should be familiar with basic knowledge of Java, Web Applications, Databases & SQL language. The students should bring their own laptop to connect to the online lab environment.

Course topics
Securing Authentication Mechanisms

  • What is authentication
  • Password storage
  • Securing passwords
  • Brute force attacks
  • Anti-automation tips
  • Revealing to much information
  • Integrating Authentication

Securing Authorization Mechanisms

  • Client side authorization
  • Failure to Restrict URL Access
  • Insecure Direct Object Reference
  • File authorization
  • URL authorization

Performing Input Validation

  • Injection Flaws
  • OS Command Injection
  • SQL Injection
  • Parameterized queries
  • Stored procedures
  • XPATH Injection
  • LDAP Injection
  • Strong typing
  • Blacklist VS. Whitelist validation
  • Regular expressions (Regex)
  • LAB

Output encoding

  • Cross Site Scripting (XSS)
  • What is Encoding
  • Html Encode
  • Encoding With ESAPI
  • Other Encoding

Browser Manipulation

  • Cross Site Request Forgery (CSRF)
  • Open redirect
  • Clickjacking
  • Auto complete
  • Browser’s cache
  • Session management
  • LAB

File Handling

  • Directory traversal
  • Canonicalization
  • File extension handling
  • Directory listing

Data Confidentiality & Integrity

  • Insecure communication
  • Secure traffic enforcement
  • Insecure storage
  • Symmetric encryption
  • A-Symmetric encryption
  • Hash functions
  • Digital signatures
  • LAB

Error Handling & logging

  • Information disclosure
  • Custom error pages
  • logging technologies
  • Events you should log
  • Events you should not log
  • LAB

HTML5 Security

  • Introduction to HTML5
  • Client side storages
  • Offline web application
  • Same origin policy
  • Cross origin resource sharing
  • LAB

All chapters include: hands-on demonstrations and interactive questions.
The students should bring their own laptop.

Student package
The course students receive the following package as part of the course:

  • Preliminary exam: take preliminary exam (optional)
  • Access to student kit: View student kit
  • Access to course book (PDF): View course book in PDF format
  • Access Labs: Access labs and 8 hours of hands on labs per student
  • View Lab solutions: Following the completion of the lab session the trainer will enable students to view and review lab solutions
  • Manage own lab hours: Use lab VM when best for you to get the maximum out of the training
  • Access to final exam: When enabled by trainer the student may access his exam
  • Access to feedback form: When enabled by trainer the student may access the feedback form and share his/her thoughts about the training
  • Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Labs and Virtual Machines
As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge and the real world.
In order to minimize that gap we have developed a unique lab environment which is cloud based for our students to practice what we have preached and come in full contact with the issues they have studied Hands On.
Using this methodology for the hands on training we provide our students with a robust training experience and the tools to incorporate Secure Coding best practices in their daily work.
Each student will get access to a personal Virtual Machine which will come fully prepared for the student to just connect (via our Training Center) and start working on the lab assignments by writing real code.
The virtual machines will be used as an integral part of the training and as mentioned above, each registered student will receive access to a personal machine.

Sebastien Deleersnyder is Co-founder & managing partner application security at Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, co-project leader of the OpenSAMM project, served on the OWASP Foundation Board member (2007-2013) and performed several presentations and trainings on Web Application, Mobile and Web Services Security. Furthermore Sebastien co-organizes the yearly BruCON conference in Ghent (Belgium).

Steven Wierckx is application security expert and training at Steven is a software and security Tester with 15 years of experience in programming, training, security testing, source code review, test automation, functional and technical analysis, development and database design. Steven has a passion for web application security and writeq articles for several professional magazines with regards to that topic. He has spoken at the Belgium Testing Days with a tutorial on ‘BDD with Cucumber demystified’.

↑ Back to top

Web Service and Single Sign-On Security
Christian Mainka and Juraj Somorovsky

Tuesday, May 19, 2015 9:00 AM – Wednesday, May 20, 2015 5:00 PM (Central European Time)

Web Services and Single Sign-On belong to a group of most important Internet technologies. However, in recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.
In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM Datapower or Axway.

Christian Mainka is in his second PhD year at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to Web Services. Additionally to his scientific carrier he is a cofounder of 3curity GmbH and provides penetration tests in the area of XML and Web Services, with the help of WS-Attacker.

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security or OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and cryptographic attacks, and teaches different security relevant subjects. In parallel, he works as a security specialist for his co-founded company 3curity GmbH.

The training is dedicated to:

  • Developers who implement XML, Web Services and Single Sign-On. They learn the dangers that are combined with the usage of these standards and how to circumvent the resulting attacks.
  • Security researchers and penetration testers, who want to get familiar with XML, Web Services and Single Sign-On. In this course, you will get a good overview of the most relevant technologies in this complex area.


  • XML and SOAP-based Web Services
  • XML Parsing and DTD attacks (XXE)
  • XSLT
  • XML-specific Denial-of-Service
  • XML Signature
  • XML Encryption
  • Automatic Tests with WS-Attacker
  • REST-based Web Services
  • SAML-based Single-Sign On
  • OAuth

In most of the topics, the attendants will get the opportunity to execute practical attacks using soapUI, WS-Attacker, or a different application. We will of course discuss relevant countermeasures.

A laptop with a recent version of Virtual Box (we provide a virtual machine with a set of tools and Web Services needed in our training).

↑ Back to top

Click here to register, you will be asked to choose your training during the second step (“Agenda“).