WEEK 3: Attack the Weakling

June 10, 2016

Thinking like an attacker is the crux of DevSecOps. During this session, we will put on our hoodies and go after vulnerabilities in our web application.

OBJECTIVES

During Week 3, we'll accomplish the following objectives:

  • Understand AWS multi-tiered cloud architecture
  • Deploy a vulnerable application (e.g. RailsGoat) on AWS
  • Understand some hacking techniques, such as SQL injection, command injection and authentication bypass

LESSON 1: Basics for AWS

Knowing how to use AWS will help you with today's labs because it is where we will study the security defects of our weak app. This lesson is a quick introduction to some of the basics to set the stage for this week's labs.

LESSON 2: Intro to AWS Deployments

Now that we know a few basics, it's time to get hands-on deploying an application to AWS for our lab work. In this lesson we will work on understanding control-plane and role-assumption (assumer) concepts, so that you can keep user access separate from the resources used in an account.
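One concrete form of the separation this lesson describes is a cross-account role: people hold IAM users in an identity account, and the account that holds the lab resources exposes a role whose trust policy lets those users assume it. The trust policy below is an added example for this page, not part of the course's own AWS setup; the account IDs 111111111111 (identity account) and 222222222222 (resource account) are placeholders, and the MFA condition is an assumption about how one would want to harden the assumer.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LetIdentityAccountAssumeLabRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

This document is attached to the role in account 222222222222 as its trust (assume-role) policy. A user in 111111111111 still needs an identity policy granting sts:AssumeRole on that role's ARN; the permissions the user gets once assumed come from the role's own policies in the resource account, which is what keeps the user's credentials and the resources in separate accounts.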

LESSON 3: Attack the Weakling

During Lesson 3, we will use RailsGoat to exploit web application defects. The labs for this session will help you get familiar with Burp Suite and some fuzzing techniques.
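Two of the defect classes named in this week's objectives, SQL injection and command injection, come down to the same mistake: untrusted input is pasted into text that another interpreter (the database, the shell) will parse. The Ruby below is an added example written for this page, not RailsGoat's own code; it models the vulnerable pattern beside its hardened form in plain Ruby so it runs without Rails or a database. The payloads are constructed, and `echo` stands in for a real network tool so the command-injection part is harmless.

```ruby
require "open3"

# Added example (not RailsGoat code). Shows the vulnerable and hardened form of
# two defect classes the labs attack, using constructed attacker payloads.

# SQL injection, vulnerable form: the attacker-controlled value becomes part of
# the SQL text, so a quote character changes the query's structure. This is the
# shape of User.where("id = '#{params[:id]}'") in a Rails controller.
def vulnerable_user_query(user_id)
  "SELECT * FROM users WHERE id = '#{user_id}'"
end

# Hardened form: the SQL text is constant and the value travels as a bind
# parameter, as ActiveRecord's where("id = ?", id) does. Returns [sql, binds];
# the database driver, not string concatenation, supplies the value.
def safe_user_query(user_id)
  ["SELECT * FROM users WHERE id = ?", [user_id]]
end

# Crude structural check of the kind a fuzzing harness can apply to the built
# query text: one quoted literal leaves exactly two quote characters and no
# boolean operator outside it. Any deviation means the payload reshaped the query.
def injected?(sql)
  sql.count("'") != 2 || sql.match?(/\bOR\b/i)
end

# Command injection, vulnerable form: a single string is handed to /bin/sh, so a
# ';' in the input starts a second command. (echo replaces a lookup tool here.)
def vulnerable_echo(host)
  out, _status = Open3.capture2("echo #{host}")
  out
end

# Hardened form: argv array. No shell parses it, so the whole input reaches
# echo as one literal argument and ';' has no special meaning.
def safe_echo(host)
  out, _status = Open3.capture2("echo", host)
  out
end

if __FILE__ == $PROGRAM_NAME
  sql_payload = "1' OR '1'='1"
  puts vulnerable_user_query(sql_payload)   # tautology reshapes the WHERE clause
  p   safe_user_query(sql_payload)          # payload stays inert as a bind value
  cmd_payload = "8.8.8.8; echo INJECTED"
  puts vulnerable_echo(cmd_payload)         # second line shows the injected command ran
  puts safe_echo(cmd_payload)               # payload echoed back literally
end
```

When you fuzz the real application in Burp Suite, the same idea applies: send payloads that would change the structure of the query or command line, and look for responses (errors, extra rows, unexpected output) that show the interpreter on the other side parsed your input as syntax rather than as data.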

RESOURCES