A Decade of Training

Friday, February 22, 2019

Training has been a significant part of my professional life since 2009. I've never written about my training pursuits, so as I march into my tenth year of training, fifth year of Practical Web Application Penetration Testing (PWAPT), and the first year of Practical Burp Suite Pro: Advanced Tactics (PBAT), I'd like to share a little about where I've been, where I'm at, and where I'm going, while specifically addressing my various courses.

I started my training career in 2009 organizing the "255S Course": the Army's attempt at building the ideal Cyber Defender. This came on the heels of being an Army Red Team leader for a couple years, so I was a good fit for the role. You know the saying, the best defense is knowing your opponent's offense. Well, I had the opportunity to work with Chris Gates (@carnal0wnage), Matt Graeber (@mattifestation) and Chris Campbell (@obscuresec) on the Army Red Team, so you could say I learned a thing or two about offense.

I made my first personal venture in the classroom putting together a small Python for Pentesters class for the 255S course. However, I needed a LOT of help with other topics such as digital forensics, incident handling/response, packet analysis, Windows/Linux security, etc. So I formed a relationship with SANS to help me fill those needs.

It was early in my relationship with SANS that I became friends with John Strand (@strandjs). John introduced me to the training industry and mentored me into becoming an instructor for SANS. It was with John at BHIS that I also began to focus exclusively on Web Application Security. Therefore, SANS SEC542 was a natural fit and that is where I enjoyed my first public classroom experiences.

Teaching SEC542 for SANS worked out great for several years, but I had no control over the content I was teaching at SANS, and there was so much more that I wanted to share. The only option that afforded me complete control over the content I was teaching was to branch off on my own. So that's what I did.

PWAPT was initially designed in 2015 as a follow-on for SANS SEC542. When I was teaching for SANS, I noticed a gap between where students were after SEC542 and where they needed to be to conduct successful web application penetration tests. While the basic vulnerability theory was there in SEC542, how to apply it was lacking. Therefore, with PWAPT I was less interested in the vulnerabilities and more interested in the process and tooling for bringing it all together to conduct a successful test. To support this effort, version 1 of PWAPT leveraged an old server-side PHP application with traditional vulnerabilities that didn't offer much for exploration outside of the OWASP Top 10. Since I wasn't focused on vulnerabilities, the target application provided a good foundation for this early version of the class.

Soon after I began teaching PWAPT, I realized the need to focus at least some effort on vulnerabilities. I was getting a lot of students that had never taken SANS SEC542 and were missing the fundamentals required for the original vision of PWAPT. Therefore, I began building version 2 of PWAPT alongside a modern web application that leveraged Python Flask. The application was named PwnedHub and was built as "a service for hosted vulnerability scanning." Using a server-side rendered MVC framework provided a more realistic experience for students and better replicated real world applications that students could expect to see during the majority of their engagements. While the core focus of the course remained on process and tooling, I began incorporating vulnerability theory. However, I didn't restrict myself to the OWASP Top 10. I immediately expanded the content to include things like Server-Side Template Injection (SSTI), Mass Assignment, Server-Side Request Forgery (SSRF), etc. but PwnedHub was limited to vulnerabilities specific to server-side rendered applications.

As Single Page Applications (SPA) became a prominent architectural design pattern, it became important to begin incorporating client-side rendering as a major component of the PwnedHub application and PWAPT course material. Version 3 of PWAPT saw PwnedHub offer several pages rendered as SPAs written in React. This provided an opportunity to explore vulnerabilities in client-side rendering and REST web services as well as the process and tooling for testing them. Topics such as DOM-based Cross-Site Scripting (D-XSS), the impact of mismatched content types, REST authentication mechanisms, and Cross-Origin Resource Sharing (CORS) were added to the course content. The SPA components were eventually rewritten in Vue.js, but the course material around testing SPAs remained the same. Version 3 of PWAPT also saw the transition from Burp Suite Pro v1 to v2 beta and the implementation of my proprietary training content management and delivery platform.

With version 4 of PWAPT (finished this week), the transition to Burp Suite Pro v2 beta continues and will likely include the full transition to the Burp Suite Pro v2 release in the coming months (hopefully). Version 4 also takes a special interest in business logic vulnerabilities. This required a complete redesign of the PwnedHub application, which is now "a consolidated bug bounty and hosted scanning platform." While PwnedHub still includes re-skinned and enhanced versions of previous functionality, it's main business purpose is the one-of-a-kind bug bounty system that crowd sources the bug validation phase of bug bounties in addition to the actual discovery. As you can imagine, this provides all kinds of opportunities to introduce true business logic issues. Students are going to thoroughly enjoy the challenge of what I have in store for them.

The last four paragraphs covered four years, during which PWAPT was my sole training effort. I maintained PWAPT pretty much on a daily basis, and that will continue. I believe in the purpose of PWAPT, and the over 600 people that have been trained by PWAPT up to this point can provide testimony to its value. I won't compromise that and you can expect a fresh experience if you come back and take the course every other year. Many have, and many still do. But I'm not stopping there. I created Practical Security Services (PractiSec) in late 2017 to offer training in a more official capacity. While that's been a whole 'nother experience that I won't cover here, I do want to be clear about my intent for the future. I intend for PractiSec to be a training first, consulting second, practice built on the backs of classes like PWAPT. There is a desperate need for affordable world-class training, and I want to help meet that need. Last year I announced a new course in PBAT, and more will follow as gaps and needs are identified. And while I am focused on web application security now, I won't rule out bringing in other subject matter experts to teach courses based on practical skills in other disciplines.

Specifically regarding PBAT, I mentioned last year that I hope to have it done by Spring of 2019. While I am still on track to meet that timeline, the first two places I've submitted to teach it rejected my Call-for-Training (CFT) submission. I am still holding out hope that the last year for DerbyCon will be the first presentation for PBAT, but I won't know for a few months. If you are interested in hosting a PBAT class, please see the training page for details or contact me directly. If you're wondering what PBAT is, that is also on the training page.

I have thoroughly enjoyed sharing my passion through training over the past ten years, and I'm excited about what the future holds for my training pursuits. If you've joined me for a class before, thank you for your support and I hope to see you again. If you haven't attended one of my courses, then I hope to see you at a future event now that you know a little more about the history of what you'll be receiving.

Like what you see? Join me for live training! See the Training page for more information.

Please share your thoughts, comments, and suggestions via Twitter.