Day 2:
Discussed data source injection and programming best practices. Also discussed code revision and auditing policies.
Tips and tricks for safe SQL.
At the end we had a comprehensive test that came in three parts. The first part had two red herrings: 1) a bogus hidden form value and 2) a trick question, which was hacking the testing software itself to display the hardcoded userid and password. The second component was to do a SQL injection on a cookie value. Lastly, the third part was a Windows shell injection to 'deface' the page. This was all in a test environment, but still very cool.
I will post more details tomorrow.