Web Application Security is an eye-opening and practical security training for anyone involved with development, testing and upkeep of web applications on a daily basis.
Trainers will engage participants with lectures and practical examples followed by hands-on exercises. For each vulnerability and attack, the participants will be taken through the correct defensive method with additional insights into incorrect defensive methods and pitfalls that we often encounter in penetration tests. Our trainers provide unique insight into an attacker’s mindset by sharing stories and takeaways from years’ worth of penetration testing experiences. This helps to change the perspective and understanding of real life security threats as well as provide valuable information regarding how and why various attacks against web applications
NOTE the training days: 03-04 May & 10-11 May 2021
A total of 4 days of highly practical information heavily mixed with hands-on labs: two days of client-side attacks (attacks that incorporate the victim’s browser) and two days of server-side attacks (directly attacking the server
- Client-Side module (2 days):
- Security, Information sources
- Client-Server communication, HTTP vs HTTPS, HTTP request methods
- User input and why it can not be trusted
- XSS (Cross Site Scripting) – One of the most widespread, yet often trivialized vulnerabilities that in reality opens up many other vectors for combined attacks
- HTML and HTML injection
- URL and URL manipulation
- Cookies and cookie manipulation
- Sessions and session hijacking, session fixation
- Request forgery attacks (CSRF & OSRF) – goes together wonderfully with XSS
- UI Redress Attacks (ClickJacking, CursorJacking, TypeJacking)
- Using 3rd party content
- Combined client side attacks – how some vulnerabilities give you complete control
- Server-Side module (2 days):
- Authentication, passwords and hashes
- Authorization vulnerabilities (lacking access controls)
- Business logic issues
- Google hacking
- Web server configuration and the file system
- Command injection
- File handling (file extensions, public folders, enumeration, metadata)
- File inclusion attacks (LFI, RFI, LFI2RCE)
- File upload
- XXE (XML eXternal Entity) attacks
- SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses
Target audience: WebApp developers, testers, QA, maintainers, team leads, web server or hosting providers / administrators, information security specialists and managers, testers.
Learning methods: lectures, practical examples, hands-on exercise
Assesment methods: Execution of independent work.
Assesment form: Independent practical tasks on relevant topics.
More information read from here.