This training focuses on attacks so that the need for defence is better understood. OWASP project should be the bible of everyone dealing with WebApp development and security and OWASP ASVS (Application Security Verification Standard) is one of the golden standards of WebApp security testing. This training will cover all WebApp attack types and instills this knowledge with lot of hands-on exercises. With first-hand experience in those attacks, participants are better armed with understanding the attacks and why they are conducted.
Web Application security essentials (4 parts, 8 lectures with practical demos and exercises for each vulnerability, including complex attack scenarios):
- Client-Side attacks:
- Security, Information sources
- Client-Server communication, HTTP vs HTTPS, HTTP request methods
- User input and why it can not be trusted
- XSS (Cross-Site Scripting) – one of the most widespread, yet often trivialized vulnerabilities that in reality opens up many other vectors for combined attacks
- HTML and HTML injection
- URL and URL manipulation
- Cookies and cookie manipulation
- Session and session hijacking, session fixation
- Request forgery attacks (CSRF & OSRF) – goes together wonderfully with XSS
- UI Redress Attacks (ClickJacking, CursorJacking, TypeJacking)
- Using 3 rd party content
- Combined client side attacks – how some vulnerabilities give you complete control over a victim’s browser and a gateway into internal networks
- Server-Side attacks:
- Authentication, passwords and hashes
- Authorization vulnerabilities (lacking access controls)
- Business logic issues
- Google hacking
- Web server configuration and the file system
- Command injection
- File handling (file extensions, public folders, enumeration, metadata)
- File inclusion attacks (LFI, RFI, LFI2RCE)
- File upload
- XXE (XML eXternal Entity) attacks
- SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses
Target audience: WebApp developers, maintainers, web server or hosting providers/administrators, information security specialists and managers, testers
Learning methods: lectures, practical examples, hands-on exercise
Assesment methods: Execution of independent work.
Assesment form: Independent practical tasks on relevant topics.
More information read from here.