This training focuses on attacks so that the need for defence is better understood. The OWASP project should be required reading for everyone involved in web application development and security, and the OWASP ASVS (Application Security Verification Standard) is one of the reference standards for web application security testing. The training covers the major classes of web application attack and reinforces the material with many hands-on exercises. First-hand experience of these attacks leaves participants better equipped to understand how they work and why they are carried out.
NOTE the training dates: 12th – 13th February and 19th – 20th February 2020
- Client-side attacks:
  - Introduction, client-server systems
  - OWASP (Top 10, ASVS)
  - Input data
  - GET vs POST
  - HTTP vs HTTPS
  - Controlling the thick client (Java applet, Flash, etc.)
  - XSS (Cross-Site Scripting)
  - Session security, cookies, session hijacking
  - OSRF/CSRF (On-Site and Cross-Site Request Forgery)
  - UI redress attacks (including clickjacking and cursorjacking)
  - Combined client-side attacks
- Server-side attacks:
  - Password security, cryptography, brute-force and dictionary attacks, sensitive data
  - Authentication and authorization errors, "remember me" features
  - Business logic implementation errors
  - Insecure Direct Object References
  - SQL injection
  - Code and command injection
  - Protecting source code and directory structure, uploaded attack code, configuration
  - File handling (file extensions, public folders, execution, enumeration and guessing, metadata)
  - File inclusion (LFI, RFI, RCE, null-byte injection)
  - File upload
  - Other file injection vectors (log file poisoning)
  - Configuration (Java/PHP, error messages (what to show and what to log), Apache, file permissions)
  - Google hacking
Participants will have their assumptions challenged, get a healthy dose of paranoia and will start to fear user input. In other words, they will learn the security basics needed to produce better software.
Participants will receive a certificate of completion for this 32-hour hands-on course covering web application attacks, vulnerabilities and defence.
Target audience: web application developers, maintainers, web server or hosting providers/administrators, information security specialists and managers, testers
Learning methods: lectures, practical examples, hands-on exercises
Assessment methods: completion of independent work. All participants will receive a certificate.
Assessment form: independent practical tasks on the relevant topics.