Learning objectives
The participants are aware of the OWASP TOP 10 vulnerabilities and the according countermeasures. They can estimate what the risks are that underlie the respective weaknesses and what kind of effects these will have on an application, the underlying system and the user. For every attack like SQL Injection, XSS, XSRF and Authorization Bypass, there is theoretical content as well as laboratory exercises. In addition, the capability for self-assessment and the important foundations of HTTP/HTTPS are taught.
The exercises will be done on www.hacking-lab.com. Following the course, the lab environment is available to the participants for another month.
Demarcation: The course is focussed on the web layer. Nessus, Nmap and Vulnerability Scanning are not included in this course. In addition, the course is intended to be the foundation for the Web Application Security Advanced seminar, which covers the subjects of Web 2.0, HTML5, Advanced JavaScript, AngularJS, Cross-Domain access and authentication frameworks.
Highlights
- Introduction to HTTP/S, cookies, sessions
- Legal boundary conditions
- OWASP TOP 10
- Tool Introduction: HTTP/S recording and analysis
- Authentication & Authorization Bypass
- Session Handling
- Stored/Reflected Cross-Site Scripting (XSS)
- SQL Injection
- Input & Output Validation
- Web Application Firewall
- Cross-Site Request Forgery (XSRF)
- URL Redirection Attacks
- Security Misconfiguration
Target group
- Security Officers
- Web Developers
Prerequisite
- Familiarity with the Linux command line
- Basic knowledge of the HTTP protocol
- Fundamental knowledge of the components of a web application
- Programming skills are an advantage