Learning objectives

The participants will expand their basic knowledge of web application security topics. They will gain an understanding of the additional risks of modern web technologies, the meaning of the Same Origin Policy, and cross-domain topics. In addition, the participants will take a closer look at some of the modern authorization and authentication frameworks that are used today to build single sign-on solutions.

The exercises will be done on www.hacking-lab.com. Following the course, the lab environment remains available to the participants for another month.

Demarcation: The course is focused on the web layer. Nessus, Nmap and vulnerability scanning are not included in this course. The course is the continuation of the foundation course "Web Application Security Basic".

Highlights

  • XML Injection Attacks
  • Java Deserialization
  • JSON Hijacking
  • Same Origin Policy
  • Cross-Origin Resource Sharing (CORS)
  • Advanced SQL Injection
  • Web Entry Server & Web Application Firewall
  • HTML5 Attacks
  • AngularJS Security & Best Practices
  • SAML Attacks
  • JOSE (JSON Object Signing and Encryption)
  • OAuth
  • OpenID Connect

Target group

  • Security Officers
  • Web developers
  • Graduates of the "Web Application Security Basic" seminar

Prerequisite

  • Familiarity with the Linux command line
  • Knowledge of the HTTP protocol
  • Knowledge of the various components of a modern web application
  • JavaScript, GET/POST, XML, JSON are familiar concepts
  • Knowledge from the "Web Application Security Basic" seminar
