Learning objectives

The participants will expand their basic knowledge of web application security topics. They gain an understanding of the additional risks of modern web technologies, the meaning of the Same Origin Policy and also Cross Domain subjects. In addition, the participants will have a closer look at some of the modern authorization and authentication frameworks, which are used nowadays to build single-sign-on solutions.

The exercises will be done on www.hacking-lab.com. Following the course, the lab environment is available to the participants for another monthups.

Demarcation: The course is focussed on the web layer. Nessus, Nmap and Vulnerability Scanning are not included in this course. In addition, the course is the continuation of the foundation course, "Web Application Security Basic".


  • XML Injection Attacks
  • Java Deserialization
  • JSON Hijacking
  • Same Origin Policy
  • Cross-Origin Resource Sharing (CORS)
  • Advanced SQL Injection
  • Web Entry Server & Web Application Firewall
  • HTML5 Attacks
  • AngularJS Security & Best Practices
  • SAML Attacks
  • JOSE (JSON Object Signing and Encryption)
  • OAuth
  • OpenID Connect

                                Target group

                                • Security Officers
                                • Web developers
                                • Graduates of the "Web Application Security Basic” seminar


                                • Familiarity with the Linux command line
                                • Knowledge of the HTTP protocol
                                • Knowledge of the various components of a modern web application
                                • JavaScript, GET/POST, XML, JSON are familiar concepts
                                • Knowledge from the "Web Application Security Basic” seminar


                                      Cyber Risks – from abstract risk to everyday reality

                                      The Europa Institut at the University of Zurich (EIZ) is one of the leading centres of expertise for European Law and is an important provider of... Read more

                                      Swiss Treasury Summit 2019

                                      Das Schweizer Jahrestreffen der Treasurer - am 11. September 2019 an der HSLU in Rotkreuz. Read more

                                      Cyber Security Days an der HSR

                                      Das INS Institut für vernetzte Systeme und die Compass Security laden ein zur zweitägigen Cyber Security Veranstaltung an der HSR Hochschule für... Read more

                                      ALL DATES


                                      Eine gelungene Feier zum 20-Jahre-Jubiläum

                                      Compass Security lud am 07. Juni 2019 aktuelle und ehemalige Mitarbeitende, Kunden, Partner und Freunde ein, um ihr 20-jähriges Bestehen zu feiern.... Read more

                                      Butcher Wechsler and the Hackers

                                      The latest magazine of "Die Mobliliar" focusses on artificial intelligence as well as digitalization - and take a look at cyber crime. Read more

                                      Hack2improve - a success story

                                      The Furtwangen University of Applied Sciences offered a hacking workshop for the first time in 2008. What was a novelty at that time is now firmly... Read more


                                      Compass Security Blog

                                      From Open Wi-Fi to WPA3

                                      Security in Wi-Fi networks has been, at some point non-existent, then questioned, improved and questioned again over the last two decades. This post provides an overview over the latest developments... mehr

                                      Practical OpenID Connect Pentesting

                                      This post is intended to explain what you typically want to check for during an OpenID Connect assessment and also provide you with a guide to setup your own OpenID Connect test environment. mehr

                                      ZUM BLOG