Learning objectives

The participants are aware of the OWASP TOP 10 vulnerabilities and the corresponding countermeasures. They can estimate the risks that underlie the respective weaknesses and the effects these will have on an application, the underlying system and the user. For every attack, such as SQL Injection, XSS, XSRF and Authorization Bypass, there is theoretical content as well as laboratory exercises. In addition, the capability for self-assessment and the important foundations of HTTP/HTTPS are taught.

The exercises will be done on www.hacking-lab.com. Following the course, the lab environment remains available to the participants for another month.

Demarcation: The course is focused on the web layer. Nessus, Nmap and vulnerability scanning are not included in this course. In addition, the course is intended to be the foundation for the Web Application Security Advanced seminar, which covers the subjects of Web 2.0, HTML5, advanced JavaScript, AngularJS, cross-domain access and authentication frameworks.

Highlights

  • Introduction to HTTP/S, cookies, sessions
  • Legal boundary conditions
  • OWASP TOP 10
  • Tool Introduction: HTTP/S recording and analysis
  • Authentication & Authorization Bypass
  • Session Handling
  • Stored/Reflected Cross-Site Scripting (XSS)
  • SQL Injection
  • Input & Output Validation
  • Web Application Firewall
  • Cross-Site Request Forgery (XSRF)
  • URL Redirection Attacks
  • Security Misconfiguration

Target group

  • Security Officers
  • Web Developers

Prerequisites

  • Familiarity with the Linux command line
  • Basic knowledge of the HTTP protocol
  • Fundamental knowledge of the components of a web application
  • Programming skills are an advantage
