Learning objectives

Participants will know the OWASP Top 10 vulnerabilities and the corresponding countermeasures. They can assess the risk behind each weakness and the impact it has on the application, the underlying system and the user. Each attack class, such as SQL Injection, XSS, XSRF and Authorization Bypass, is covered by theory as well as laboratory exercises. In addition, the course teaches self-assessment skills and the essential foundations of HTTP/HTTPS.

The exercises are done on www.hacking-lab.com. After the course, the lab environment remains available to participants for one further month.

Scope: The course focuses on the web layer. Nessus, Nmap and vulnerability scanning are not covered. The course is intended as the foundation for the Web Application Security Advanced seminar, which covers Web 2.0, HTML5, advanced JavaScript, AngularJS, cross-domain access and authentication frameworks.

Highlights 

  • Introduction to HTTP/S, cookies, sessions
  • Legal boundary conditions
  • OWASP TOP 10
  • Tool Introduction: HTTP/S recording and analysis
  • Authentication & Authorization Bypass
  • Session Handling
  • Stored/Reflected Cross-Site Scripting (XSS)
  • SQL Injection
  • Input & Output Validation
  • Web Application Firewall
  • Cross-Site Request Forgery (XSRF)
  • URL Redirection Attacks
  • Security Misconfiguration

Target group

  • Security Officers
  • Web Developers

Prerequisites

  • Familiarity with the Linux command line
  • Basic knowledge of the HTTP protocol
  • Fundamental knowledge of the components of a web application
  • Programming skills are an advantage
