Web Application Security Basic

Learning objectives

Participants become aware of the OWASP TOP 10 vulnerabilities and the corresponding countermeasures. They can estimate the risks underlying each weakness and the effects these have on an application, the underlying system and the user. For each attack, such as SQL Injection, XSS, XSRF and Authorization Bypass, there is theoretical content as well as laboratory exercises. In addition, the capability for self-assessment and the essential foundations of HTTP/HTTPS are taught.

The exercises will be done on www.hacking-lab.com. Following the course, the lab environment is available to the participants for another month.

Demarcation: The course focuses on the web layer. Nessus, Nmap and vulnerability scanning are not covered in this course. In addition, the course is intended as the foundation for the Web Application Security Advanced seminar, which covers Web 2.0, HTML5, Advanced JavaScript, AngularJS, Cross-Domain access and authentication frameworks.

Highlights

  • Introduction to HTTP/S, cookies, sessions
  • Legal boundary conditions
  • OWASP TOP 10
  • Tool Introduction: HTTP/S recording and analysis
  • Authentication & Authorization Bypass
  • Session Handling
  • Stored/Reflected Cross-Site Scripting (XSS)
  • SQL Injection
  • Input & Output Validation
  • Web Application Firewall
  • Cross-Site Request Forgery (XSRF)
  • URL Redirection Attacks
  • Security Misconfiguration

Target group

  • Security Officers
  • Web Developers

Prerequisite

  • Familiarity with the Linux command line
  • Basic knowledge of the HTTP protocol
  • Fundamental knowledge of the components of a web application
  • Programming skills are an advantage
