Web Application Security

Have you ever hacked a website? Have you ever stolen a database or executed unauthorized commands remotely on a server? Ever stolen a user account with JavaScript? But better, yet: Have you ever fixed security vulnerabilities? The great and fun hands-on experience on web application security is not only for beginners. Its a back-and-forth between attacking and protecting, discussing the quick-and-dirty fixes and comparing them to better architectural changes to prevent such mistakes in the future.

In this workshop you will learn how to fix and secure a horribly insecure classified ad application against the most common and severe attacks on web applications.

You’ll learn systematically about the most critical security vulnerabilities in web applications, you will get enough well guided hands-on experience in first finding a vulnerability, executing attacks, and finally fixing it once and for all. Step by step we’ll secure the application and you’ll see how easy it is to avoid critical mistakes. You’ll learn and understand concepts and principles, rather than a certain framework or language. Despite the fact that we’ll hack and protect a Java-Application, every concept is technology independent and can be directly transferred to .net, PHP, or other technologies. You don’t even have to know any Java to have fun and learn a lot in this workshop!


  • Introduction to OWASP
  • SQL Injection
  • Authentication (including and beyond passwords)
  • Cracking and securing passwords
  • Securing your cookies from the cookie monster
  • TLS
  • Command Injection
  • Cross Site Scripting (XSS)
  • Insecure Deserialization
  • XML External Entity Attacks
  • Session Hijacking and Session Fixation
  • Input Validation vs. Output Escaping
  • Cross Site Request Forgery
  • Same Origin Policy
  • Security Headers (CSP, CORS, and many, many more)
  • Clickjacking
  • Tools (sqlmap, OWASP ZAP, …)
  • Authorization (Access Control)


You should be familiar with at least one programming language, and have at least a basic understanding of the terms http, HTML, browser, client, and server.


You’ll need your own laptop with administrative privileges, including pre-installed VirtualBox (VMware Workstation or VMware Player should also work, but you’ll know more about it than I do).

About the Speaker