Web Application Security
This is a three-day training. It takes place online on March 15 to 17, 2021.
Have you ever hacked a website? Have you ever stolen a database or executed unauthorized commands remotely on a server? Ever stolen a user account with JavaScript? But better, yet: Have you ever fixed security vulnerabilities? The great and fun hands-on experience on web application security is not only for beginners. Its a back-and-forth between attacking and protecting, discussing the quick-and-dirty fixes and comparing them to better architectural changes to prevent such mistakes in the future.
In this workshop you will learn how to fix and secure a horribly insecure classified ad application against the most common and severe attacks on web applications.
You’ll learn systematically about the most critical security vulnerabilities in web applications, you will get enough well guided hands-on experience in first finding a vulnerability, executing attacks, and finally fixing it once and for all. Step by step we’ll secure the application and you’ll see how easy it is to avoid critical mistakes. You’ll learn and understand concepts and principles, rather than a certain framework or language. Despite the fact that we’ll hack and protect a Java-Application, every concept is technology independent and can be directly transferred to .net, PHP, or other technologies. You don’t even have to know any Java to have fun and learn a lot in this workshop!
Agenda
-
Introduction to OWASP
-
SQL Injection
-
Authentication (including and beyond passwords)
-
Cracking and securing passwords
-
Securing your cookies from the cookie monster
-
TLS
-
Command Injection
-
Cross Site Scripting (XSS)
-
Insecure Deserialization
-
XML External Entity Attacks
-
Session Hijacking and Session Fixation
-
Input Validation vs. Output Escaping
-
Cross Site Request Forgery
-
Same Origin Policy
-
Security Headers (CSP, CORS, and many, many more)
-
Clickjacking
-
Tools (sqlmap, OWASP ZAP, …)
-
Authorization (Access Control)
Who should attend this training
This workshop is targeted mainly to Software Developers, Software Engineers, Software Architects, but also Project Managers, Software Team Leaders, Product Owners, etc. will benefit from this training. If you are a beginner in the security-world, you will get a great and comprehensive overview of web-application security. If you are an experienced secure developer, I guarantee you, you will still learn something new and get a lot of practical experience!
Prerequisites
You should be familiar with at least one programming language, and have at least a basic understanding of the terms http, HTML, browser, client, and server.
Requirements
Most of the training you will be actively hacking and securing a web application which comes as a convenient VirtualBox-Image (.ova). You’ll get a link to the VM at least one week before the training together with easy and detailed instructions on how to set this up. (VMware Workstation or VMware Player should also work, but you’ll know more about it than I do).