Web Application Security

This is a three-day training. It takes place online from March 15 to 17, 2021.

Have you ever hacked a website? Have you ever stolen a database or executed unauthorized commands remotely on a server? Ever stolen a user account with JavaScript? But better yet: have you ever fixed security vulnerabilities? This great and fun hands-on experience in web application security is not only for beginners. It's a back-and-forth between attacking and protecting, discussing the quick-and-dirty fixes and comparing them to better architectural changes that prevent such mistakes in the future.

In this workshop you will learn how to fix and secure a horribly insecure classified ad application against the most common and severe attacks on web applications.

You’ll learn systematically about the most critical security vulnerabilities in web applications, and you will get plenty of well-guided hands-on experience in first finding a vulnerability, then executing attacks against it, and finally fixing it once and for all. Step by step we’ll secure the application, and you’ll see how easy it is to avoid critical mistakes. You’ll learn and understand concepts and principles rather than a particular framework or language. Although we’ll hack and protect a Java application, every concept is technology independent and can be transferred directly to .NET, PHP, or other technologies. You don’t even have to know any Java to have fun and learn a lot in this workshop!

Agenda

  • Introduction to OWASP

  • SQL Injection

  • Authentication (including and beyond passwords)

  • Cracking and securing passwords

  • Securing your cookies from the cookie monster

  • TLS

  • Command Injection

  • Cross Site Scripting (XSS)

  • Insecure Deserialization

  • XML External Entity Attacks

  • Session Hijacking and Session Fixation

  • Input Validation vs. Output Escaping

  • Cross Site Request Forgery

  • Same Origin Policy

  • Security Headers (CSP, CORS, and many, many more)

  • Clickjacking

  • Tools (sqlmap, OWASP ZAP, …)

  • Authorization (Access Control)

Who should attend this training

This workshop is targeted mainly at Software Developers, Software Engineers, and Software Architects, but Project Managers, Software Team Leaders, Product Owners, etc. will also benefit from this training. If you are a beginner in the security world, you will get a great and comprehensive overview of web application security. If you are an experienced secure developer, I guarantee you will still learn something new and get a lot of practical experience!

Prerequisites

You should be familiar with at least one programming language and have at least a basic understanding of the terms HTTP, HTML, browser, client, and server.

Requirements

For most of the training you will be actively hacking and securing a web application, which comes as a convenient VirtualBox image (.ova). You’ll get a link to the VM at least one week before the training, together with easy and detailed instructions on how to set it up. (VMware Workstation or VMware Player should also work, but you’ll know more about that than I do.)

About the Speaker