Online
Classroom

Web Security OWASP 2017 for Developers

Part of our web Courses

1 day


Course Overview

From OWASP Top 10: "The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. "

This course leads you through these vulnerabilities and common protection and best practices for the various attack vectors.

The hands-on during the course consist of attacking a website.

Among other tools you will be using the OWASP Zed Attack Proxy

Course Prerequisites

This course is geared towards developers, but can also be attended by other roles. Basic knowledge of Web Development is required (html, javascript, xml)

Outline

Introduction

  • Introduction to web security terminology
  • Explanation of same origin
  • Explanation of CORS
  • Introduction to OWASP
  • Introduction to OWASP Top 10 2017
  • Differences with Top 10 2013

OWASP Top Ten 2017

  • 1. Injection (sql, jpql, ldap, …)
  • Discover Various types for SQL Injection (tautology, union, stacked)
  • Discuss protection against injections
  • Understand obfuscation
  • 2. Broken Authentication
  • Discuss attack vectors (known passwords, dictionary words)
  • How attackers can find valid usernames
  • Discuss credential stuffing
  • Discuss session fixation
  • Best practices for session ids
  • 3. Sensitive Data Exposure
  • Hashing and rainbow tables
  • Discuss bcrypt
  • 4 XML External Entities (XXE)
  • Understand XML Entities
  • Attack vectors with XML Entities
  • Remote code execution (java)
  • Server Side Request Forgery SSRF
  • 5 Broken Access Control
  • Discuss various attack vectors
  • Discuss protection
  • Discuss CORS misconfiguration
  • 6 Security Misconfiguration
  • Discuss common misconfigurations
  • Discuss various HTTP Security Headers
  • 7 Cross-Site Scripting (XSS)
  • Discuss stored and reflected XSS
  • Session/Account Stealing with XSS
  • Key loggers with XSS
  • Discuss XSS protection (whitelist, blacklist)
  • Using security headers
  • 8 Insecure Deserialization
  • Understand the process of marshalling/unmarshalling
  • Discuss vulnerabilities and prevention
  • Remote code execution with Java Serialisation
  • 9 Using Components with Known Vulnerabilities
  • Discuss known vulnerabilities
  • Using tools such as nsp, dependency-check and retire.js
  • 10 Insufficient Logging & Monitoring

Other vulnerabilities

  • Cross-Site Request Forgery CSRF
  • CSRF protection with XSRF tokens

Public Events

Currently we have no public courses planned for Web Security OWASP 2017 for Developers

Private Events

Do you have a team that needs a Web Security OWASP 2017 for Developers course?

Contact Us

Send us a message

This Web Security OWASP 2017 for Developers course looks very interesting, I do however have a question