Web Security OWASP 2017 for Web Developers

Duration: 1 day

From the OWASP Top 10: "The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications."

This course leads you through these vulnerabilities and the common protections and best practices for the various attack vectors.

The hands-on exercises during the course consist of attacking a website.

Among other tools, you will be using the OWASP Zed Attack Proxy (ZAP).

January 2018 update note: we have updated this course to the OWASP Top 10 2017 version.

This course is geared towards developers, but can also be attended by other roles. Basic knowledge of web development is required (HTML, JavaScript, XML).

Please find the course objectives below:

Introduction

  • Introduction to web security terminology
  • Explanation of the same-origin policy
  • Explanation of CORS
  • Introduction to OWASP
  • Introduction to OWASP Top 10 2017
  • Differences from the Top 10 2013

OWASP Top Ten 2017

  • 1. Injection (SQL, JPQL, LDAP, …)
    • Discover the various types of SQL injection (tautology, union, stacked)
    • Discuss protection against injection
    • Understand obfuscation
  • 2. Broken Authentication
    • Discuss attack vectors (known passwords, dictionary words)
    • How attackers find valid usernames
    • Discuss credential stuffing
    • Discuss session fixation
    • Best practices for session IDs
  • 3. Sensitive Data Exposure
    • Hashing and rainbow tables
    • Discuss bcrypt
  • 4. XML External Entities (XXE)
    • Understand XML entities
    • Attack vectors with XML entities
    • Remote code execution (Java)
    • Server-Side Request Forgery (SSRF)
  • 5. Broken Access Control
    • Discuss various attack vectors
    • Discuss protection
    • Discuss CORS misconfiguration
  • 6. Security Misconfiguration
    • Discuss common misconfigurations
    • Discuss the various HTTP security headers
  • 7. Cross-Site Scripting (XSS)
    • Discuss stored and reflected XSS
    • Session/account stealing with XSS
    • Keyloggers with XSS
    • Discuss XSS protection (whitelist, blacklist)
    • Using security headers
  • 8. Insecure Deserialization
    • Understand the process of marshalling/unmarshalling
    • Discuss vulnerabilities and prevention
    • Remote code execution with Java serialisation
  • 9. Using Components with Known Vulnerabilities
    • Discuss known vulnerabilities
    • Using tools such as nsp, dependency-check and retire.js
  • 10. Insufficient Logging & Monitoring
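The three SQL injection classes named under item 1 (tautology, union, stacked), shown against a login query built by string formatting and next to the parameterised query that defeats all three. This is an added example, not course material: the schema, the two user rows and the payloads are constructed for the demo, and the stacked case is run through sqlite3's executescript() purely to mimic a driver that accepts several ';'-separated statements in one call (sqlite3's own execute() refuses that).

```python
"""SQL injection (tautology, UNION, stacked) against a string-built query,
beside the parameterised query that defeats it. Added example; the schema,
users and payloads are constructed for this demonstration."""
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse', 'admin');
        INSERT INTO users VALUES (2, 'bob',   'hunter2',       'user');
        """
    )
    return conn


def build_login_sql(username, password):
    """The bug: user-controlled text is spliced straight into the SQL."""
    return (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """Runs the string-built query; quotes and comments in the input become SQL."""
    return conn.execute(build_login_sql(username, password)).fetchall()


def login_vulnerable_stacked(conn, username, password):
    """Same string-built query, but executed via executescript() to simulate a
    driver/configuration that allows multiple statements per call (assumption
    for the demo: sqlite3.execute() itself rejects stacked statements)."""
    conn.executescript(build_login_sql(username, password))  # SELECT rows discarded; side effects stay


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes, comments and semicolons in the input are just characters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def role_of(conn, username):
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


# Constructed payloads for the three injection classes.
TAUTOLOGY = "' OR '1'='1"      # WHERE ... OR '1'='1' is true for every row
COMMENT_OUT = "alice' --"       # pick a user; '--' comments the password check away
UNION = "' UNION SELECT password, username FROM users --"  # read another column
# Stacked: second statement runs after the SELECT; the trailing "password = '"
# re-opens the string so the rest of the original query still parses.
STACKED = "x'; UPDATE users SET role = 'admin' WHERE username = 'bob' OR password = '"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))       # [('alice', 'admin')]
    print(len(login_vulnerable(db, TAUTOLOGY, TAUTOLOGY)))  # 2: every user matches
    print(login_vulnerable(db, UNION, "x"))                 # both passwords leak via UNION
    login_vulnerable_stacked(db, STACKED, "x")
    print(role_of(db, "bob"))                               # admin: the stacked UPDATE ran
    print(login_safe(db, COMMENT_OUT, "wrong"))             # []: the payload is just a username
```

The parameterised version is the protection the course discusses; note that it does not help when the injected part is an identifier (table or column name) or an ORDER BY expression, which cannot be bound as parameters and must be validated against a fixed allow-list instead.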

Other vulnerabilities

  • Cross-Site Request Forgery (CSRF)
  • CSRF protection with anti-CSRF (XSRF) tokens
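The synchronizer-token pattern behind "CSRF protection with XSRF tokens", as an added example rather than code from the course: a per-session random token is stored server-side and embedded in the form, and a state-changing handler refuses any request whose body does not carry the token bound to the session in the cookie. The session store, the transfer handler and the attacker's forged form are all constructed stand-ins for a real framework.

```python
"""Synchronizer-token CSRF protection. Added example with a constructed
in-memory session store; the handler simulates a POST /transfer endpoint."""
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> data.
SESSIONS = {}


def new_session(user):
    """Logs a user in and returns the session id the browser keeps in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": 100}
    return sid


def issue_csrf_token(sid):
    """Mints a random token, binds it to this session and returns it so the
    server can put it in a hidden form field. It is never sent as a cookie, so
    a page on another origin cannot read it and cannot make the browser attach it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def csrf_token_valid(sid, submitted):
    """Constant-time comparison against the token bound to this session."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def handle_transfer(cookie_sid, form):
    """Simulated state-changing POST handler.
    cookie_sid: the session cookie, which the browser attaches to every request
    to our origin, including ones triggered by an attacker's page.
    form: the POST body, which only the page that built the form controls."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if not csrf_token_valid(cookie_sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    amount = int(form["amount"])
    if amount > session["balance"]:
        return 400, "insufficient funds"
    session["balance"] -= amount
    return 200, f"sent {amount} to {form['to']}"


if __name__ == "__main__":
    victim = new_session("alice")
    token = issue_csrf_token(victim)          # rendered into alice's own transfer form

    # Attacker's auto-submitting form on evil.example: the cookie rides along,
    # but the attacker cannot know alice's token.
    forged = {"to": "mallory", "amount": "50"}
    print(handle_transfer(victim, forged))    # (403, 'CSRF token missing or invalid')

    # Attacker logs in to their own account and tries their own token on alice's session.
    attacker = new_session("mallory")
    forged["csrf_token"] = issue_csrf_token(attacker)
    print(handle_transfer(victim, forged))    # still 403: the token is bound to the session

    # Alice's genuine form submission carries the matching token.
    print(handle_transfer(victim, {"to": "bob", "amount": "50", "csrf_token": token}))  # (200, 'sent 50 to bob')
```

The token check is only meaningful on requests that change state and only if the token is not leaked by an XSS bug on the same origin (an attacker who can run script in the page can read the hidden field), which is why the course treats XSS protection and CSRF tokens together rather than as substitutes for one another.
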

For an onsite course, please contact us.