Presented at
AppSec USA 2015,
Sept. 23, 2015, 3:30 p.m.
(90 minutes)
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23
The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.
To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems.
The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards
Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery
Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates
In addition, each participant will receive a printed student guide containing all the slides and exercises.
Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.
What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.
Presenters:
-
David Caissy
- Penetration Tester - TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for the Bank of Canada, the Department of National Defense, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last decade.
Links:
Similar Presentations: