Exploiting and Securing Web Application (In-House Training)
Date/Time: 22/04/2021 - 23/04/2021 9:30 am - 4:30 pm
About this course
The development of Web 2.0, HTML5 and better internet services allows users to interact, generate content, and access information anytime and anywhere. Businesses are moving online and run mainly on web applications that serve large amounts of sensitive information, especially personal and financial data. These advances have also attracted malicious hackers and scammers, who keep coming up with new attack vectors, and over the past few years user information has become more profitable to attackers. All of this raises critical concerns about the privacy of digital communications and creates a need for robust protection mechanisms on the web. Such demands push web developers to have at least a basic knowledge of web application security in order to implement and deploy their code securely.
We will wear many hats in this training. We will point out numerous exploitation techniques, e.g., injection attacks to steal data, Cross-Site Scripting (XSS) vulnerabilities to compromise a user's browser, and breaking authentication to gain access to data and secrets. We will also wear the defender's hat: we will discuss various mitigation strategies, explore code examples, and fix the root cause of these vulnerabilities.
Since we want to make this training practical and applicable to developers, we will also focus on developing software using a Secure Software Development Life Cycle (Secure SDLC). We will detail common developer mistakes in implementation and deployment which in turn become security vulnerabilities of their systems.
This training is based mainly on the OWASP Top 10 project, on WebGoat (a deliberately insecure web application maintained by OWASP to teach web application security lessons hands-on) and on the instructor's web security experience and knowledge. In addition, we will discuss online resources and useful tools that help developers create more secure web applications.
Prerequisites
- At least 1-2 years of programming experience
- Interest in security and/or a desire to build more secure (web) applications
Introduction
- CIA triad: Confidentiality, Integrity, Availability
- Security as part of the initial system design
- Cyber security attacks and trends in the 2010s
- Overview of resources and tools for this training: the OWASP WebGoat project
Web Application in a nutshell
- Web 2.0 on top of HTTP's stateless request-response model
- Requests: GET vs POST
- HTTP and HTTPS
- Authentication: cookies and sessions, OAuth
Understanding Web Application Security
Explore common web application vulnerabilities selected from the OWASP Top 10 2013 and 2017 lists.
Sensitive Data Exposure [A3: 2017]
- Why we care about data: impact of data leakage, PII, EU GDPR, user privacy
- Attack vector examples, e.g., man-in-the-middle attacks (plain HTTP, SSL/TLS stripping, session hijacking, replay)
- Enforcing encryption in transit: HTTP Strict Transport Security (HSTS)
- How to store sensitive data, or rather how not to store sensitive data
Cross-Site Request Forgery (CSRF) [A8: 2013]
- What is Cross-Site Request Forgery?
- Vulnerable code examples
- DEMO: CSRF in action (e.g., on a Java web application)
- Basic testing, how to prevent CSRF attacks, and practical countermeasures (e.g., preventing CSRF in Java)
- DEMO: Testing the deployed countermeasures
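The countermeasure the module above builds towards is the synchronizer-token pattern. The following is an added illustration written for this page (it is not code from the course or from WebGoat, and it uses Python rather than the Java of the demos): `CsrfGuard`, `handle_transfer` and the dict-shaped "requests" are all hypothetical stand-ins for a session store and an HTTP framework.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: a random per-session token is embedded in
    every form and compared with the server-side copy on each state-changing
    request. A forged cross-site request carries the victim's session cookie
    automatically, but the attacker can neither read nor guess the token."""

    def __init__(self):
        self._tokens = {}  # session id -> token, kept server side

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time comparison, so the check itself leaks nothing
        return hmac.compare_digest(expected, submitted)


def handle_transfer(guard, request):
    """Hypothetical money-transfer endpoint. `request` is a dict standing in
    for an HTTP request: session_id (from the cookie), method and form fields.
    Returns the HTTP status code the server would send."""
    if request["method"] != "POST":
        return 405  # state changes never ride on GET
    if not guard.check(request["session_id"], request["form"].get("csrf_token")):
        return 403
    return 200


def demo():
    guard = CsrfGuard()
    token = guard.issue("sess-1")  # issued when the real transfer form is rendered
    legit = {"session_id": "sess-1", "method": "POST",
             "form": {"csrf_token": token, "to": "bob", "amount": "100"}}
    # Forged form on an attacker's site: the browser attaches the session
    # cookie, but the form cannot contain the token.
    forged = {"session_id": "sess-1", "method": "POST",
              "form": {"to": "mallory", "amount": "100"}}
    guessed = {"session_id": "sess-1", "method": "POST",
               "form": {"csrf_token": "AAAA", "to": "mallory", "amount": "100"}}
    via_get = {"session_id": "sess-1", "method": "GET",
               "form": {"to": "mallory", "amount": "100"}}
    return (handle_transfer(guard, legit), handle_transfer(guard, forged),
            handle_transfer(guard, guessed), handle_transfer(guard, via_get))


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 405)
```

Testing the deployment means sending exactly the forged and token-less requests shown in `demo()` and confirming the 403s; a `SameSite=Lax` or `Strict` attribute on the session cookie is a worthwhile second layer but does not replace the token.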
Cross-site Scripting Attacks (XSS) [A7: 2017, A3: 2013]
- DOM, Dynamically Generating Pages, and Cross-Site Scripting (XSS)
- XSS vulnerabilities
- Dangers of XSS attacks
- DEMO: XSS attacks in action
- Protection against XSS
- Patching reflected XSS
- DEMO: example of patching an XSS vulnerability
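To make "patching reflected XSS" concrete, here is an added example for this page (not code from the course or WebGoat, and in Python rather than Java). The functions and the payload string are constructed for the illustration; `greet_vulnerable` is the reflected-XSS "before", `greet_patched` the output-encoding fix, and `profile_link_patched` shows why an attribute context needs a scheme check on top of encoding.

```python
import html
from urllib.parse import urlsplit


def greet_vulnerable(name):
    """Reflected XSS: the query parameter is copied into the page verbatim."""
    return "<p>Hello, " + name + "</p>"


def greet_patched(name):
    """Patched: HTML-encode untrusted data before placing it in HTML body text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def profile_link_patched(url):
    """Attribute context needs more than encoding: html.escape leaves
    'javascript:alert(1)' untouched, so the URL scheme is restricted too."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed attacker input


def demo():
    return {
        "vulnerable": greet_vulnerable(PAYLOAD),
        "patched": greet_patched(PAYLOAD),
        "link_js": profile_link_patched("javascript:alert(1)"),
        "link_ok": profile_link_patched('https://example.com/u?x="1"'),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Encoding has to match the context the data lands in (HTML body, attribute, URL, JavaScript); a Content Security Policy without `'unsafe-inline'` is the defence-in-depth layer for the cases the encoding misses.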
Injection [A1: 2017, A4: 2017, A1: 2013]
- Injection attacks and the most common injection types
- SQL syntax and basics
- SQL injection attacks
- Mitigating SQL injection using prepared statements, stored procedures and input allow-listing (whitelisting)
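An added example for the injection module (written for this page in Python with the standard-library sqlite3 module; it is not course material). The user table and payload are constructed; the block shows the concatenated query that the tautology payload bypasses, the prepared statement that binds the same input as data, and an allow-list for the one thing a prepared statement cannot protect, a column identifier in ORDER BY.

```python
import sqlite3

# Constructed sample data for this example; the table stores plaintext
# passwords only to keep the injection visible (never do this in production).
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]

# Allow-list for identifiers: ORDER BY columns are not bindable parameters.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: the user's input becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Prepared statement: values are bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def list_users(conn, sort_by):
    """Client-chosen identifier: validate against the allow-list first; only
    then is splicing it into the statement safe."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + sort_by)]


def demo():
    conn = make_db()
    # Classic tautology: closes the string literal and appends OR '1'='1'
    payload = "' OR '1'='1"
    try:
        list_users(conn, "name; DROP TABLE users")
        allowlist_rejected = False
    except ValueError:
        allowlist_rejected = True
    return {
        "vulnerable": login_vulnerable(conn, "nobody", payload),  # every user
        "prepared": login_prepared(conn, "nobody", payload),      # nobody
        "legit": login_prepared(conn, "alice", "s3cret"),
        "sorted": list_users(conn, "role"),
        "allowlist_rejected": allowlist_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `SELECT name FROM users WHERE name = 'nobody' AND password = '' OR '1'='1'`, and because AND binds tighter than OR it matches every row; the prepared statement compares the literal string `' OR '1'='1` against the password column and matches none.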
Broken Authentication and Session Management [A2: 2017, A2: 2013]
- Common authentication weaknesses
- Protecting our users protects our system: how to prevent automated attacks such as credential stuffing, brute force and stolen-credential reuse
- Hey, what is your password? It is “password”
- Common session management weaknesses
- DEMO: WebGoat's session management vulnerability
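An added example (written for this page in Python; not course code) covering two of the points above and the "how not to store sensitive data" item of the Sensitive Data Exposure module: passwords are stored as salted, slow hashes rather than in clear, a tiny stand-in for a breached-password list rejects "password", and consecutive failures lock the account so automated guessing stops paying off. `LoginService`, `WEAK_PASSWORDS`, the iteration count and the 5-attempt limit are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a breached-password list (a real deployment checks
# against a large corpus such as the Have I Been Pwned data set).
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
# Example tuning only: production should follow current OWASP password-storage
# guidance, which recommends considerably more PBKDF2 iterations than this.
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password, salt=None):
    """Salted, slow hash. Only (salt, digest) is stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    MAX_FAILURES = 5  # lock after this many consecutive failures (assumed policy)

    def __init__(self):
        self._users = {}     # name -> (salt, digest)
        self._failures = {}  # name -> consecutive failed attempts

    def register(self, name, password):
        if len(password) < 8 or password.lower() in WEAK_PASSWORDS:
            raise ValueError("password is too short or too common")
        self._users[name] = hash_password(password)

    def login(self, name, password):
        if self._failures.get(name, 0) >= self.MAX_FAILURES:
            return "locked"  # guessing is cut off, right password or not
        record = self._users.get(name)
        if record is None:
            hash_password(password, DUMMY_SALT)  # same cost: no user enumeration by timing
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self._failures.pop(name, None)
            return "ok"
        self._failures[name] = self._failures.get(name, 0) + 1
        return "denied"


def demo():
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    try:
        svc.register("bob", "password")
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    first = svc.login("alice", "correct horse battery staple")
    guesses = [svc.login("alice", "guess%d" % i) for i in range(5)]
    return {
        "weak_rejected": weak_rejected,
        "first_login": first,
        "guesses": guesses,
        "after_lockout": svc.login("alice", "correct horse battery staple"),
        "unknown_user": svc.login("nobody", "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

A hard lockout like this one is the simplest form of the countermeasure but lets an attacker lock other people out; real deployments usually prefer escalating delays, per-IP rate limits and a CAPTCHA or second factor after a few failures.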
Insecure Deserialization [A8: 2017]
- What are serialization and deserialization?
- Object deserialization attack examples, e.g., deserializing untrusted input
- Countermeasures, e.g., integrity checks, hashes and signatures
- OWASP deserialization security risks
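An added example of the "integrity checks, hashes and signatures" countermeasure (written for this page in Python; not course code). It never hands untrusted bytes to a native object deserializer such as Python's pickle or Java's ObjectInputStream: the state is plain JSON, an HMAC tag is verified before anything is parsed, and the parsed structure is checked against the expected shape. `SECRET_KEY`, `load_session` and the session layout are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side key for this example; load it from a secret store in practice.
SECRET_KEY = b"example-key-do-not-use"
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def dumps_signed(obj, key=SECRET_KEY):
    """Serialize to JSON (data only, no code) and append an HMAC tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def loads_verified(token, key=SECRET_KEY):
    """Verify the tag before parsing anything; reject on mismatch."""
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) <= TAG_LEN:
        raise ValueError("token too short")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: refusing to deserialize")
    return json.loads(body)


def load_session(token, key=SECRET_KEY):
    """Integrity check plus schema check: even authentic data is validated."""
    data = loads_verified(token, key)
    if (not isinstance(data, dict) or set(data) != {"user", "role"}
            or not isinstance(data["user"], str)
            or data["role"] not in ("user", "admin")):
        raise ValueError("unexpected session structure")
    return data


def forge_role(token):
    """What an attacker who can edit the cookie but lacks the key would try."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    body = body.replace(b'"role":"user"', b'"role":"admin"')
    return base64.urlsafe_b64encode(body + tag).decode()


def demo():
    token = dumps_signed({"user": "alice", "role": "user"})
    try:
        load_session(forge_role(token))
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"roundtrip": load_session(token), "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The signature only proves the server produced the bytes; it does not make a native deserializer safe, which is why the payload format is JSON and the loaded object is still validated.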
Broken Access Control [A5: 2017, A4: 2013, A7: 2013]
- Access control and authorization
- Example scenarios, e.g., users calling an API that is missing an authorization check
- Rate-limiting APIs
- OWASP testing for access control
Secure Software Development Life Cycle (Secure SDLC)
Explore the Secure SDLC as well as the OWASP Top 10 vulnerabilities that stem from common mistakes in the development process.
Planning and Requirement
- Goals, threat modeling, security baselines, mapping assets
- Security training and awareness
Architecture and design
- Because security is not only a testing-phase concern
- Secure design and design review
- Security code review and peer review
- Software version control
- Unit testing
Security Testing, Deployment and Beyond
- Vulnerability scanning: static and dynamic analysis
Security Misconfiguration [A6: 2017, A5: 2013]
- Security misconfiguration: configuration mistakes at every level of the application stack (web components)
- Common misconfigurations, e.g., development vs production environments
- Examples of web security misconfigurations, e.g., HTTP headers: HSTS, CORS, Content Security Policy
- Upgrade and deployment processes
- OWASP testing guidelines
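An added example for the header misconfigurations named above and for the HSTS item of the Sensitive Data Exposure module (written for this page in Python; not course code): a small audit function that takes one response's headers and reports the weak settings, run over a constructed weak header set and a constructed hardened one. The one-year HSTS threshold follows the HSTS preload requirement; the set of checks is the author's selection, not an OWASP list.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age accepted for HSTS preload


def _hsts_max_age(value):
    """Pull max-age out of a Strict-Transport-Security value; None if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_headers(headers):
    """Return a list of findings for one response's headers (names matched
    case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security: HTTPS is not enforced")
    else:
        age = _hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age missing or shorter than one year")

    origin = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*":
        findings.append("CORS allows any origin")
    if credentials and origin not in (None, "*"):
        findings.append("CORS sends credentials to " + origin
                        + ": confirm it comes from a fixed allow-list, not the request Origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits inline scripts or eval")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append("Server header leaks a version: " + server)
    return findings


# Constructed header sets for the example
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Access-Control-Allow-Origin": "*",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example",
    "Server": "webserver",
}


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "no findings")
```

The same function fits in a deployment pipeline: fetch the headers of the staging and production hosts after each release and fail the build on any finding, which catches the "development vs production" drift the module mentions.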
Using Components with Known Vulnerabilities [A9: 2017, A9: 2013]
- Active monitoring: update, upgrade and patch them!
- Lists of known vulnerabilities and testing before and after deployment
- Zero-day vulnerabilities
- OWASP testing guidelines
- Security tools to check for vulnerable components (automated!)
Insufficient Logging and Monitoring [A10: 2017]
- Why logging and monitoring?
- How to store security logs
- Penetration testing
- Real-time log analysis, anomaly detection, and security data science
Review, take-aways, other useful resources, tools and further reading
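An added example for the logging and monitoring module (written for this page in Python; not course code): a parser for a constructed login log and a sliding-window detector that flags a source address after repeated failures, distinguishing one-user brute force from credential stuffing spread over many accounts. The log format, the five-minute window, the five-failure threshold and the three-user cut-off are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log, one line per login attempt. Note what is NOT
# logged: the password, even for failures, so the log itself is not a secret store.
AUTH_LOG = """\
2021-04-22T09:30:00 login fail user=alice ip=10.0.0.5
2021-04-22T09:30:10 login fail user=alice ip=10.0.0.5
2021-04-22T09:30:20 login fail user=alice ip=10.0.0.5
2021-04-22T09:30:30 login fail user=alice ip=10.0.0.5
2021-04-22T09:30:40 login fail user=alice ip=10.0.0.5
2021-04-22T09:30:50 login fail user=alice ip=10.0.0.5
2021-04-22T09:31:00 login fail user=bob ip=192.0.2.10
2021-04-22T09:31:30 login ok user=bob ip=192.0.2.10
2021-04-22T09:32:00 login fail user=carol ip=203.0.113.9
2021-04-22T09:32:05 login fail user=dave ip=203.0.113.9
2021-04-22T09:32:10 login fail user=erin ip=203.0.113.9
2021-04-22T09:32:15 login fail user=frank ip=203.0.113.9
2021-04-22T09:32:20 login fail user=grace ip=203.0.113.9
2021-04-22T09:40:00 login fail user=alice ip=198.51.100.7
"""

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(text):
    """Turn log text into (timestamp, result, user, ip) tuples, skipping
    lines that do not match rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Sliding window over failed logins per source IP. Many failures against
    one account look like brute force; failures spread over many accounts
    look like credential stuffing. Returns {ip: (kind, failures, distinct_users)}
    for the window in which an IP first crosses the threshold."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures inside the window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result != "fail" or ip in alerts:
            continue
        bucket = recent[ip] + [(ts, user)]
        recent[ip] = bucket = [(t, u) for t, u in bucket if ts - t <= window]
        if len(bucket) >= threshold:
            users = {u for _, u in bucket}
            kind = "credential-stuffing" if len(users) >= 3 else "brute-force"
            alerts[ip] = (kind, len(bucket), len(users))
    return alerts


if __name__ == "__main__":
    for ip, (kind, failures, users) in detect(parse(AUTH_LOG)).items():
        print("%s: %s (%d failures, %d accounts)" % (ip, kind, failures, users))
```

The two alerts are the same signal the lockout in the authentication module acts on, seen from the monitoring side; the address that failed once and then logged in, and the single stray failure at 09:40, stay below the threshold.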
Duration : 2 Days
Date : Apr 22 – 23, 2021
Time : 9:30 - 16:30
Venue : Client’s Venue
Training Fee : Please Call
Tel. 02 670 8980-3 ext. 304, 305
Email. [email protected]
Terms & Conditions for Course Registration
Please read the following terms and conditions for course registration carefully. By clicking the submit button, I/we confirm that I/we understand and accept the registration and cancellation policies and procedures.
- Full payment is required in advance prior to course commencement date.
- Payment is due upon registration
- Delegates who cancel after registration, or who do not attend, are liable for the full course fee and no refunds can be given
- A replacement is always welcome
Disclaimer: ACinfotec reserves the right to change, postpone or cancel any part of its published programme due to unforeseen circumstances.