Exploiting and Securing Web Application (In-House Training)

Date/Time: 13/04/2020 - 14/04/2020 9:30 am - 4:30 pm

About this course

The development of Web 2.0, HTML5 technology and better internet services allows users to interact, generate content, and access information anytime and anywhere. Businesses are moving online and running mainly on web applications that serve large amounts of sensitive information, especially personal and financial data. These advancements in web applications have also attracted malicious hackers and scammers, who are always coming up with new attack vectors. To make matters worse, over the past few years, user information has become more profitable to attackers. All of this has raised critical concerns about the privacy of digital communications and created the need for robust protection mechanisms on the web. Such demands are pushing web developers to acquire a basic knowledge of web application security in order to implement and deploy their code securely.

We will wear many hats in this training. We will demonstrate numerous exploits, e.g., injection attacks that steal data, Cross-Site Scripting (XSS) vulnerabilities that compromise a user’s browser, and broken authentication that grants access to data and secrets. We will also wear the defender’s hat: we will discuss various mitigation strategies, explore code examples, and fix the root cause of these vulnerabilities.

Since we want to make this training more practical and applicable to developers, we will also focus on developing software using a Secure Software Development Life Cycle (Secure SDLC). We will detail some common developer mistakes in implementation and deployment which in turn become security vulnerabilities in their systems.

This training is mainly based on the OWASP Top 10 Project, WebGoat (an OWASP project designed to teach penetration testing for web applications), and the instructor’s web security experience and knowledge. In addition, we will discuss online resources as well as useful tools to help developers create more secure web applications.

Course Requirements

  • At least 1-2 years of programming experience
  • Interest in security and/or wanting to build more secure (web) applications

Course Contents

Day 1

Cyber Security

  • CIA Triad: Confidentiality, Integrity, Availability
  • “Security” as part of system initial design
  • Cyber security attacks and trends in 2010s
  • Overview of resources and tools for this training: OWASP WebGoat Project

Web Application in a nutshell

  • Web 2.0 as stateless request-response
  • Request: GET vs POST
  • HTTP and HTTPS
  • Authentication: Cookie, OAuth

Understanding Web Application Security

Explore common web application vulnerabilities, selected from OWASP Top 10 2013 and 2017.

Sensitive Data Exposure [A3: 2017]

  • Why we care about data: Data leakage impacts, PII, EU GDPR, user privacy
  • Attack vector examples: popular attack vectors, e.g., man-in-the-middle attacks (plain HTTP, SSL/TLS stripping, session hijacking, replay)
  • Encryption done right (enforcing encrypted transport in deployment): HSTS
  • How to store sensitive data, or how not to store sensitive data

Cross-Site Request Forgery (CSRF) [A8: 2013]

  • What is Cross-site Request Forgery
  • Vulnerable code examples
  • DEMO: CSRF in action (e.g., on a Java web application)
  • Basic testing, how to prevent CSRF attacks, and practical countermeasures (e.g., preventing CSRF in Java)
  • DEMO: Testing our countermeasure deployment

Cross-site Scripting Attacks (XSS) [A7: 2017, A3: 2013]

  • DOM, Dynamically Generating Pages, and Cross-Site Scripting (XSS)
  • XSS vulnerabilities
  • Dangers of XSS attacks
  • DEMO: XSS attacks in action
  • Protection against XSS
  • Patching reflected XSS
  • DEMO: example of patching an XSS vulnerability

Injection [A1: 2017, A4: 2017, A1: 2013]

  • Injection attacks and popular injection attacks
  • SQL syntax and basics
  • SQL injection attacks
  • Mitigating SQL Injection Using Prepared Statements, Stored Procedures, Whitelisting

Broken Authentication and Session Management [A2: 2017, A2: 2013]

  • Common authentication weaknesses
  • Protecting our users protects our system: how to prevent automated attacks such as credential stuffing, brute force, and stolen-credential reuse
  • Hey, what is your password? It is “password”
  • Common session management weaknesses
  • DEMO: WebGoat’s Session Management Vulnerability

Insecure Deserialization [A8: 2017]

  • What is serialization and deserialization?
  • Object deserialization attack examples, e.g., deserializing untrusted input
  • Countermeasures, e.g., integrity checks, hashes and signatures
  • OWASP Deserialization security risks

Broken Access Control [A5: 2017, A4: 2013, A7: 2013]

  • Access control and authorization
  • Example scenarios, e.g., users accessing an API that is missing authorization checks
  • Rate limit APIs
  • OWASP Testing for Access Control

Day 2

Secure Software Development Life Cycle (Secure SDLC)

Explore the Secure SDLC as well as the OWASP Top 10 vulnerabilities that stem from common mistakes in the development process.

Planning and Requirements

  • Goal, threat modeling, security baselines, mapping assets
  • Security training and awareness

Architecture and design

  • Because security is not only for the testing phase
  • Security design and peer review

Development

  • Security review and peer review
  • Software version control
  • Unit testing

Security Testing, Deployment and Beyond

  • Vulnerability scanning: static and dynamic analysis

Security Misconfiguration [A6: 2017, A5: 2013]

  • Security misconfiguration: configuration madness at every level of the application stack (web components)
  • Common misconfigurations, e.g., development vs. production environments
  • Examples of web security misconfigurations, e.g., HTTP headers: HSTS, CORS, Content Security Policy
  • Upgrade and deployment processes
  • OWASP Testing guidelines

Using Components with Known Vulnerabilities [A9: 2017, A9: 2013]

  • Actively monitoring: update, upgrade, patch them!
  • Listing known vulnerabilities and testing before and after deployment
  • Zero-day vulnerabilities
  • OWASP Testing guidelines
  • Security tools to check for vulnerabilities (automated!)

Insufficient Logging and Monitoring [A10: 2017]

  • Why logging and monitoring?
  • How to store security logs
  • Penetration testing
  • Real-time log analysis, anomaly detection, and security data science

Conclusion

Review, takeaways, other useful resources, tools and further reading

Q&A

Training info

Duration : 2 Days
Date : TBA
Time : 9:30-16:30
Venue : Client’s Venue
Training Fee : Please Call
Tel. 02 670 8980-3 ext. 304, 305
Email. [email protected]