Web Application Security

"Web Applications Security" in hands-on hacking format is an eye-opening course for developers and those who have to keep web sites up and running on daily basis

Course duration : 4 days of instructions heavily mixed with hands-on labs.

Group size : 12 participants maximum

Target audience : WebApp developers, maintainers, web server or hosting providers/administrators, information security specialists and managers, testers

Web Application Security course consists of two modules:

  • Server-Side Attacks
  • Client-Side Attacks

It's possible to order the modules on separate weeks (2 days + 2 days).

Price  : 4 days, 2400 EUR + VAT

Next public training courses

Trainers

Trainers are Elar Lang and Marko Belzetski .

Elar Lang Elar Lang

Elar is an experienced PHP developer who enjoys researching web attacks and security. In Estonian IT College he wrote his diploma on "PHP Application Layer Attacks - mechanisms and protection" and in Tallinn University of Technology his master thesis on "Web Application Security - hands-on training". Both schools were graduated with honors ( cum laude ), of course. He is constantly improving and working on his trainings to keep them up to date and for giving the best trainings possible. In March 2017 he rounded up 2000 hours of WAS training given since 2012 March launch and the count is growing fast.

Marko Johani Belzetski Marko Belzetski

Marko joined the team in August 2016. His focus lies in Android and web application penetration testing. He is also one of the main lecturers of our 4-day Web Application Security course. Previously he has worked in finance and business support along with some freelance web application development. Marko has a diploma of professional higher education in IT systems development from Tallinn Technical University. His thesis on the subject of Android IPCs was awarded best thesis in the BSc category of his graduation year. He also holds a bachelor's degree in business administration from Northwood University, which he graduated magna cum laude.

Training methods

Our course employs a dynamic blend of theoretical concepts and hands-on application. Through interactive lectures, engaging discussions, and immersive labs, participants actively experience web application security. Everyone, regardless of their background, will successfully complete the labs, either independently or with guidance from our expert instructors. By placing you in the attacker's shoes within our dedicated lab environment, we transform theoretical knowledge into practical skills. Instructors leverage real-world case studies and storytelling from penetration tests to provide a vivid and relatable learning experience. This approach ensures that participants not only grasp the intricacies of security principles but also gain the practical know-how to navigate and secure real-world scenarios.

Ideology of this course

At the core of our course is the belief that understanding the offensive side is paramount to effective defense. The "Attack to Defend" motto encapsulates this ideology, emphasizing the importance of practical knowledge. We go beyond traditional approaches, challenging outdated terms and providing insights into cutting-edge techniques. The course is designed not just to teach security principles but to instill a proactive mindset, empowering you to anticipate and thwart potential threats.

Contents of this course

Web Application security essentials (4 parts, 8 lectures with practical demos and exercises for each vulnerability, including complex attack scenarios):

Server-Side attacks

  • - Security, security related terminology
    - Factors for calculating riskInformation sources
    - The HTTP protocol and communication, using intercepting proxies 
    - Web application architectures - REST vs "oldschool" 
    - Building a defense (user input, input validation, encoding, sanitization, defense layers) 
    - Authentication (passwords and hashes; rules, common misunderstandings and myths related to passwords)
    - Authorization (lacking access controls)
    - Unintended information leakage (using search engines, metadata from files)
    - Business logic issues
    - SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses - Command injection
    - Web server configuration issues
    - Path traversal
    - File inclusion attacks (LFI, LFI2RCE)
    - File upload and processing (bypassing incorrect defenses, ZIP and XML features)
    - Server-Side Request Forgery (SSRF)
    - XML eXternal Entity (XXE)

Client-Side attacks

- Browser security policies and terminology
- Cross-Site Script (XSS) - what it is and what it is not
- Web Content Injection attacks (HTML injection, JavaScript injection)
- URI encoding, URL manipulation
- Referrer, Referrer-PolicyContent Execution Attacks
-Web Content Execution from uploaded files (HTML, XMl, SVG)
- Serving files, Content-Disposition header
- Using 3rd party content
- HTTP response headers (Content-Security-Policy (CSP), X-Content-Type-Options, Strict-Transport-Security)
- Browser storages
- Cookies, setup and parameter nuances
- Web Storage API
- Session, session hijacking and session fixation attacks
- Client-Side Request Forgery attacks
- Cross-Origin Resource Sharing (CORS), CORS-safelisted and pre-flight requests, related headers 
- UI Redress Attacks (ClickJacking)

* All attacks have hands-on demos, exercises and “lessons learned” from our pentesting services.

Intended outcome

By the end of this course, participants will possess the expertise to architect inherently secure software, integrating robust defense mechanisms seamlessly into the development process. Security will be ingrained as a proactive element, enabling participants to identify vulnerabilities early and build resilient applications from the ground up. Whether you're a security enthusiast, developer, or IT professional, this program equips you to confidently create digital landscapes where security is not an addition but an integral part of the development lifecycle.

Delivery

We can deliver on-site at group pricing anywhere in the world where decent Internet connection is available. Ask us for the group pricing or for times and locations of our public courses. Public groups are currently available directly or via partners in Estonia: BCS Koolitus , Nordic Koolitus .

Feedback

Villu Teearu Villu Teearu,
Elisa Eesti AS
29 FEB 2024
Elisa software developers participated in a Web Application Security (WAS) course. Their feedback on training was really high. Practical examples and hands-on parts impressed them the most. Training format 2+2 days was also very good as there is really much data to process and it is better than there is a little pause between the sessions. Training program was built up in such a way that both junior and senior developers got something from it. From Elisa's perspective this training helps developers to see applications from a hacker perspective and therefore it is a great tool for building more reliable software.
Priit Matiisen Priit Matiisen,
CO-Founder & CTO of Scoro
27 JAN 2017
The most valuable asset of this training was the „reality check“. The technologies we use on a daily basis have their weak spots and quirks that could be exploited, if not properly handled. This training is structured very well and suits everybody. Even people who are not developers by profession. All participants got a valuable theoretical and practical overview of how to defend our personal and our clients’ data against external attacks. Best training ever – really : )
Raul Ennus Raul Ennus,
Head of Development,
Helmes AS
31 JUL 2017
For Helmes solid software security is essential and different security trainings are mandatory for every Helmes software and infrastructure engineer. CS WAS trainings are one important part in Helmes security trainings roadmap. CS has been providing continuously excellent quality with its trainings despite quickly changing global cyber-attacks and risks. WAS training is a must for every serious software engineer.