Web Application Security

"Web Application Security" in hands-on hacking format is an eye-opening training for developers and for those who have to keep web sites up and running on a daily basis.

Training duration: 4 days of instruction heavily mixed with hands-on labs. Duration may depend on the audience.

Group size: 12 participants maximum

Target audience: WebApp developers, maintainers, web server or hosting providers/administrators, information security specialists and managers, testers.

Web Application Security training consists of two modules:

  • Client-Side Attacks
  • Server-Side Attacks

It's possible to order them separately (2 days + 2 days).

Price: 4 days, 1400 EUR +VAT

Trainers

Trainers are Elar Lang, Anti Räis or Jaanus Kääp.

Elar is an experienced PHP developer who enjoys researching web attacks and security. At the Estonian IT College he wrote his diploma thesis on "PHP Application Layer Attacks - mechanisms and protection", and at Tallinn University of Technology his master's thesis on "Web Application Security - hands-on training". He graduated from both schools with honours (cum laude), of course. He is constantly improving his trainings to keep them up to date and to deliver the best training possible. In March 2017 he passed 2000 hours of WAS training delivered since the course launched in March 2012, and the count is growing fast.

Anti joined the team in July 2014 as a web application pentester. His previous work experience consists mainly of web application development. He holds an M.Sc. degree in Cyber Security from Tallinn University of Technology, where he wrote his master's thesis on web content injection attacks. Anti is one of the trainers of our Web Application Security (WAS) training course.

Jaanus is an experienced WebApp pentester with an extensive developer background. Jaanus has been breaking WebApps in the Clarified Security OÜ team since 2011 and holds the IACRB CWAPT (Certified Web Application Penetration Tester) and OSEE (Offensive Security Exploitation Expert) certifications.

Training methods

Trainers engage participants with lectures, live attack demonstrations and practical examples, followed by individual hands-on exercise scenarios. The training is interactive and practical, and besides active participation it is full of attack stories that help change participants' perspective on, and understanding of, real-life security threats.

Ideology of this training

This training focuses on attacks so that the need for defence is better understood. The OWASP project should be the bible of everyone dealing with WebApp development and security, and the OWASP ASVS (Application Security Verification Standard) is one of the golden standards of WebApp security testing. This training covers all WebApp attack types and instils this knowledge through a lot of hands-on exercises. With first-hand experience of those attacks, participants are better armed with an understanding of the attacks and of why they are conducted.

Contents of this training

Web Application Security essentials (4 parts, 8 lectures, with practical demos and exercises for each vulnerability, including complex attack scenarios):

Client-Side attacks

  • Introduction, Client-Server system
  • OWASP (Top 10, ASVS)
  • Input data
  • GET vs POST
  • HTTP vs HTTPS
  • Controlling the thick client (Java applet, Flash, etc.)
  • XSS (Cross-Site-Scripting)
  • Session security, cookies, session hijacking
  • OSRF/CSRF (On-Site and Cross-Site Request Forgery)
  • UI Redress Attacks (incl. ClickJacking, CursorJacking)
  • Combined client side attacks

Server-Side attacks

  • Password security, crypto, brute-force, dictionary, sensitive data
  • Authentication and authorization errors, "remember me" features
  • Business logic implementation errors
  • Direct Object Reference mistakes
  • SQL injection
  • Code and Command injection
  • Source code and structure defence, attack code upload, configuration
  • File handling (file extensions, public folder, execution, enumeration and guessing, meta info)
  • File inclusion (LFI, RFI, RCE, NULL-Byte)
  • File upload
  • Other file insertion vectors (log files)
  • Configuration (Java/PHP, error messages (what to show & what to log), Apache, file permissions)
  • Google hacking

* All attacks come with hands-on demos, exercises and "lessons learned" from our pentesting services.