The aim of this training is to make web developers aware of common insecure coding practices and how these can be addressed to build secure applications. Attendees will have access to web applications specifically designed to demonstrate these vulnerabilities. Besides learning about the vulnerabilities that arise from insecure coding, attendees will also learn the techniques attackers use to subvert an application's programming and business logic to their advantage. This will help developers adopt a defence-in-depth approach and keep all aspects of security in consideration while developing applications.
Duration: 2 Days
Who Should Attend: professional software developers, software security auditors, penetration testers, security managers.
Outline: The following outline shows the vulnerabilities which will be covered during this training:
1. Introduction to Web applications
* Authentication
* Authorization
* Cookies
* HTTP protocol
* Overview of Google hacking
2. Attacking Authentication
* Types of authentication
* Clear-text HTTP protocol
* Username Enumeration
* Security through Obscurity
3. Web server Issues
* IIS/Apache exploits and introduction to hacking tools such as Metasploit
* Insecure HTTP methods
4. Cross Site Scripting
* Types of XSS
* Secure cookie, HTTP-only
* Complicated XSS
5. Cross Site Request Forgery
* Demo
* Complicated XSRF with POST requests
* XSRF in web services
6. Session Fixation
7. CRLF injection
* Proxy poisoning, XSS with CRLF injection
8. Clickjacking
9. SQL Injections (basic to advanced)
* Introduction to SQL Injections
* Authentication bypass
* Extracting Data
* OS code execution
* Overview of advanced SQL injections
10. Malicious File Uploads
11. Vulnerable Flash applications
12. Parameter manipulation attacks
13. Business logic bypass
* Authentication bypass
* Other logical flaws
14. SSL misconfigurations
* SSL and Man in the middle attacks
* Screenshots
15. Security problems with thick client applications