Web Security Workshop


The best way to learn security is to hack yourself! This course teaches how current web application vulnerabilities work and how to exploit them. With this knowledge, effective countermeasures are discussed and applied.

Subjects that will be discussed:

  • Backend Security (Broken Access Control, SQL Injection, ...)
  • Frontend Security (XSS, CSRF, ...)
  • Secure Development and DevSecOps

Course duration

2 days

Course prerequisites

Participants need a solid basic knowledge of HTML5, JavaScript, and HTTP.

Course overview

This course teaches participants the typical vulnerabilities in modern web applications as well as the tricks of secure web programming. The most common security issues are explained in detail and demonstrated with live sessions. The OWASP Top 10 are an important part of it. 

The new understanding will be applied directly to an insecure web application (OWASP Juice Shop). For this purpose, current security tools such as the OWASP ZAP Attack Proxy or SQLMap are used.

Participants will also learn how to implement countermeasures. The course is deliberately technology-independent and is therefore suitable for any web developer.

Course Agenda
Day 1

The first part of the course focuses on the aspects of server-side security. It alternates between theory, demonstrations, and practical exercises. Participants will be able to attack an application in a protected environment and identify existing vulnerabilities. Common tools are presented, and training is given on how to use them.

Topics covered are:

  • Setup Hacking Lab (OWASP ZAP)
  • Risks and Threats
  • Broken Access Control
  • SQL Injection
  • Authentication, Federated Logins
  • JWT Vulnerabilities
  • Misconfiguration & Known Vulnerabilities
  • Server-Side Request Forgery


Day 2

The second day focuses on the client (desktop browser, mobile browser) and participants practice the weak points at the OWASP Juice Shop.

Topics covered are: 

  • XSS (Reflected-, Stored-, Dom-XSS, Mutation-XSS)
  • Same Origin Policy
  • CSRF Attacks
  • CORS & Cookie Security
  • Secure Development (Security Testing Pyramid, Threat Modeling)
  • DevSecOps (Static Analysis, Dependency Checks, Vulnerability Scanner)

Secure development and DevSecOps are also new topics covered in the course. Participants will receive practical tips on how to improve security in their own software project.

Day 3 - Fireside Chat (optional)

Approximately two weeks after the course, you will have the opportunity to participate in a 'Fireside Chat'. During this follow-up coaching, the trainers answer open questions and provide valuable tips and suggestions. Participation in the one-hour Fireside Chat is optional and takes place online.


Participants know the current vulnerabilities of modern web applications (including OWASP Top 10) and can recognize and exploit them. They understand which protective measures exist and how to implement them. Participants also learn about necessary tools to analyze & secure a web application and they can put themselves in the role of a hacker.

Target group

The workshop is aimed at software developers and architects who are involved in web technologies.

Ask for a corporate course

Get a free offer for a corporate training, tailored to your needs.

Ask for a course

Show interest in a public course

Contact us if you are interested in a public course.

Show interest