Course duration

2 days

Course prerequisites

Participants need a solid basic knowledge of HTML5, JavaScript, and HTTP.

Course overview

This course teaches participants the typical vulnerabilities in modern web applications as well as the tricks of secure web programming. The most common security issues are explained in detail and demonstrated with live sessions. The OWASP Top 10 are an important part of it. 

The new understanding will be applied directly to an insecure web application (OWASP Juice Shop). For this purpose, current security tools such as the OWASP ZAP Attack Proxy or SQLMap are used.

Participants will also learn how to implement countermeasures. The course is deliberately technology-independent and is therefore suitable for any web developer.

Course Agenda

Day 1

The first part of the course focuses on the aspects of server-side security. It alternates between theory, demonstrations, and practical exercises. Participants will be able to attack an application in a protected environment and identify existing vulnerabilities. Common tools are presented, and training is given on how to use them.

Topics covered are:

• Setup Hacking Lab (OWASP ZAP)
• Risks and Threats
• Broken Access Control
• SQL Injection
• Authentication, Federated Logins
• JWT Vulnerabilities
• Misconfiguration & Known Vulnerabilities
• Server-Side Request Forgery

Day 2

The second day focuses on the client (desktop browser, mobile browser) and participants practice the weak points at the OWASP Juice Shop.

Topics covered are: 

• XSS (Reflected-, Stored-, Dom-XSS, Mutation-XSS)
• Same Origin Policy
• CSRF Attacks
• CORS & Cookie Security
• Secure Development (Security Testing Pyramid, Threat Modeling)
• DevSecOps (Static Analysis, Dependency Checks, Vulnerability Scanner)
   

Secure development and DevSecOps are also new topics covered in the course. Participants will receive practical tips on how to improve security in their own software project.

Day 3 - Fireside Chat (optional)

Approximately two weeks after the course, you will have the opportunity to participate in a 'Fireside Chat'. During this follow-up coaching, the trainers answer open questions and provide valuable tips and suggestions. Participation in the one-hour Fireside Chat is optional and takes place online.

Goals

Participants know the current vulnerabilities of modern web applications (including OWASP Top 10) and can recognize and exploit them. They understand which protective measures exist and how to implement them. Participants also learn about necessary tools to analyze & secure a web application and they can put themselves in the role of a hacker.

Target group

The workshop is aimed at software developers and architects who are involved in web technologies.