Course duration
2 days
Course prerequisites
Participants need a solid basic knowledge of HTML5, JavaScript, and HTTP.
Course overview
This course teaches participants the typical vulnerabilities in modern web applications as well as the tricks of secure web programming. The most common security issues are explained in detail and demonstrated with live sessions. The OWASP Top 10 are an important part of it.
The new understanding will be applied directly to an insecure web application (OWASP Juice Shop). For this purpose, current security tools such as the OWASP ZAP Attack Proxy or SQLMap are used.
Participants will also learn how to implement countermeasures. The course is deliberately technology-independent and is therefore suitable for any web developer.
Course Agenda
Day 1
The first part of the course focuses on the aspects of server-side security. It alternates between theory, demonstrations, and practical exercises. Participants will be able to attack an application in a protected environment and identify existing vulnerabilities. Common tools are presented, and training is given on how to use them.
Topics covered are:
- Setup Hacking Lab (OWASP ZAP)
- Risks and Threats
- Broken Access Control
- SQL Injection
- XML External Entities
- Authentication, Federated Logins
- JWT Vulnerabilities
- Misconfiguration & Known Vulnerabilities
Day 2
The second day focuses on the client (desktop browser, mobile browser) and participants practice the weak points at the OWASP Juice Shop.
Topics covered are:
- XSS (Reflected-, Stored-, Dom-XSS, Mutation-XSS)
- Same Origin Policy
- CSRF Attacks
- CORS & Cookie Security
- Secure Development (Security Testing Pyramid, Threat Modeling)
- DevSecOps (Static Analysis, Dependency Checks, Vulnerability Scanner)
Secure development and DevSecOps are also new topics covered in the course. Participants will receive practical tips on how to improve security in their own software project.
Goals
Participants know the current vulnerabilities of modern web applications (including OWASP Top 10) and can recognize and exploit them. They understand which protective measures exist and how to implement them. Participants also learn about necessary tools to analyze & secure a web application and they can put themselves in the role of a hacker.
Target group
The workshop is aimed at software developers and architects who are involved in web technologies.
Subscribe for public classes
07.03.2022 - 08.03.2022 Zurich
Participants need to bring their own Notebook/Laptop.
Members of selected organisations (SwissICT) benefit from discounted rates. Discounts are not cumulative.
20.06.2022 - 21.06.2022 Zurich
Participants need to bring their own Notebook/Laptop.
Members of selected organisations (SwissICT) benefit from discounted rates. Discounts are not cumulative.
29.08.2022 - 30.08.2022 Zurich
Participants need to bring their own Notebook/Laptop.
Members of selected organisations (SwissICT) benefit from discounted rates. Discounts are not cumulative.
11.11.2022 - 12.11.2022 Zurich
Participants need to bring their own Notebook/Laptop.
Members of selected organisations (SwissICT) benefit from discounted rates. Discounts are not cumulative.
Ask for a corporate course
You would like to attend this course from another place or at another time? We organise online courses on request, contact us to find out more.
Ask for a courseShow interest in a public course
No public classes available or none of the available dates are convenient for you? Get in touch with us to stay informed about future classes.
Show interest