
Building Secure Software

Defending Web Applications

Course Learning Objectives

  • Express software defects, including the OWASP Top 10 vulnerabilities and how these vulnerabilities can impact your business.
  • Describe the best practices for defending against common web application exploits.
  • Execute exploits against our TrueLabs ExploitMe Bank web application using the concepts learned within the course.

Description

Understand an additional set of common web application vulnerabilities typically seen during security testing, such as brute force attacks, session management weaknesses, encryption mistakes and more. Although these issues are not directly part of the OWASP Top 10, they are important to know because they can still lead to exploitable security vulnerabilities. Students will gain a deeper knowledge of application security threats and will understand how attackers exploit these issues and which defenses matter. This course is meant as a LEVEL200 follow-on to the OWASP Top 10.

Audience

Developers / Testing / Quality Assurance

Time Required

Tailored learning - 60 minutes total

Course Outline

  1. Concept of authorization
    • What is authorization
    • Horizontal & vertical privilege escalation
    • Common access control techniques
  2. Concept of session management
    • About session management
    • About Session Hijacking
    • Stealing credentials
    • Encryption
    • Short session timeouts
  3. Concept of data validation
    • Why perform data validation
    • Where validation vulnerabilities happen
    • Statistics around data validation
  4. Brute-force attacks
    • Sequential brute force attacks
    • Dictionary attacks
    • Newsflash: Brute force
    • Account lockout
    • Password complexity
    • Increasing time delay
    • CAPTCHA
  5. Predictable sessions
    • What makes sessions predictable?
    • Problem with pseudo random numbers
    • Sequential tokens
    • Repeating or exhausting tokens
    • Time driven generation
    • Generating random session tokens
    • Cryptographically strong generators
    • Long key space
  6. Session Fixation
    • About session tokens
    • How session fixation happens
    • How users get tricked
    • Assigning a new session token after login
  7. Insecure logging
    • Information disclosure through logging
    • Monitoring events
    • Accidental storage of sensitive data
    • Generic error messages
    • Logging frameworks
    • Sanitizing data before logging
  8. User enumeration attacks
    • What is enumeration of usernames?
    • Enumeration through forgot password
    • Different forms of disclosure
    • Generic error messages
Price: $249.99 (prices shown in USD)