Building Secure Software

OWASP Top 10 2013

Course Learning Objectives

  • Discover the ten most important web application vulnerability categories in the OWASP Top 10 2013, the edition this course is built on (OWASP has published newer editions since; the 2013 list is the one covered here).
  • Cover all ten items, describing each vulnerability, why it matters from a business risk perspective, how attackers exploit it, and how best to defend against it.
  • Help you meet PCI DSS requirement 6.5, which requires that developers be trained in secure coding techniques for common web application vulnerabilities.

Description

Students learn the ten threat categories in the OWASP Top 10 2013. This language-agnostic course covers the concepts behind each web application threat, the vulnerabilities that cause it, and strategies for defending against it. The OWASP Top 10 is an industry-recognized list of the most critical web application risks, compiled by the OWASP community; the 2013 edition is the one this course follows. For each of the ten items the course provides an easy-to-understand explanation of the business risk, the underlying concepts, news articles showing how the vulnerability has affected real organizations, and best practices for defending against it.

Audience

General staff / Developers

Time Required

Tailored learning - 60 minutes total

Course Outline

  1. Injection
    • About injection
    • Form injection flaws
    • How SQL injection happens
    • Database error messages
    • Other forms of injection
    • Mad Libs analogy
    • Query with bind parameters
  2. Cross-site Scripting
    • How XSS happens
    • Reflected XSS
    • DOM-based XSS
    • Why attackers use alert boxes
    • Stored XSS
    • Business risk to XSS
    • Newsflash: Samy worm
    • Data validation
    • Blacklisting
    • Whitelisting
    • Canonicalization
    • Output validation
    • Escaping for context
    • HTTPOnly
  3. Broken authentication and session management
    • Internet session management
    • Clear-text traffic
    • Hijacking sessions
    • Session timeout
    • Network encryption (SSL/HTTPS)
    • Account lockout
  4. Insecure direct object references
    • About parameter manipulation
    • Exploiting parameters
    • Newsflash
    • Indirect object mapping
    • Explaining a mitigated attack
  5. Security Misconfiguration
    • Considerations when deploying applications
    • Verbose error messages
    • Weak configuration
    • Generic error messages
    • Configuration activities
    • Hardening standards
    • Standardizing builds
    • Patch management and audits
  6. Sensitive data exposure
    • About sensitive data
    • Insecure storage
    • Newsflash: Credit card data breach
    • Identifying data sensitivity
    • Importance of threat modeling
    • Threat model process
    • Cryptographic defenses
    • Transport layer security
    • Hashing for confidentiality and its challenges
    • Salts
  7. Missing functional level access control
    • Access to internal resources
    • Newsflash: Privacy disclosure
    • Page-level authorization
    • Beware only page-level authorization
    • Programmed authorization
  8. Cross-site request forgery (CSRF)
    • Anatomy of a CSRF attack
    • How users get tricked
    • How hackers exploit a CSRF attack
    • CSRF explained in detail
    • Anti-CSRF tokens and how they work
    • Re-authentication
  9. Using components with known vulnerabilities
    • Vulnerable components
    • External components in code
    • Exploiting vulnerabilities
    • Newsflash: Heartbleed vulnerability
    • Catalogue dependencies
    • Approval of external components
  10. Unvalidated redirects and forwards
    • Malicious redirects
    • Newsflash
    • Avoid use of redirect parameters
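The following is an added example, not part of the course material, illustrating the injection topics listed in section 1 (how SQL injection happens, database error messages, and querying with bind parameters). It uses Python's built-in sqlite3 module against a constructed in-memory table; the table, the users and the attack payloads are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar, so quotes,
    OR clauses and comment markers in the input change what the query means."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Bind parameters: the query shape is fixed at parse time and the inputs are
    passed purely as data. A quote in the password is just a character in a string."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def error_leaks(conn):
    """A lone quote makes the concatenated query syntactically invalid. The database
    error this raises is what an attacker probes for: if the application shows it,
    it confirms that input reaches the SQL parser unescaped. Returns the message text,
    or None if no error occurred."""
    try:
        login_vulnerable(conn, "alice'", "x")
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    # Classic tautology in the password field: (username='alice' AND password='') OR '1'='1'
    print(login_vulnerable(db, "alice", "' OR '1'='1"))      # every user, no password needed
    # Comment marker in the username field drops the password check entirely
    print(login_vulnerable(db, "alice'--", "anything"))      # alice, as admin
    print(error_leaks(db))                                   # the database error message
    print(login_parameterized(db, "alice", "' OR '1'='1"))   # [] : payload is just a wrong password
```

Note that the parameterized version still returns the legitimate row for a correct password; only the ability to rewrite the query is gone. Storing passwords in clear text, as this toy table does, is a separate flaw covered under section 6.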
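The following is an added example, not part of the course material, covering the defensive items listed under section 2: allow-list ("whitelist") validation, canonicalization before validation, and escaping output for the context it lands in (HTML text or attribute, a JavaScript string inside a script block, and a URL query parameter). The profile template, field names and payloads are constructed for the demonstration; the escaping functions use only the Python standard library.

```python
import html
import json
import re
import unicodedata
from urllib.parse import quote

# Assumed policy for the demo: a username is 1-32 ASCII letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def canonicalize(value):
    """Reduce the input to one canonical form before validating it, so that
    visually equivalent encodings (e.g. fullwidth letters) cannot slip past the check."""
    return unicodedata.normalize("NFKC", value)


def validate_username(value):
    """Allow-list validation: accept only what a username may contain, reject everything else.
    A blacklist of '<', 'script', etc. would miss the next encoding trick; this does not."""
    return USERNAME_RE.fullmatch(canonicalize(value)) is not None


def for_html(value):
    """HTML text and quoted-attribute context: escape & < > " and '.
    Attribute values must also be quoted in the template, or escaping is not enough."""
    return html.escape(value, quote=True)


def for_js_string(value):
    """JavaScript string-literal context inside <script>: JSON-encode, then also escape
    < and > so that a '</script>' inside the data cannot close the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def for_url_param(value):
    """URL query-parameter context: percent-encode everything, including & = / ? and :."""
    return quote(value, safe="")


def render_profile(display_name, bio, homepage):
    """Constructed template: the same untrusted values land in four different contexts,
    and each one is escaped for exactly that context."""
    return (
        f"<h1>{for_html(display_name)}</h1>\n"
        f'<p title="{for_html(bio)}">{for_html(bio)}</p>\n'
        f'<a href="/go?to={for_url_param(homepage)}">homepage</a>\n'
        f"<script>var displayName = {for_js_string(display_name)};</script>"
    )


if __name__ == "__main__":
    print(validate_username("alice_1"), validate_username("<script>"))
    print(render_profile(
        "<script>alert(1)</script>",     # would run in HTML text and in the JS literal
        '" onmouseover="alert(1)',       # would break out of the title attribute
        "https://example.com/?a=1&b=2",  # would add its own parameters to the redirect URL
    ))
```

The rule the example encodes is that validation happens once, on canonical input, while escaping happens at every output point and depends on where the value is written; one global "sanitize" function cannot serve all four contexts.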
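The following is an added example, not part of the course material, for the "hashing for confidentiality", "challenges" and "salts" items under section 6. It contrasts a bare, unsalted hash (identical passwords produce identical digests, so a precomputed table cracks all of them at once) with PBKDF2-HMAC-SHA256 using a random per-user salt and a high iteration count. The storage format, the iteration count and the sample passwords are assumptions for the demo; in production the iteration count is tuned to your hardware and a dedicated password-hashing library is preferable.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the demo; OWASP's current guidance for PBKDF2-HMAC-SHA256
# is in this range, but tune it to your own hardware and revisit it over time.
ITERATIONS = 600_000


def unsalted_sha256(password):
    """What 'just hash it' gives you: deterministic, fast, and identical for every
    user who chose the same password. A rainbow table defeats it wholesale."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. The random salt makes each stored value unique even for
    identical passwords, so precomputed tables are useless; the iteration count makes
    each guess expensive. Returns a self-describing record: algo$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print(unsalted_sha256(pw) == unsalted_sha256(pw))   # True: same digest for everyone
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    print(record_a != record_b)                          # True: salts differ
    print(verify_password(pw, record_a), verify_password("wrong", record_a))  # True False
```

Storing the iteration count with each record lets you raise the work factor later and re-hash users on their next successful login without a migration.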
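The following is an added example, not part of the course material, for the anti-CSRF token item under section 8 and the HTTPOnly item under section 2. A forged cross-site request carries the victim's session cookie automatically but cannot carry a token the attacker never saw, so the handler demands a token bound to the session and rejects requests without it. The request dictionaries, the handler and the secret are constructed for the demo; the cookie attributes are set with Python's standard http.cookies module.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed server-side secret for the demo; load it from a secret store in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Bind the token to the session: HMAC(secret, session_id). A token captured from
    the attacker's own session is therefore useless against the victim's session."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    """Constant-time comparison; a missing token is simply a failed check."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode("utf-8"), (submitted or "").encode("utf-8"))


def session_cookie_header(session_id):
    """The session cookie: HttpOnly keeps script (and thus XSS) from reading it,
    Secure keeps it off plain HTTP, SameSite=Lax withholds it on most cross-site POSTs."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


def handle_transfer(request):
    """Simulated state-changing POST handler. The browser attaches the cookie on its own;
    the token has to come from a form the real site rendered into this session."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "no session"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']}"


if __name__ == "__main__":
    victim_session = secrets.token_urlsafe(16)          # constructed session id
    print(session_cookie_header(victim_session))
    token = issue_csrf_token(victim_session)             # rendered into the site's own form
    legitimate = {"cookies": {"session": victim_session},
                  "form": {"amount": "10", "csrf_token": token}}
    forged = {"cookies": {"session": victim_session},    # cookie rides along automatically
              "form": {"amount": "10000"}}               # but the attacker has no token
    print(handle_transfer(legitimate))                   # (200, 'transferred 10')
    print(handle_transfer(forged))                       # (403, ...)
```

Re-authentication for the most sensitive actions, the other item in that section, complements the token: even a token leak then buys the attacker nothing without the victim's password.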

$200.00 (prices shown in USD)