Web Application Security (WAS) (in English)

Training duration: 4 days (32 academic hours) of highly practical information heavily mixed with hands-on labs.

Group size: 12 participants maximum

Target audience: WebApp developers, testers, QA, maintainers, team leads, project leads, web server or hosting providers / administrators, information security specialists and managers.

Web Application Security training consists of two modules:

  • Client-Side Attacks (attacks that incorporate the victim’s browser)
  • Server-Side Attacks (directly attacking the server itself)

The training is held by our partner Clarified Security.

Training methods

Our course employs a dynamic blend of theoretical concepts and hands-on application. Through interactive lectures, engaging discussions, and immersive labs, participants actively experience web application security. Everyone, regardless of their background, will successfully complete the labs, either independently or with guidance from our expert instructors. By placing you in the attacker’s shoes within our dedicated lab environment, we transform theoretical knowledge into practical skills. Instructors leverage real-world case studies and storytelling from penetration tests to provide a vivid and relatable learning experience. This approach ensures that participants not only grasp the intricacies of security principles but also gain the practical know-how to navigate and secure real-world scenarios.

Ideology of this training

At the core of our course is the belief that understanding the offensive side is paramount to effective defense. The “Attack to Defend” motto encapsulates this ideology, emphasizing the importance of practical knowledge. We go beyond traditional approaches, challenging outdated terms and providing insights into cutting-edge techniques. The course is designed not just to teach security principles but to instill a proactive mindset, empowering you to anticipate and thwart potential threats.

Contents of this training

Topics covered in the training course

Client-Side attacks module (2 days):
• Browser security policies and terminology
• Cross-Site Scripting (XSS) – what it is and what it is not
• Web Content Injection attacks (HTML injection, JavaScript injection)
• URL encoding, URL manipulation
• Referrer, Referrer-Policy
• Content Execution Attacks
• Web Content Execution from uploaded files (HTML, XML, SVG)
• Serving files, Content-Disposition header
• Using 3rd party content
• HTTP response headers (Content-Security-Policy (CSP), X-Content-Type-Options, Strict-Transport-Security)
• Browser storages
• Cookies, setup and parameter nuances
• Web Storage API
• Session, session hijacking and session fixation attacks
• Client-Side Request Forgery attacks
• Cross-Origin Resource Sharing (CORS), CORS-safelisted and pre-flight requests, related headers
• UI Redress Attacks (ClickJacking)

Server-Side attacks module (2 days):
• Security, security related terminology
• Factors for calculating risk
• Information sources
• The HTTP protocol and communication, using intercepting proxies
• Web application architectures – REST vs “oldschool”
• Building a defense (user input, input validation, encoding, sanitization, defense layers)
• Authentication (passwords and hashes; rules, common misunderstandings and myths related to passwords)
• Authorization (lacking access controls)
• Unintended information leakage (using search engines, metadata from files)
• Business logic issues
• SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses
• Command injection
• Web server configuration issues
• Path traversal
• File inclusion attacks (LFI, LFI2RCE)
• File upload and processing (bypassing incorrect defenses, ZIP and XML features)
• Server-Side Request Forgery (SSRF)
• XML eXternal Entity (XXE)

Intended outcome

By the end of this course, participants will possess the expertise to architect inherently secure software, integrating robust defense mechanisms seamlessly into the development process. Security will be ingrained as a proactive element, enabling participants to identify vulnerabilities early and build resilient applications from the ground up. Whether you’re a security enthusiast, developer, or IT professional, this program equips you to confidently create digital landscapes where security is not an addition but an integral part of the development lifecycle.

Technical requirements

Be sure to bring your own laptop, its charger and, if needed, anything else you need for work (a mouse, etc.). The laptop must have an Ethernet port or be able to connect to a Wi-Fi network, and a screen resolution of at least 1920×1080.
Any operating system is suitable; the main requirement is that a remote desktop client is available.
All training activity takes place in our training environment. If you would like to install a remote desktop client on your computer beforehand, our recommendations are:
• Linux: Remmina, rdesktop
• macOS: Microsoft Remote Desktop client (available in the Mac App Store)
• Windows: built into Windows 10

Continuing education curriculum group: Interdisciplinary curriculum group of information and communication technology

Price

2400€ + VAT

Location

Clarified Security OÜ
Lõõtsa 12, 11415 Tallinn

Trainer

  • Marko Belzetski
    Pentester (WebApps) and trainer

    Marko joined the team in August 2016 as a Web Application Pentester. Although his previous work experience has mainly been in finance and business support, he has also done freelance web application development. Marko holds a bachelor’s degree in business administration from Northwood University and is currently obtaining a degree in IT Systems Development from the Estonian Information Technology College.