We offer web security trainings for two primary target audiences: first, developers who want to learn about web application security, Single Sign-On, TLS, XML, and web service technologies; second, penetration testers who want to gain in-depth knowledge of web security. The topics we cover include both well-known attacks and attacks that are usually less known, along with their countermeasures. Furthermore, we go into detail on solutions for automating security tests.

In the Secure Web Development training, we use real-life examples to teach participants how an attacker finds and exploits security vulnerabilities in web applications. In addition to well-known attacks such as SQL injection, remote file inclusion, and cross-site scripting, we also cover newer threats arising from HTML(5) and NoSQL databases (e.g., MongoDB). The goal of this intensive training is to enable you to conduct smaller audits and penetration tests on your own. You will also be able to understand and evaluate common attacks and to continually secure your web application with regard to these topics.

The training will address the following questions, among others:

  • How do attackers proceed when looking for vulnerabilities in a web application? Which tools and procedures are used?
  • How well is my web application protected against attacks? Where is it vulnerable?
  • How can I harden my web application against attacks in just a few steps?
  • Which measures are necessary to prevent future attacks against my web application?

Training Contents:

  • Short Introduction: HTTP, HTML, CSS, XML and DOM
  • Social Engineering
  • Information Disclosure
  • Logical Flaws
  • Same-Origin Policy
  • Cross-Site Request Forgery
  • Cross-Site Scripting
    • Non-persistent XSS
    • Persistent XSS
    • DOM-based XSS
    • Self-XSS
    • Mutation-based XSS
    • Scriptless Attacks
  • Session Hijacking and Session Fixation
  • UI Redressing and Clickjacking
  • DOM Clobbering
  • File Inclusions and Path Traversal
  • Remote Command and Code Execution
  • SQL- and NoSQL-Injections
  • Secure Coding
    • OWASP TOP-10
    • Character Sets
    • DOCTYPE-Switch
    • Content Security Policy
    • Feature and Referrer Policy
    • Burp Suite
  • Security Requirements

Requirements: The course is designed for people who wish to familiarize themselves with web hacking. It is particularly helpful for web developers (both front-end and back-end), heads of web development departments, and information security officers. Prior knowledge of web languages such as HTML is helpful.

Example: 15 Slides
Flyer: Secure Web Development

Contact: Dr. Marcus Niemietz