COURSE IS SELF-PACED, AVAILABLE ON DEMAND

DURATION: 24 hours

CPE POINTS: On completion you get a certificate granting you 24 CPE points. 

The course starts on the 3rd of November.

OWASP Top 10 is the standard awareness for web application security and developers; it covers a broad area of most critical security risks to web application security. Almost every company adopts OWASP Top 10 approach to secure web applications and minimize the risks. Any penetration testers going to work within an organization need to follow the Top 10 to ensure application security and minimize the risks to the organization. This course is going to do the same in the practical scenario of how you can test for OWASP Top 10 vulnerabilities in more effective ways.


Who is this course for?

  • Bug bounty hunters
  • Ethical hackers 
  • Penetration testers
  • Security analysts
  • Developers
  • Programmers 
  • CISO - Chief information security officer
  • Security administrators 
  • SOC Analysts - Security operations center

Why take it NOW?

OWASP Top 10 is updated every 2-3 years and it was updated in 2021, so this is the best time to get updated for the most critical vulnerabilities and which one is the most exploited so that you can conduct the security tests effectively.

Why this course?

As the OWASP Top 10 is the industry standard for web application security, you must have the knowledge to follow this approach.


Course benefits:

What skills will you gain?​​ ​​​ ​​ ​ ​​​​​

  • Web security testing 
  • Static application security testing - SAST
  • Dynamic application security testing - DAST
  • Automated security testing
  • Manual security testing
  • Bug hunting techniques

What will you learn about?

  • Latest OWASP Top 10 framework
  • Security testing Top 10 vulnerabilities
  • Learn how to test critical vulnerabilities 
  • Learn the ways to test low hanging fruits (bugs)
  • Standard approach for security testing

What tools will you use?

  • Burp Suite
  • OWASP ZAP
  • Some tools from Kali Linux OS

Course general information: 

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What will you need?

  • A computer system with 40GB of storage and min 4GB of RAM
  • Internet connectivity
  • Latest Kali Linux
  • Latest OWASPbwa
  • Latest Virtual Box

What should you know before you join?

  • Virtual box 
  • Linux 
  • Web applications architectures 
  • Basics of SQL
  • Familiar with web languages

YOUR INSTRUCTOR:  Atul Tiwari

Atul Tiwari has over 10 years in security training. He has trained more than 45k students across 162 countries in online mode. Atul has specialized in web security testing and has conducted hundreds of pentests, audits, and tests of web applications since 2013. He holds CISSP certifications with CEH, cyber laws, CCNA.  

He is the founder and CTO at gray hat | security (INDIA) www.grayhat.in

 


COURSE SYLLABUS


Module 0

Course Setup

An introductory module.

  • An overview of OWASP Top 10.

Module 1

Broken access control 

Access control enforces the policies to restrict a user to not go outside the limitations. In this module, we will go through common access control checks and test access control vulnerabilities.

  • Parameter tampering 
  • Forced browsing
  • Insecure direct object reference (IDOR) attacks
  • Cross-site request forgery (CSRF) attacks
  • Testing Open redirect
  • Path traversal testing
  • Accessing API with missing access control
  • Privilege escalation
  • Metadata manipulation
  • JWT tampering - JSON web token
  • Testing misconfigured CORS - Cross-origin resource sharing
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 2

Cryptographic failures 

In this module, we will check for weak encryption, entropy, unsalted hashes, etc., by which we will test for weak (clear text) data transmission or TLS, such as EU's GDPR and PCI DSS that will be discussed for data safety.

  • Testing for weak TLS
  • Testing for padding Oracle 
  • Testing for sensitive information over unencrypted channel
  • Testing for weak encryption
  • Testing for HSTS
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 3

Injection description

In this module, we will cover injection related vulnerabilities, such as SQL injection, NoSQL injection, OS commanding, source code review, automated testing of all parameters, and so on.

  • SQL injection
  • Automated testing of parameters
  • OS command injection
  • Manually testing and exploiting SQL injection 
  • LDAP injection
  • XPATH injection
  • XSS - Cross site scripting
  • ORM injection
  • Server side template injection SSTI
  • XEE injection - XML external entity 
  • Source code review impact
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 4

Insecure design

This category is the new addition to the OWASP Top 10 which discusses the different weaknesses, ineffective control design, etc.

  • Threat modeling
  • Secure design principles
  • Security architectures
  • Threat assessment
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 5

Security misconfigurations

This topic is related to misconfiguration of the server, applications servers and application frameworks. In this module, we will test for various misconfigurations listed in OWASP Top 10 category (A05:2021-Security misconfiguration).

  • Testing for improper error handling 
  • Improper permission
  • Testing unnecessary features enabled  
  • Default accounts and passwords
  • Testing directory listing 
  • Testing for configuration and deployment management - This includes various misconfigurations testing from HTTP methods to subdomain takeover
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 6

Vulnerable and outdated components

This module is simple in nature. We will find vulnerable and outdated servers, applications, APIs, containers and so on using both a manual approach and automated tools using the DAST method.

  • Automated testing 
  • Testing for outdated components
  • Testing for vulnerable applications 
  • Manual analysis of web servers components
  • Countermeasures

Practical graded assignments: 

3-5 practical, hands-on exercises testing your understanding of the module.


Module 7

Identification and authentication failures

This includes the authentication related attacks to test the identity and authentication mechanism. Session management is critical to protect against these attacks. Authentication failures can lead to serious issues, which is the part of how the application is going to authenticate and identify the user, manage the session, and so on. We will test for every topic listed in OWASP Top 10 category (A07-2021-Identification and authentication failures).

  • Testing for default password
  • Testing for brute force
  • Credential recovery - forgot password testing 
  • Multi factor authentication 
  • Session identifier in URL
  • Session fixation 
  • Credential stuffing
  • Automated testing for weak passwords
  • Testing for failed login attempts
  • Authentication testing from OWASP WSTG
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 8

Software and data integrity failures

A new category for OWASP Top 10 2021 demonstrates how integrity failures can lead to serious issues and loss of organizational trust. All about integrity checks. Numerous home routers, IoT devices, and set top boxes do not verify firmware integrity, which can lead to complete take over.

  • Untrusted search path
  • Download of code without an integrity check
  • Insecure deserialisation testing
  • Update without signing
  • Inclusion of functionality from an untrusted source
  • SolarWinds attack - Case study
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Module 9

Security logging and monitoring

Without logging and monitoring, breaches can’t be detected, even insufficient logging and monitoring are prone to such issues and undetectable attacks. This module covers all the issues that happen due to improper logging and monitoring.

  • Insufficient Logging
  • Improper output neutralization for logs
  • Insertion of sensitive information into logs
  • OPM hack - Case study 
  • Effective ways of logging 
  • Countermeasures

Practical graded assignments: 

3-5 practical, hands-on exercises testing your understanding of the module.


Module 10

Server-side request forgery

This is the attack type that can lead to critical issues for an organization. SSRF flaws occur when a web application is parsing a remote resource without validating the user supplied URL, hence allowing an attacker to craft their own payload to get internal access to the resources, such as Remote code execution (RCE), Denial of service attack (DoS), sensitive data exposure and so on.

  • As this is the SSRF topic itself, we will test for this kind of vulnerability in different situations and target types. We will use both automated and manual approaches to test for SSRF vulnerability.
  • Countermeasures

Practical graded assignments:

3-5 practical, hands-on exercises testing your understanding of the module.


Final exam

Quiz: 20 questions MCQ Test


QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.