If you are a security professional, this course will make you more efficient and resourceful at expediting your security reviews of PHP applications. If you are a developer, you will become better at creating software that is secure, not merely functional.

In this course, we start with the concepts of PHP and what it has to offer. We learn how to structure applications and which fundamentals to consider when designing one. You need a solid base before you can make sure everything is properly secured, and it helps to know how developers work if you want to review their code. We also look at various good practices for PHP coding and benchmark them against the top ten threats to web applications to see how to build robust applications. You don't want to get stuck with code vulnerable to one of the OWASP Top 10, do you? Finally, we get exposed to tools and techniques that let us analyze and fix the majority of our PHP applications.

Course benefits:

What will this course give you? 

  • It will get you up and running with the key concepts of PHP development and application protection. 
  • It will give you practical implementation of secure PHP development using different tools and techniques. 
  • You will master the art of detecting, mitigating, fixing, and preventing defects in PHP applications.
  • You will also learn the tricks for countering scanners in PHP development. 

You will be able to confidently speak about: 

  • Fundamentals of PHP development.
  • Various application protection techniques.
  • Using various tools to analyse and defend against attacks on applications. 
  • Fixing known bugs in PHP applications. 

Tools you’ll get familiar with: 

  • Github
  • Notepad++ / Visual Studio IDE
  • Phar-based static analysis tools 

Course general information: 

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

COURSE LAUNCH: November 21st 2019

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What to bring with you:

  • Machine with at least 1 GB RAM
  • Internet connection
  • Python 2.7/3

Topics to brush up on before the course:

Basic knowledge of PHP programming is preferred as well as basic database knowledge with bias to MariaDB or MySQL.

Instructed by Munir Njiru:

Munir is a cyber security consultant, researcher, and developer with over nine years' experience, based in Nairobi, Kenya. He is passionate about web security, malware analysis, and mobile application security.

He provides holistic information security assessments for customers and holds two WASPY awards (Web Application Security People of the Year, 2015) for contributions to the open source security community.

Module 1: Lay of the PHP Land

In this module, we cover the basic concepts of PHP and get familiar with the various features that PHP has to offer.

In this module you will learn: 

  • What is PHP and some key features
  • Threat Landscape and OWASP Top 10
  • Secure Software Development Lifecycle (SSDLC)
  • ASVS and SAMM as methodologies to implement SSDLC
  • Use of these features in PHP Applications

Module 1 Exercises:

  • You will answer 30 multiple choice questions to gauge your grasp of the theory above; the theory is necessary for the upcoming modules. 
  • The exercise will test your understanding of SAMM and ASVS and of the OWASP Top 10 threats to applications. 

Total module workload: ~ 4 hours

Module 2: The validation threat

This module demonstrates three common coding strategies that PHP applications rely on for security (filtering, validation and output escaping) and the problems that arise when they are applied badly. It also delves into actual input injection attacks that succeed when these three strategies are not doing their job. Additionally, we show how to identify, exploit and fix bad code in this regard. 

In this module you will learn about: 

  • Filtering, validation and output escaping 
  • Common attacks when filtering, validation, and escaping are missed
  • Cross Site Scripting attacks and prevention
  • SQL Injection attacks and prevention
  • XXE Attacks and Prevention
  • Validating serialized data


The exercise will involve identifying and fixing at least three SQL injection and XSS instances in code. The expected submission is a set of code snippets detailing: 

  • Vulnerable Page
  • Vulnerable Code Snippet 
  • Reason it is vulnerable 
  • Fix for the code using PHP's built-in filter, validation and escaping functions 
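The following is an added example of what a submission in that format looks like; it is not course material and not the instructor's code. It shows one snippet that is vulnerable to both SQL injection and XSS and a fix built only from PHP's own filter, PDO and escaping functions. The page name `profile.php`, the `users` table, the `id` parameter and the use of SQLite for the demo are assumptions for illustration (PHP 7.4+ with pdo_sqlite is assumed).

```php
<?php
// Added example, not course material. Names (profile.php, users, id) are assumptions.

// --- Vulnerable page: profile.php ---
// Vulnerable snippet:
//   $id  = $_GET['id'];
//   $row = $db->query("SELECT name, bio FROM users WHERE id = $id")->fetch();
//   echo "<h1>" . $row['name'] . "</h1><p>" . $row['bio'] . "</p>";
// Reason it is vulnerable: `id` is concatenated into the SQL text without validation
// (SQL injection), and `name`/`bio` are echoed into HTML without escaping (XSS if an
// attacker controlled those values when they were stored).

// --- Fix ---
function loadProfile(PDO $db, array $get): ?array
{
    // Validation: only a positive integer is accepted; anything else is rejected before
    // any SQL is built. filter_var() returns false for '1 OR 1=1', null, '', etc.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Parameterised query: the value is bound, never interpolated, so it cannot alter the SQL.
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderProfile(array $row): string
{
    // Output escaping for an HTML body context. ENT_QUOTES also escapes single quotes, so the
    // same helper is safe inside quoted attributes; the explicit charset avoids multibyte bypasses.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $e($row['name']) . '</h1><p>' . $e($row['bio']) . '</p>';
}

// Demo against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$db->prepare('INSERT INTO users (id, name, bio) VALUES (1, ?, ?)')
   ->execute(['alice', '<script>alert(1)</script>']);

// An injection attempt fails validation and never reaches the database.
var_dump(loadProfile($db, ['id' => '1 OR 1=1']));
// A valid id is fetched with a bound parameter and rendered with the stored script escaped.
echo renderProfile(loadProfile($db, ['id' => '1'])), PHP_EOL;
```

Note that validation and escaping are separate controls applied at different boundaries: `filter_var` guards the input where it enters the query, and `htmlspecialchars` guards the output where it enters the HTML, so neither one is expected to do the other's job.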

Total module workload: ~4.5 hours

Module 3: The code execution threat

This module covers another aspect of PHP security that not only leads to compromise of the application but can extend to more serious attacks on the operating system through code execution. Additionally, it covers threats that undermine the application's access control and authorization logic. 

In this module you will learn: 

  • What is code execution
  • Information disclosure to code execution
  • Improper Access Controls and prevention
  • Insufficient Authorization and prevention
  • File upload handling 
  • Command Injection and Prevention


The exercise will involve identifying and fixing at least two code injection instances in code. The expected submission is a set of code snippets detailing: 

  • Vulnerable Page
  • Vulnerable Code Snippet 
  • Reason it is vulnerable 
  • Fix for the code to prevent the attack
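As an added example of that submission format for two of the issues this module names (command injection and file upload handling), not course material and not the instructor's code: the page names `ping.php` and `upload.php`, the `host` and `avatar` parameters and the storage directory are assumptions for illustration (PHP 7.0+ with the fileinfo extension is assumed).

```php
<?php
// Added example, not course material. Names (ping.php, upload.php, host, avatar) are assumptions.

// --- Vulnerable page: ping.php ---
// Vulnerable snippet:
//   echo shell_exec("ping -c 1 " . $_GET['host']);
// Reason it is vulnerable: the value is pasted into a shell command line, so
// host=;id or host=$(id) runs arbitrary commands as the web server user (command injection).

// Fix: accept only the one shape we expect, and still quote for the shell.
function pingHost(string $host): string
{
    // Allowlist: an IP literal or a syntactically valid hostname. Anything else is refused
    // before a shell is ever involved (this also rejects values starting with '-').
    if (filter_var($host, FILTER_VALIDATE_IP) === false
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('invalid host');
    }
    // escapeshellarg() single-quotes the value so shell metacharacters are inert.
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1');
}

// --- Vulnerable page: upload.php ---
// Vulnerable snippet:
//   move_uploaded_file($_FILES['avatar']['tmp_name'], 'uploads/' . $_FILES['avatar']['name']);
// Reason it is vulnerable: the client chooses the file name and extension, so shell.php lands
// in a web-served directory and executes on the next request (file upload to code execution).

// Fix: decide the type from the bytes, generate the name server-side, store outside the webroot.
function storeAvatar(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Content sniffing via libmagic, not the client-supplied name or Content-Type header.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // Random server-generated name with a fixed extension; the original name is never used,
    // so path traversal and executable extensions are impossible by construction.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage (inside the request handlers; $dir should be outside the document root, or served
// with PHP execution disabled, so that even a misclassified file is treated as data, not code):
//   echo '<pre>' . htmlspecialchars(pingHost($_GET['host'] ?? ''), ENT_QUOTES, 'UTF-8') . '</pre>';
//   $stored = storeAvatar($_FILES['avatar'] ?? [], '/var/app/uploads');
```

The two fixes share one principle from the module: untrusted input is allowed to reach a shell or the filesystem only after it has been reduced to a form the attacker cannot shape.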

Five multiple choice questions accompany the application review to check your understanding of the logical issues and how to fix them. 

Total module workload: ~ 4 hours

Module 4: PHProactivity

This module will focus on modern tools and techniques that can help in making tasks learned in previous modules easier and more efficient; additionally, we will explore a number of tools to test automatically and semi-automatically for the issues shown in previous modules. 

In this module you will learn: 

  • Installing/Setting up OWASP SKF 
  • Leveraging OWASP SKF to develop secure PHP applications
  • Automated and semi-automated analysis of PHP applications using tools such as OWASP ZAP (zaproxy, a dynamic scanner) and PHP static analysis tools 
  • Fooling attackers and vulnerability scanners
  • Collecting attacker data and adapting application to it


Students will be given code to analyse with the automated tools provided or taught in the course; they will be expected to fix the code and submit snippets, by page, showing the fix and the OWASP SKF requirement it satisfies.


Total module workload: ~4 hours

Final exam:

The final exam will include multiple choice questions and a practical assessment in which you identify and fix the kinds of issues covered above.

Estimated time: 1.5 hours


If you have any questions, please contact our eLearning Manager Marta at [email protected].



Price: $199.00 (listed at $249.00); includes a course certificate.


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013