With this course, you will learn how to use the basic building blocks of web applications to attack and defend them. Web apps function in complex environments, and their attack surface is huge - both as a hacker and a defender, you need to know what happens under the hood - this is where this course comes in. You will benchmark coding practices against the top 10 threats affecting web applications.
We focus on offensive and defensive approaches to the code that lies beneath the front-end. If you’ve worked in this field for a while, you know that’s where the problems hide; it’s just a matter of finding them and either exploiting or fixing them! Whether they’re working for you (when you’re pentesting) or against you (when you’re defending), understanding exactly how these attacks work is crucial. You will be exposed to various tools and techniques that let you analyze and fix security bugs in the majority of PHP applications.
This course is based on PHP, but the concepts presented are applicable across the board and can be easily translated or directly applied to other frameworks (just in case you find yourself pentesting a web app that’s not based on PHP; those are a minority!).
Who this course is for:
- Security professionals, whatever color hat you’re wearing - if you want to pentest web apps, you need to know the things we talk about in this course. It will let you analyze the applications and underlying code with confidence in tests and reviews, and deepen your expertise.
- Security-minded developers and coders - if you want to learn how attackers target the code, or if you want to see how easy-to-fix mistakes can result in serious vulnerabilities, and are curious how to mitigate against them, this workshop will take you on a steep learning curve to achieve that.
- Project managers in security and commercial software houses - if you want to learn what your project needs in order to stay secure after you deploy it, and if you want to communicate effectively with developers and security experts on your team, this training will give you a well-rounded view of secure coding practices for web applications, as well as a deep understanding of web app attacks and defences.
- Web applications are here to stay. If you’ve never had any structured training that would show you how code can create vulnerabilities, it’s high time to hop on that train.
- More and more companies offer bug bounties for their products, which often include web applications. Learning how code works, how to find, exploit, and fix potential vulnerabilities is a great gateway into that world.
- Knowing how secure coding works and how to fix vulnerable code, and not just exploit it, will put you a few steps ahead of other security professionals.
- Web apps are ever-evolving and changing. This training will bring you up to date and lay out a foundation for you to face any changes that come in the future, as you will have a deep understanding of the logic behind the attacks.
Why this course?
- The course will not only teach you all the skills, but will serve as your private reference and all-in-one resource in the future, with easy to access explanations of most common vulnerabilities with fixes right next to them, bad code examples, fixed code snippets, and a vulnerable web app to play with.
- The materials focus on the why and how - why is this vulnerability present? How does it work? If you’re looking for deeper understanding than the simple “this is how the attack flows” of the most common security issues affecting the biggest number of web apps, look no further.
What skills will you gain?
- How to implement security practices into coding
- How to code securely in PHP
- How to detect vulnerabilities in code
- How to exploit bad code during a pentest
- How to use the OWASP Top 10 list in your testing
- How to fix, mitigate, and prevent known bugs in PHP applications
- How to counter scanners in web app development
What will you learn about?
- What every pentester should know about software development
- What every software developer should know about security
- What vulnerabilities affect web apps most often
- Detailed understanding of the OWASP Top 10 list
- What attacks can be executed on web apps
- What is the logic and flow of these attacks
- Which attacks are determined by bad code
- What protection techniques are there
- What tools you can use to analyze code and defend against attacks on applications
Tools you’ll get familiar with:
- Notepad++ / Visual Studio IDE
- OWASP SKF
- Phar-based static analysis tools
Course general information:
COURSE IS SELF-PACED, AVAILABLE ON DEMAND
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
- Machine with at least 1 GB RAM
- Internet connection
- Python 2.7/3
Topics to brush up on before the course:
Basic knowledge of PHP programming is preferred, as well as basic database knowledge, with a bias towards MariaDB or MySQL.
Munir is a cyber security consultant, researcher, and developer with over 9 years’ experience, based in Nairobi, Kenya. He is passionate about web security, malware analysis, and mobile application security.
He provides holistic information security assessments for customers and holds 2 WASPY awards (Web Application Security People of the Year, 2015) for contributions to the open source security community.
Module 1: Lay of the PHP Land
In this module, we will cover the basic concepts of PHP and get familiar with various features that PHP has to offer:
- What is PHP and some key features
- Threat Landscape and OWASP Top 10
- Secure Software Development Lifecycle (SSDLC)
- ASVS and SAMM as methodologies to implement SSDLC
- Use of these features in PHP Applications
Module 1 Exercises:
- You will have 30 multiple choice questions to gauge your grasp of the theory above; that theory is necessary for the upcoming modules.
- The exercise will test your understanding of concepts in SAMM and ASVS, and of the OWASP Top 10 threats to applications.
Module 2: The validation threat
This module will demonstrate three common coding strategies that PHP applications use for security, and how they cause problems when misapplied. It also delves into actual input injection attacks that succeed when these three strategies are not doing their job well. Additionally, we will show how to identify, exploit and fix bad code in this regard.
- Filtering, validation and output escaping
- Common attacks when filtering, validation, and escaping are missed
- Cross Site Scripting attacks and prevention
- SQL Injection attacks and prevention
- XXE Attacks and Prevention
- Validating serialized data
Exercises will involve a problem to identify and fix at least three SQL injections and XSS instances in code. The expectation will be a submission of code snippets detailing:
- Vulnerable Page
- Vulnerable Code Snippet
- Reason it is vulnerable
- Fix for the code using PHP inbuilt filter, validation and escaping functions
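As an added illustration of the kind of submission the exercise asks for (this is example code written for this page, not course material or the course's vulnerable web app), here are three patterns from a hypothetical PHP search page, each shown in its vulnerable form next to a fix that relies on PHP's built-in `filter_var`, `htmlspecialchars` and `unserialize` options plus PDO prepared statements. The table, column names and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example (not course material): vulnerable vs. fixed versions of three
// input-handling patterns on a hypothetical PHP search page.
declare(strict_types=1);

// --- 1. SQL injection: string-built query vs. validated + prepared statement ---

// Vulnerable: user input is concatenated straight into the SQL text.
function findUserVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $id;   // injectable
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: validate the type first with filter_var, then bind the value as a
// parameter so the database engine never interprets it as SQL.
function findUserFixed(PDO $db, string $id): array
{
    $validId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $validId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Reflected XSS: raw echo vs. context-aware output escaping ------------

// Vulnerable: the search term is reflected into the HTML body unescaped.
function renderSearchVulnerable(string $term): string
{
    return "<p>Results for: " . $term . "</p>";
}

// Fixed: escape for the HTML body context. ENT_QUOTES also makes the result
// safe inside quoted attribute values; the explicit charset avoids encoding
// ambiguities, and ENT_SUBSTITUTE keeps invalid byte sequences from
// truncating the output.
function renderSearchFixed(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// --- 3. Serialized data from the client: unserialize() without restrictions -

// Vulnerable: any class in the codebase can be instantiated from the cookie
// (PHP object injection).
function loadPrefsVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Fixed: forbid object instantiation entirely and accept only an array.
// For genuinely untrusted data, JSON is the better wire format.
function loadPrefsFixed(string $cookie): array
{
    $prefs = unserialize($cookie, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// --- Demonstration on an in-memory SQLite database (constructed sample data) ---

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

$hostile = '1 OR 1=1';   // constructed input that is not a valid integer id

// The vulnerable query returns every row; the fixed one rejects the input.
printf("vulnerable query returned %d rows\n", count(findUserVulnerable($db, $hostile)));
printf("fixed query for id 1 returned %d row(s)\n", count(findUserFixed($db, '1')));
try {
    findUserFixed($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "fixed query rejected input: {$e->getMessage()}\n";
}

// Tags in the term are rendered as text, not markup.
echo renderSearchFixed('<b>term</b>'), "\n";

// A serialized object is not turned into a live object and is discarded.
var_dump(loadPrefsFixed('O:8:"stdClass":0:{}'));
```

Run it with `php example.php` on PHP 8 with the pdo_sqlite extension. The order inside each fix mirrors the module's three strategies: validate the input's type and range first, use a query interface that separates data from code, and escape at the point of output for the context you are writing into.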
Module 3: The code execution threat
This module will cover another aspect of PHP security that not only leads to compromise of the application, but can extend to more serious attacks on the underlying OS through code execution. Additionally, it will cover threats to the application's access control and authorization logic.
- What is code execution
- Information disclosure to code execution
- Improper Access Controls and prevention
- Insufficient Authorization and prevention
- File upload handling
- Command Injection and Prevention
The exercise will involve a problem to identify and fix at least two code injection instances in code. The expectation will be a submission of code snippets detailing:
- Vulnerable Page
- Vulnerable Code Snippet
- Reason it is vulnerable
- Fix for the code to prevent the attack
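As an added example for this module (written for this page, not course material), the following shows two of the module's topics, command injection and file upload handling, each as a vulnerable snippet beside its fix. The `ping` call, the upload directory and the size limit are assumptions made for the illustration.

```php
<?php
// Added example (not course material): command injection and file upload
// handling on a hypothetical PHP admin page, vulnerable vs. fixed.
declare(strict_types=1);

// --- 1. Command injection ------------------------------------------------------

// Vulnerable: the user-supplied hostname is pasted into a shell command line,
// so shell metacharacters in it are interpreted by the shell.
function pingVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Allowlist check: hostnames consist of letters, digits, dots and hyphens only.
function isValidHostname(string $host): bool
{
    return preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) === 1;
}

// Fixed: validate against the allowlist first, then quote the argument with
// escapeshellarg so the shell treats it as one literal word regardless of content.
function pingFixed(string $host): string
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// --- 2. File upload handling ---------------------------------------------------

// Vulnerable: trusts the client-supplied file name and stores the file under
// the web root, where an uploaded .php file becomes executable by the server.
function saveUploadVulnerable(array $file, string $webRoot): string
{
    $dest = $webRoot . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Fixed: check the upload status and size, detect the MIME type server-side
// and compare it with an allowlist, choose the stored name ourselves, and
// keep the file outside the web root (assumed 2 MiB limit, assumed directory).
function saveUploadFixed(array $file, string $storageDir): string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('upload failed or too large');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('file type not allowed');
    }
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// --- Demonstration of the validation steps (no command is executed here) ------
var_dump(isValidHostname('example.com'));
var_dump(isValidHostname('host;other'));     // constructed input containing a shell metacharacter
echo escapeshellarg('host;other'), "\n";     // shows how the fixed path would quote it
```

The upload functions need a real request context because `move_uploaded_file` only accepts files PHP itself received, so only the hostname validation is exercised at the bottom. Serving stored uploads back through a script that sets the `Content-Type` explicitly, rather than from a directory the web server executes, is the second half of the upload fix.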
Five multiple choice questions will accompany the application review to give a proper view and understanding of the logical issues and how to fix them.
Module 4: PHProactivity
This module will focus on modern tools and techniques that can help in making tasks learned in previous modules easier and more efficient; additionally, we will explore a number of tools to test automatically and semi-automatically for the issues shown in previous modules.
- Installing/Setting up OWASP SKF
- Leveraging OWASP SKF to develop secure PHP applications
- Automated and semi-automated analysis of PHP applications using tools like zaproxy and PHP static analysis tools
- Fooling attackers and vulnerability scanners
- Collecting attacker data and adapting application to it
Students will be given code to analyse with the automated tools provided or taught in the course; they will be expected to fix the code and submit snippets, by page, with the expected fix based on OWASP SKF guidance.
The final exam will include multiple choice questions and a practical assessment to identify and fix the issues covered above.
Estimated time: 1.5 hours
If you have any questions, please contact our eLearning Manager Marta at [email protected].