Web Apps Attack and Defense: Secure Coding (W49)

Who this course is for: 

• Security professionals, whatever color hat you’re wearing - if you want to pentest web apps, you need to know the things we talk about in this course. It will let you analyze the applications and underlying code with confidence in tests and reviews, and deepen your expertise.
• Security-minded developers and coders - if you want to learn how attackers target the code, or if you want to see how easy-to-fix mistakes can result in serious vulnerabilities, and are curious how to mitigate against them, this workshop will take you on a steep learning curve to achieve that. 
• Project managers in security and commercial software houses - if you want to learn what your project needs in order to stay secure after you deploy it, and if you want to communicate effectively with developers and security experts on your team, this training will give you a well-rounded view of secure coding practices for web applications, as well as a deep understanding of web app attacks and defences. 

Why now?

• Web applications are here to stay. If you’ve never had any structured training that would show you how code can create vulnerabilities, it’s high time to hop on that train. 
• More and more companies offer bug bounties for their products, which often include web applications. Learning how code works, how to find, exploit, and fix potential vulnerabilities is a great gateway into that world. 
• Knowing how secure coding works and how to fix vulnerable code, and not just exploit it, will put you a few steps ahead of other security professionals. 
• Web apps are ever-evolving and changing. This training will bring you up to date and lay out a foundation for you to face any changes that come in the future, as you will have a deep understanding of the logic behind the attacks.

Why this course? 

• The course will not only teach you all the skills, but will serve as your private reference and all-in-one resource in the future, with easy to access explanations of most common vulnerabilities with fixes right next to them, bad code examples, fixed code snippets, and a vulnerable web app to play with. 
• The materials focus on the why and how - why is this vulnerability present? How does it work? If you’re looking for deeper understanding than the simple “this is how the attack flows” of the most common security issues affecting the biggest number of web apps, look no further.

What skills will you gain? 

• How to implement security practices into coding
• How to code securely in PHP
• How to detect vulnerabilities in code
• How to exploit bad code during a pentest 
• How to use the OWASP Top 10 list in your testing
• How to fix, mitigate, and prevent known bugs in PHP applications
• How to counter scanners in web app development

What will you learn about? 

• What every pentester should know about software development
• What every software developer should know about security
• What vulnerabilities affect web apps most often
• Detailed understanding of the OWASP Top 10 list
• What attacks can be executed on web apps
• What is the logic and flow of these attacks
• Which attacks are determined by bad code
• What protection techniques are there
• What tools you can use to analyze code and defend against attacks on applications

Tools you’ll get familiar with: 

• Github
• Notepad++ / Visual studio IDE
• OWASP SKF
• Phar-based static analysis tools 
• XAMPP/WAMPP/LAMPP

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

Course format: 

• Self-paced
• Pre-recorded
• Accessible even after you finish the course
• No preset deadlines
• Materials are video, labs, and text
• All videos captioned

What to bring with you;

• Machine with at least 1 GB RAM
• Internet connection
• Python 2.7/3
• XAMPP/WAMPP/LAMPP

Topics to brush up on before the course:

Basic knowledge of PHP programming is preferred as well as basic database knowledge with bias to MariaDB or MySQL.

In this module you will learn: 

• What is PHP and some key features
• Threat Landscape and OWASP Top 10
• Secure Software Development Lifecycle (SSDLC)
• ASVS and SAMM as methodologies to implement SSDLC
• Use of these features in PHP Applications

Module 1 Exercises:

• You will have 30 Multiple choice questions to gauge the part of theory above; the theory is necessary for the upcoming modules. 
• The exercise will test your understanding of concepts in SAMM, ASVS and an understanding of the OWASP top 10 threats to applications. 

Total module workload: ~ 4 hours

In this module you will learn about: 

• Filtering, validation and output escaping 
• Common attacks when filtering, validation, and escaping are missed
• Cross Site Scripting  attacks and prevention
• SQL Injection attacks and prevention
• XXE Attacks and Prevention
• Validating serialized data

Exercises: 

Exercises will involve a problem to identify and fix at least three SQL injections and XSS instances in code. The expectation will be a submission of code snippets detailing: 

• Vulnerable Page
• Vulnerable Code Snippet 
• Reason it is vulnerable 
• Fix for the code using PHP inbuilt filter, validation and escaping functions 

Total module workload: ~4.5 hours

In this module you will learn: 

• What is code execution
• Information disclosure to code execution
• Improper Access Controls and prevention
• Insufficient Authorization and prevention
• File upload handling 
• Command Injection and Prevention

Exercises:

Exercise will involve a problem to identify and fix at least two code injection instances in code. The expectation will be a submission of code snippets detailing: 

• Vulnerable Page
• Vulnerable Code Snippet 
• Reason it is vulnerable 
• Fix for the code to prevent the attack

Five multiple choice questions will accompany the application review to give proper view and understanding of the logical issues and how to fix them. 

Total module workload: ~ 4 hours

In this module you will learn: 

• Installing/Setting up OWASP SKF 
• Leveraging on OWASP SKF to develop secure PHP applications
• Automated and Semi-automated static analysis of PHP applications using tools like zaproxy, and PHP static analysis tools 
• Fooling attackers and vulnerability scanners
• Collecting attacker data and adapting application to it

Exercises:

Students will be given code to analyse with automated tools given or taught in the course; they will be expected to fix the code and provide snippets by page and expectation of fix using OWASP SKF.

Workload: 

Total module workload: ~4 hours