AppSec Europe 2016 has ended
Back To Schedule
Monday, June 27 • 09:00 - 17:00
Day 1/3 - OWASP Top 10: Exploitation and Effective Safeguards

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Video presentation of this training

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

We will conclude the class with a Capture the Flag (CTF) event, where participants will be able to apply the techniques they have learned in a fun and friendly environment.

The course will cover the following topics:
  1. OWASP Top 10 web application vulnerabilities:
    A1 - Injection Attacks (Command Injection and SQL Injection)
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Known Vulnerable Components
    A10- Unvalidated Redirects and Forwards
  2. SSL Certificates
  3. Password Management
  4. OWASP Application Security Verification Standard (ASVS)
  5. Securing AJAX and Web Services (REST and SOAP)
  6. Web Application Firewalls (WAF)
  7. Using a Vulnerability Scanner
  8. Effective Code Review Techniques
  9. OWASP Enterprise Security API (ESAPI)
  10. Secure Coding Best Practices
  11. Effective Security Safeguards

Demos from the instructor
  1. SQL Injection
  2. Cross-Site Scripting
  3. Insecure Direct Object References
  4. Sensitive Data Exposure
  5. Cross-Site Request Forgery
  6. Blind SQL Injection
  7. Remote File Injection
  8. Using Known Vulnerable Components
  9. Unvalidated Redirects and Forwards

Hands-on exercises
  1. Session Initialization and Client-Side Validation
  2. Sniffing Encrypted Traffic
  3. Online Password Guessing Attack
  4. Account Harvesting
  5. Command Injection Attacks
  6. Using a Web Application Vulnerability Scanner
  7. Create Self-Signed SSL certificates (Root CA and Server certificates)
  8. Capture the Flag (CTF) - A longer exercise at the end of the last day where participants try to find hidden vulnerabilities by themselves using techniques they have learned in the class.  
Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Participants Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space along with either VMWare Workstation Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox (free) pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.

avatar for David Caissy

David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other... Read More →

Monday June 27, 2016 09:00 - 17:00 CEST
Bramante 05