Trainer Name: Dr.-Ing. Mario Heiderich

Title: Web- & Browser-Security Roundhouse-Kick

Duration: 3 Days

Dates: Sept. 6, 2022 To Sept. 8, 2022

Sold Out

Training Objectives

This 3-day training session, derived from the mighty 7-day coursework at Ruhr-University in Bochum, aims to teach attendees about the most relevant parts of modern web security, from server-side layers all the way up to the browser and the DOM.

Starting at HTTP and the very basics, looking at HTTP Request Smuggling, understanding Cookies, simple and then more advanced injection techniques, and more, the trainer will guide the attendees through a journey covering all that is relevant in the realm of web penetration-testing, securing applications and spotting issues that others might just overlook.

Training level: Basic; Intermediate; Advanced

Training outline

Three days are not a long time for a complex and broad topic like this one, and how many topics can be covered depends on many factors.

We'll have the following items on our web security tasting menu and hope to look into as many as possible:

Chapter 1: History & Basics

  • The History of Web Security and Web Attacks
  • The History of Browsers
  • HTML, JavaScript, CSS

Chapter 2: HTTP, Server, SQLi

  • Attacks using HTTP and SSL/TLS
  • SQL Injections
  • Uploads
  • SSRF, XXE & XEE

Chapter 3: Cookies, Sessions, XSS

  • Cookies & Sessions
  • Same Origin Policy
  • Authentication & Authorization
  • The Basics of Cross-Site Scripting

Chapter 4: Advanced XSS

  • Advanced XSS
  • mXSS and DOM Mutations

Chapter 5: Browsers & Beyond

  • The DOM
  • DOM Clobbering & DOM XSS
  • postMessage XSS

What to Bring?

A working laptop would really be helpful, ideally with software such as Burp or Fiddler preinstalled. The course can be enjoyed without, but it would be sad to miss out on the hands-on exercises.

Training prerequisites:

HTML, CSS, JavaScript as well as HTTP should ring a bell. No expertise is required, but a basic level of understanding is helpful for sure.

Who Should Attend?

Penetration-Testers, Developers, SecDevOps, and everyone who aims to work hands-on in Web- and Browser-Security.

What to Expect?

A trainer who is certainly top-notch marriage material (his own words) but sadly no longer on the market. In addition, practical and useful knowledge from someone who has conducted and managed hundreds of pen tests in the past years.

What Will Attendees Get?

All slides and helpful material. Access to those via GitHub, including a ticket-tracker for questions after the training. Hands-on exercises via PortSwigger's legendary Web Security Academy.

What not to Expect?

The course will be derived from a University lecture, so expect a ratio of 80% lectures and 20% hands-on. Don't expect knowledge about 0-days or secret intel; this course is about learning, understanding, and applying the gained knowledge reasonably.

About the Trainer

Great looks, athletic posture, melodic voice, latest-trend fashion, and a tiny bit of knowledge about web security and penetration testing.