Trainer Name: Riddhi Shree

Title: Web Application Security - Build, Break, and Learn

Duration: 3 Days

Dates: Sept. 25, 2023 To Sept. 27, 2023

Training Objectives

This 3-day hands-on web security training will cover the fundamentals of web security, including common web security vulnerabilities such as SQL injection, cross-site scripting, CSRF, and more. Participants will learn how to set up a virtual lab environment to simulate web vulnerabilities and practice exploiting them. The training will also cover web application vulnerability scanning techniques and topics such as authentication and authorization, session management, and secure coding practices. Additionally, the training will cover supply chain attacks and their impact on web security. Throughout the training, there will be case studies and examples of real-world web security breaches to illustrate the importance of web security and the impact of vulnerabilities. The lab exercises will provide hands-on experience with identifying and exploiting vulnerabilities, as well as implementing best practices to prevent them.


Training level: Basic; Intermediate


Training Outlines

Day 1: Introduction to Web Security

  • Introduction to web security and common web vulnerabilities
  • Understanding the HTTP protocol and web server architecture
  • Hands-on:
      • SQL Injection (SQLi)
      • Cross-Site Scripting (XSS)
      • Cross-Site Request Forgery (CSRF)
      • Broken Authentication and Session Management
      • Security Misconfiguration
      • Insecure Cryptographic Storage
      • Insufficient Transport Layer Protection
      • Unvalidated Redirects and Forwards
      • File Inclusion Vulnerabilities (LFI and RFI)
      • Insecure Direct Object References
      • Authentication Bypass
      • Remote Code Execution (RCE)
      • Path Traversal
      • Insecure Deserialization
      • Business Logic Vulnerabilities
      • XML External Entity (XXE)
      • Server-Side Request Forgery (SSRF)
      • Server-Side Template Injection (SSTI)
  • Case study 1: Target's 2013 data breach, which began with stolen third-party vendor credentials and ended with memory-scraping malware on point-of-sale systems
  • Q&A
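
The SQLi and authentication-bypass items above are the core of the Day 1 lab. The following is an added example, not part of the course materials: a login check written two ways against an in-memory SQLite table, first with string concatenation (the way the vulnerable lab targets are built) and then with a parameterized query. The user records and the `' OR '1'='1` payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample records for the demonstration. Passwords are stored in
# plaintext only so the injection is easy to read; a real application must
# store a salted password hash (see "Insecure Cryptographic Storage").
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so the input is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Binds user input as parameters, so it is only ever treated as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic tautology payload: turns the WHERE clause into
#   (username = 'nobody' AND password = '') OR '1'='1'
# which matches every row, so the first user in the table is "logged in".
BYPASS_PASSWORD = "' OR '1'='1"


def demo():
    """Run both implementations against the same payload and report the outcome."""
    conn = make_db()
    return {
        # Attacker does not even need a valid username.
        "vuln_bypass": login_vulnerable(conn, "nobody", BYPASS_PASSWORD),
        # Same payload against the parameterized query finds no such row.
        "fixed_bypass": login_fixed(conn, "nobody", BYPASS_PASSWORD),
        # Legitimate credentials still work with the fixed version.
        "fixed_legit": login_fixed(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Run it and compare the three results: the concatenated query returns a user for an account that does not exist, while the parameterized query returns nothing for the payload and still authenticates a real user. The fix is the query shape, not input filtering; escaping quotes by hand is the mistake the parameterized API exists to prevent.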

Day 2: Web Application Vulnerability Scanning

  • Introduction to vulnerability scanning
  • Burp Suite, OWASP ZAP, Nessus, and OpenVAS
  • Hands-on: Running a vulnerability scan using OpenVAS and analyzing scan results
  • Understanding client-side vulnerabilities through examples
      • DOM-Based XSS
      • XSS via data stored in localStorage
      • Cross-Origin Resource Sharing (CORS) Misconfiguration
      • Clickjacking
  • Discussion on OWASP API Security Top 10 (2023)
      • API1: Broken Object Level Authorization
      • API2: Broken Authentication
      • API3: Broken Object Property Level Authorization
      • API4: Unrestricted Resource Consumption
      • API5: Broken Function Level Authorization
      • API6: Unrestricted Access to Sensitive Business Flows
      • API7: Server Side Request Forgery
      • API8: Security Misconfiguration
      • API9: Improper Inventory Management
      • API10: Unsafe Consumption of APIs
  • Case study 2: Equifax 2017 data breach due to an unpatched Apache Struts vulnerability (CVE-2017-5638)
  • Q&A

Day 3: Threat Modeling & Supply Chain Attacks

  • Introduction to Threat Modeling
  • Understanding the Web Application Architecture
      • Front-end, Back-end, and Database components
      • Data flow and access control
  • Identifying Threats and Vulnerabilities in Web Applications
      • Threat identification techniques
      • Hands-on: Threat modeling using Microsoft Threat Modeling Tool (MTMT)
  • Introduction to supply chain attacks
  • A brief introduction to Software Composition Analysis (SCA) tools (e.g., OWASP Dependency-Check, Snyk, WhiteSource (now Mend), Black Duck, and Sonatype Nexus)
  • Hands-on: Use SCA tools to identify vulnerable components in the software supply chain
      • Scan a project using an SCA tool and interpret the results
      • Create a Software Bill of Materials (SBOM) in a standard format (CycloneDX, SPDX, or SWID tags) to track the components used in the software project
      • Use the SBOM to identify vulnerable components in the supply chain and confirm the security vulnerabilities they introduce
  • Mitigating supply chain risks
  • Case study 3: SolarWinds attack (trojanized Orion build)
  • Case study 4: NotPetya malware attack (spread via a compromised M.E.Doc software update)
  • Best practices for implementing web security in real-world scenarios
      • Secure coding practices
      • Input validation and sanitization
      • Authentication and Access Control
      • Session management
      • Encryption and Cryptography
      • Secure communication protocols (HTTPS)
      • Implementation of Content Security Policy (CSP)
  • Recap and Q&A
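
The SBOM steps in the hands-on above (generate an SBOM, then use it to find vulnerable components) are, at their core, a cross-reference between a component inventory and an advisory feed. The following is an added example, not part of the course materials or of any SCA tool: it parses a small CycloneDX-style JSON SBOM and checks each component against an advisory list expressed as introduced/fixed version ranges, the way OSV-format advisories express them. The SBOM fragment, the component names (`acme-*`) and the advisory IDs (`ADV-EXAMPLE-*`) are all constructed for the demonstration.

```python
import json

# Constructed CycloneDX-style SBOM fragment with hypothetical components.
# A real SBOM from cyclonedx-cli, syft or similar has the same top-level shape.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http-parser", "version": "2.3.1",
     "purl": "pkg:pypi/acme-http-parser@2.3.1"},
    {"type": "library", "name": "acme-template", "version": "1.9.0",
     "purl": "pkg:pypi/acme-template@1.9.0"},
    {"type": "library", "name": "acme-json", "version": "4.0.2",
     "purl": "pkg:pypi/acme-json@4.0.2"}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs. "fixed": None means no
# fixed release exists yet, so every version from "introduced" on is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "acme-http-parser",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "acme-template",
     "introduced": "1.0.0", "fixed": "1.8.5"},
    {"id": "ADV-EXAMPLE-0003", "package": "acme-json",
     "introduced": "4.0.0", "fixed": None},
]


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically.

    Plain string comparison gets this wrong: '10.0.0' < '9.0.0' as text.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (open-ended if there is no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_text):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def find_vulnerable(sbom_text, advisories):
    """Cross-reference every SBOM component against the advisory list.

    Returns a list of (name, version, advisory id, fixed version) tuples;
    fixed version is None when no patched release exists.
    """
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_vulnerable(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fix available, mitigate"
        print(f"{name} {version}: {adv_id} ({action})")
```

Two points the lab should drive home are visible here. First, `acme-template 1.9.0` is listed in an advisory but is not reported, because version range matching, not name matching, decides exposure; tools that only match names produce the false positives that make SCA output get ignored. Second, the component with no fixed release is still a finding, and the SBOM is what lets you answer "where do we ship this?" the day such an advisory lands, which is the reason to generate one before you need it.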

What to Bring?

  • A laptop with a minimum of 4GB of RAM (8GB or more is recommended)
  • A dual-core processor or better
  • A stable Internet connection
  • Pendrive (For your convenience, in case the network is slow and software needs to be distributed)

Training Prerequisite

Please install the following software on your laptop in advance. This lets you check that your laptop supports the listed software before the training starts.

  • A web browser (Google Chrome or Mozilla Firefox)
  • VirtualBox
  • Docker (container runtime)
  • The free Community Edition of Burp Suite
  • Robot Framework

Who Should Attend?

Anyone with an interest in information security who is not averse to Docker or Robot Framework can choose to attend the session.


What to Expect?

Expect that some amount of time will be spent on understanding the minimum required basics for Docker, Robot Framework, and other tools (e.g., intercepting proxy). All of this knowledge will help you in setting up your own lab and understanding the nature of various security vulnerabilities.


What attendees will get

You will receive a well-documented instruction manual that will cover details of the training contents.


What not to expect?

Do not expect the trainer to resolve Internet issues or laptop configuration issues. Please do NOT bring very old laptops that do not support the latest technologies/software.


About the Trainer

Riddhi Shree is an information security enthusiast, currently working as technical lead for the product security team at Qualcomm. She has professional experience in software testing, web app pen testing, and Android and iOS app pen testing. Other than information security, she also has experience in web and mobile app development. She has created a cloud-based vulnerable Android app, called VyAPI, that demonstrates the OWASP Mobile Top 10 vulnerabilities. In the past, she led community activities for open security communities like the null Bangalore chapter and Winja. Having an interest in capture-the-flag events, she has organized and led a team of passionate volunteers for several Winja CTF events, both online and offline. She has given talks and training at various security conferences, including BSides (Delhi), c0c0n (Kochi), Nullcon (Goa), ISC2 (Bangalore), HITB (Abu Dhabi), Wicked6, and Texas Cyber Summit.