The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain, or attack your user base.
This course helps you to develop a security-oriented mindset. It explores the way the web works, so that you can understand how various vulnerabilities arise. With those foundations laid, it then covers a range of common and less common vulnerabilities, how an attack based on each of them would be constructed, and how you can recognize and defend against them.
Audience:
This course is aimed at web developers.
Prerequisites:
You should have basic web development experience.
Day 1:
Introduction
  The reality
  What might an attacker want?
  Social engineering
HTTPS
  Man-in-the-middle attacks
  Certificates
  Certificate pinning
  Securing cookies
  HTTP Strict Transport Security header
Encoding
  Character encoding
  Unicode
  Encoding
Cross-Site Scripting (XSS)
  Stored XSS
  Reflected XSS
  DOM-based XSS
  XSS prevention
Content Security Policy (CSP)
  Headers and directives
  CSP reporting
Cross-Site Request Forgery (CSRF)
  CSRF prevention
  Synchronizer token pattern
  Double-submit cookies
Injections
  SQL injection
  File path injection
Authentication & Authorisation
  OAuth
  OpenID Connect
  Signed requests
  Form-based authentication
  Securing the session
Day 2:
Denial-of-Service (DoS) attacks
  Network attacks
  Application-level attacks
  Regular expression attacks
  XML DoS attacks
  Decompression bombs
Password management
  Secure password storage
  Hashing
  Salt and pepper
Information leakage
  Error handling
  Source control leaks
  SQL timing attacks
  Login timing attacks
  Response header leakage
  Search engine leakage
  Server leaks
Logging & monitoring
  Logging
  Monitoring
  Knowing when the site is under attack
  Honeypots
Attacking our site
  How can we start hacking ourselves?
  Hacking tools
  Penetration testing
  Hack yourself