Ref.: SSI_Tr1
Summary
This course will allow you to identify, understand and solve the security problems commonly found in web applications. The practical exercises put you in the position of both the attacker and the target, so that you better understand the attack vectors and how to protect your applications.
Target audience
- Developers
- Webmasters
- Web project managers
- Architects
- Consultants
Prerequisites
- Command of the basics of web development
- Basic knowledge of TCP/IP networks and the Internet
Aims
- Understand the threats that target a web application
- Understand and apply the strategies used to compromise a web application
- Ensure the security of web applications
- Understand and address design issues
- Understand and address implementation issues
- Injection flaws: SQLi, XSS, etc.
- Design flaws: CSRF, authentication, etc.
- Cryptography, storage, sessions, etc.
Content
Introduction
- Background and figures
- Security concepts
- Terminology
Injection
- Definition
- Examples of attack scenarios
- Prevention
- Practical work
Broken authentication and session management
- Definition
- Advice and good practice
Cross-Site Scripting (XSS)
- Definition and types of XSS
- Examples of attack scenarios
- Prevention
- Practical exercises
Insecure direct object references
- Definition
- Tips and good practice
- Practical work
Security misconfiguration
- Examples of attacks
- Prevention
Exposure of sensitive data
- Risks
- Cryptography
- Storage of passwords and other data
- Practical work
Missing function-level access control
- Risks
- Prevention
Cross-site request forgery (CSRF)
- Definition
- Risks
- Prevention
- Practical work
Use of components with known vulnerabilities
- Risks
- Prevention
Unvalidated redirects and forwards
- Risks
- Prevention
- Practical work
Training environment
- Printed course material will be provided to each trainee.
- A training room with a video projector, a whiteboard and one PC per trainee.
- A VirtualBox virtual machine will also be installed on the training machines in order to carry out the practical exercises.
Duration
2 days (the content can be adapted to the technological context and to the trainees' level of knowledge).
- The training can be delivered either face-to-face or remotely.
- The training can take place on an inter-company or intra-company basis.
More information?
Please contact us on +33 6 70 16 46 35 or by email at formation@ablogix.fr for a quote.
The training activity of ABlogiX is "registered under number 52 72 01527 72. This registration is not equivalent to State approval", in accordance with Article L6322-48.
