13 October 2017

SSi_Tr1 – Web Application Security

Ref.: SSI_Tr1

Summary

This course will allow you to identify, understand and fix the security problems commonly found in web applications. The practical work puts you in the position of both the attacker and the target, so that you better understand the attack vectors and how to protect your applications.

Target audience

  • Developers
  • Webmasters
  • Web project managers
  • Architects
  • Consultants

Pre-requisites

  • Master the basics of web development
  • Basic knowledge of TCP/IP networks and the Internet

Aims

  • Understand the threats that target a web application
  • Understand and apply the strategies used to compromise a web application
  • Ensure the security of web applications
  • Understand and address design issues
  • Understand and address implementation issues
  • Injection flaws: SQLi/XSS…
  • Design flaws, CSRF, Auth…
  • Cryptography, storage, sessions…

Content

Introduction

  • Background and figures
  • Security concepts
  • Terminology

Injection

  • Definition
  • Examples of attack scenarios
  • Prevention
  • Practical work

Broken authentication and session management

  • Definition
  • Advice and good practice

Cross-Site Scripting (XSS)

  • Definition and types of XSS
  • Examples of attack scenarios
  • Prevention
  • Practical exercises

Insecure direct object references

  • Definition
  • Tips and good practice
  • Practical work

Security misconfiguration

  • Examples of attacks
  • Prevention

Exposure of sensitive data

  • Risks
  • Cryptography
  • Storage of passwords and other data
  • Practical work

Missing function-level access control

  • Risks
  • Prevention

Cross-site request forgery (CSRF)

  • Definition
  • Risks
  • Prevention
  • Practical work

Use of components with known vulnerabilities

  • Risks
  • Prevention

Unvalidated redirects and forwards

  • Risks
  • Prevention
  • Practical work

Training environment

  • Each trainee receives a printed training handout.
  • A training room with a video projector, a whiteboard and one PC per trainee.
  • A VirtualBox virtual machine is also installed on the training machines for the practical exercises.

Duration

2 days (the content can be adapted to the technological context and to the trainees' level of knowledge).

  • The training can be delivered either face-to-face or remotely
  • The training can take place on an inter-company or intra-company basis

More information?

For a quote, please contact us on +33 6 70 16 46 35 or by email at formation@ablogix.fr.

The training activity of ABlogiX is "registered under number 52 72 01527 72. This registration is not equivalent to State approval", in accordance with Article L6322-48.