Web application security - Course overview
2 likes3,769 views
This document provides an overview of a web application security course. The course covers topics such as HTTP and HTTPS protocols, encoding techniques, profiling applications, attacking authentication and authorization, cryptography weaknesses, session management, cross-site scripting, SQL injection, cross-site request forgery, URL redirection attacks, input validation, server configuration issues, attacking the web server, OWASP Top 10 risks, security scanners, risk assessment, and pentest reports. The course aims to teach students how to identify vulnerabilities in web applications and secure them.
Web application security - Course overview
- 1. Web Application Security Course Overview Satish.B Email: [email protected]
- 2. Course Content History of web application Introduction to web application architecture Uniform Resource Locator (URL) HTTP Introduction HTTP Methods WEBDAV methods Request/Response analysis Security problems with http HTTPS Handshake protocol Record protocol Proxy Man in the middle attack Tools: Burp proxy, Paros proxy, web scarab Encoding Techniques URL Encoding HTML Encoding Unicode Encoding Tools: Burp decoder Profiling Application Spiders, crawlers Search engine discovery Banner Grabbing Robots.txt Analysis of error codes Tools: HttpPrint, netcraft Attacking Authentication Authentication Types Brute force attacks Analyzing Auto complete options Insecure credential transmission Session puzzle attacks Authentication bypass techniques Shoulder surfing 2 http://www.securitylearn.net
- 3. CAPTCHA Rebinding attacks Countermeasures Tools: Bruter, Burp Repeater, Burp Intruder Attacking Authorization Authorization types Parameter tampering Horizontal privilege escalation Vertical privilege escalation Referrer spoofing Cryptography weakness Symmetric cryptography Asymmetric cryptography Substitution cipher Stream cipher Block cipher Steganography SSL cipher testing Cracking hashes Padding oracle attack Cracking ECB encryption Tools: SSLDigger, MD5 crack Attacking Session management Introduction Secure flag HTTPOnly flag Cookie Domain & Path Session Token analysis Session fixation Cookie transmission mechanisms Tools: Burp sequencer Timeout issues Cross site scripting attacks Same origin policy Reflective XSS Stored XSS DOM based XSS Anatomy of XSS Exploitation Impact of XSS XSS Shell 3 http://www.securitylearn.net
- 4. XSS & Metasploit Black list/White list Input validation Output encoding Remediation Tools: Beef SQL injection Error based SQLi Blind SQLi SQLi exploitation Data extraction with UNION queries Data extraction with inference techniques Command execution with SQLi Impact of SQLi Remediation Stored procedures Vs Parameterized queries Tools: SQLMap, Absinthe Cross site request forgery Anatomy of CSRF Remediation CAPTCHA Rebinding attack Tool: CSRFTester URL Redirection attacks Phishing attacks Remediation HTTP Response splitting Cache positioning Command execution Input validation attacks File Uploads Path traversal attacks Local file inclusions Remote file inclusions Command Execution Remediation Techniques Server Configuration issues WEBDAV methods Caching vulnerabilities Directory listing 4 http://www.securitylearn.net
- 5. Attacking Web Server Denial of service attacks Buffer over flows Remediation OWASP Top10 web application risks Scanners Usage of tools Pros, Cons & Problems with scanners IBM- AppScan HP- WebInspect Risk Assessment OWASP Risk Rating methodology Pentest Reports Executive reports Detailed reports Web Application Security Checklist Contact Satish B Email: [email protected] [email protected] 5 http://www.securitylearn.net