Web App Security - Build, Break & Learn

Trainer Name: Riddhi Shree
Title: Web App Security - Build, Break & Learn
Duration: 4 Days
Dates: 22^nd - 25^th March 2021
Time: 2:00 PM to 6:00 PM IST
Delivery Mode: via Zoom.us and Discord Platform

Overview

If you are a security enthusiast who learns well through hands-on experience, you will find this training useful. In this four days of guided training, you will receive training materials that will help you in setting up your own local lab environment for trying out various attack scenarios. The primary focus of this training would be on understanding the web vulnerabilities that are listed below.

Course Structure

Day 1 (4 Hrs.)

• Lab Setup
• Injection
  • SQL Injection
    • First Order Attacks
    • Second Order Attacks
  • OS Command Injection
  • Template Injection
  • CRLF Injection
• Cross-Site Scripting (XSS)
  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
• A discussion around secure coding practices w.r.t. discussed issues

Day 2 (4 Hrs.)

• XML External Entities (XXE)
  • File Inclusion via XXE
  • Server-Side Request Forgery (SSRF) via XXE
  • Remote Code Execution (RCE) via XXE
  • Blind XXE
• Broken Authentication & Authorization
  • JWT Validation Bypass Techniques
  • OAuth 2.0 Authentication Vulnerabilities
  • Cross-Site Request Forgery (CSRF)
  • Insecure Direct Object Reference (IDOR)
  • Parameter Tampering
• A discussion around secure coding practices w.r.t. discussed issues

Day 3 (4 Hrs.)

• Insecure Deserialization
• Sensitive Data Exposure
  • Missing/Broken Cryptography
  • Hardcoded Secrets in JavaScript Files
  • Verbose Error Messages
  • Verbose Server Responses
• A discussion around secure coding practices w.r.t. discussed issues

Day 4 (4 Hrs.)

• Security Misconfigurations
  • Missing Security Headers
  • Missing Rate Limiting
  • Weak Password Policy
  • Use of Default Credentials
  • Missing Server Side Validations
• Recap & Doubt Clarification
• CTF

Target Audience

• Anyone interested, including beginners
• Should be comfortable running basic Linux commands

Software Pre-requisites & Preferences

• Linux Operating System / Linux Virtual Machine
• Flutter - https://flutter.dev/docs/get-started/install
• Chalice - https://aws.github.io/chalice/quickstart
• Google Chrome Browser
• Python3
• [Visual Studio Code] (https://flutter.dev/docs/development/tools/vs-code) or any other text editor
• [Burp Suite Community Edition] (https://portswigger.net/burp/communitydownload)
• [Docker] (https://docs.docker.com/engine/install/ubuntu/)
• Root access on your laptop

Expectations

• We are going to run a Flutter based web application locally on individual machines.
• We are also going to create and deploy REST APIs locally, using Chalice.
• All demos would involve a Linux operating system

About Trainer

Riddhi Shree is an information security enthusiast with professional experience in software testing, Web app pentesting, Android and iOS app pentesting. She also has experience in Web and mobile app development. She has created a cloud-based vulnerable Android app, called VyAPI, that demonstrates OWASP Mobile top 10 vulnerabilities. She has been chapter leader for null Bangalore chapter until recent past. Currently, she leads the community activities for Winja community. She has presented her work through talks and trainings at various security conferences, including BSides (Delhi), c0c0n (Kochi), Nullcon (Goa), ISC2 (Bangalore), HITB (Abu Dhabi).