Goa-2021 Training: Web App Security - Build, Break & Learn
Trainer Name: Riddhi Shree
Title: Web App Security - Build, Break & Learn
Duration: 4 Days
Dates: 22nd - 25th March 2021
Time: 2:00 PM to 6:00 PM IST
Delivery Mode: via Zoom.us and Discord Platform
Overview
If you are a security enthusiast who learns well through hands-on experience, you will find this training useful. Over these four days of guided training, you will receive training materials that help you set up your own local lab environment for trying out the attack scenarios covered. The primary focus of the training is understanding the web vulnerabilities listed below.
Course Structure
Day 1 (4 Hrs.)
- Lab Setup
- Injection
  - SQL Injection
    - First Order Attacks
    - Second Order Attacks
  - OS Command Injection
  - Template Injection
  - CRLF Injection
- Cross-Site Scripting (XSS)
  - Reflected XSS
  - Stored XSS
  - DOM-based XSS
- A discussion around secure coding practices w.r.t. the discussed issues
Day 2 (4 Hrs.)
- XML External Entities (XXE)
  - File Inclusion via XXE
  - Server-Side Request Forgery (SSRF) via XXE
  - Remote Code Execution (RCE) via XXE
  - Blind XXE
- Broken Authentication & Authorization
  - JWT Validation Bypass Techniques
  - OAuth 2.0 Authentication Vulnerabilities
  - Cross-Site Request Forgery (CSRF)
  - Insecure Direct Object Reference (IDOR)
  - Parameter Tampering
- A discussion around secure coding practices w.r.t. the discussed issues
Day 3 (4 Hrs.)
- Insecure Deserialization
- Sensitive Data Exposure
  - Missing/Broken Cryptography
  - Hardcoded Secrets in JavaScript Files
  - Verbose Error Messages
  - Verbose Server Responses
- A discussion around secure coding practices w.r.t. the discussed issues
Day 4 (4 Hrs.)
- Security Misconfigurations
  - Missing Security Headers
  - Missing Rate Limiting
  - Weak Password Policy
  - Use of Default Credentials
  - Missing Server-Side Validations
- Recap & Doubt Clarification
- CTF
Target Audience
- Anyone interested, including beginners
- Should be comfortable running basic Linux commands
Software Pre-requisites & Preferences
- Linux Operating System / Linux Virtual Machine
- Flutter - https://flutter.dev/docs/get-started/install
- Chalice - https://aws.github.io/chalice/quickstart
- Google Chrome Browser
- Python 3
- [Visual Studio Code](https://flutter.dev/docs/development/tools/vs-code) or any other text editor
- [Burp Suite Community Edition](https://portswigger.net/burp/communitydownload)
- [Docker](https://docs.docker.com/engine/install/ubuntu/)
- Root access on your laptop
Expectations
- We are going to run a Flutter based web application locally on individual machines.
- We are also going to create and deploy REST APIs locally, using Chalice.
- All demos will be run on a Linux operating system.
About Trainer
Riddhi Shree is an information security enthusiast with professional experience in software testing, web app pentesting, and Android and iOS app pentesting. She also has experience in web and mobile app development. She has created a cloud-based vulnerable Android app, called VyAPI, that demonstrates the OWASP Mobile Top 10 vulnerabilities. She was the chapter leader of the null Bangalore chapter until recently. Currently, she leads the community activities for the Winja community. She has presented her work through talks and trainings at various security conferences, including BSides (Delhi), c0c0n (Kochi), Nullcon (Goa), ISC2 (Bangalore), and HITB (Abu Dhabi).