Customizable In-house Trainings
Several times a year I enjoy conducting in-house training courses on topics like web application security (focusing on Java), penetration testing, and SecurityDevOps. Aside from the one-day workshops, all trainings consist largely of instructor-led exercises (over 75 percent of the time) based on demo applications written specifically for the trainings. Each training includes a digital handout (PDF) of the course contents with plenty of information for the attendees.
Just send me an e-mail if you would like more detailed course information. Depending on the audience, the courses are held in English or German. The contents of the workshops can be customized to your individual needs, system environments, and software development process model.
Java Web Hacking & Hardening
This intensive training focuses on securing Java web applications against attacks. Throughout the fully hands-on course, a Java web application written specifically for this workshop and containing a large number of vulnerabilities is examined, attacked, and secured. We start with common vulnerabilities found in web applications and continue to more specialized security holes. Secondary countermeasures (defense in depth) are also presented.
Topics covered include:
- Attack scenarios in modern web applications
- Browser-side protections such as the same-origin policy (SOP) and how attackers try to circumvent them
- The OWASP organization (tools, papers, Top 10)
- Finding vulnerabilities in the workshop's demo web application and hardening the application against the attack vectors:
  - SQL injection, including blind SQL injection
  - Cross-Site Scripting (XSS): stored, reflected, and DOM-based
  - Cross-Site Request Forgery (CSRF)
  - Authentication bypasses and privilege escalation
  - Session fixation
  - Path traversal, including classpath traversal attacks
  - Remote Code Execution (RCE) via command injection, backdoor uploads, local or remote file inclusion, etc.
  - XML attacks such as XML eXternal Entities (XXE) and XPath injection
  - Typical information disclosures
  - Header injection and open redirects
  - JSON hijacking
  - Forceful browsing and parameter tampering
  - Server-Side Request Forgery (SSRF)
  - . . .
- WebService (SOAP and REST) based attacks
- HTML5 attacks and security considerations for WebSockets, Local Storage, etc.
- Other types of backend injection such as LDAP injection
- Using automated passive and active scanners
- Professional analysis and exploitation frameworks
- Implementing defense strategies (server and client):
  - Context-aware output escaping, input validation, HTTP protection headers, Content Security Policy (CSP), token-based protection, form value masking, URL hashing/signing, URL encryption, . . .
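As an added illustration of the "URL hashing/signing" item in the list above (example code written for this page, not code from the workshop's demo application): an HMAC-signed link that lets the server detect parameter tampering and forceful browsing. The secret key, the `/orders` path and the parameter names are hypothetical placeholders; the snippet needs Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not part of the workshop's demo application): sign the
 * parameters of an application-internal link with an HMAC so that editing
 * id=42 into id=43 by hand is rejected server-side.
 */
public final class SignedUrlDemo {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final String SIG_PARAM = "sig";

    /** Canonical query: keys sorted, each key and value URL-encoded, so the signed string is unambiguous. */
    static String canonicalQuery(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equals(SIG_PARAM)) continue; // never sign the signature itself
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** HMAC over path and canonical query; the path is included so a signature cannot be replayed against another endpoint. */
    static String hmac(byte[] key, String path, String query) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        byte[] tag = mac.doFinal((path + "?" + query).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Server side, when rendering a link: path?a=1&b=2&sig=... */
    public static String sign(String path, Map<String, String> params, byte[] key) throws Exception {
        String query = canonicalQuery(params);
        return path + "?" + query + "&" + SIG_PARAM + "=" + hmac(key, path, query);
    }

    /** Server side, on the incoming request: recompute over the received parameters and compare in constant time. */
    public static boolean verify(String path, Map<String, String> received, byte[] key) throws Exception {
        String sig = received.get(SIG_PARAM);
        if (sig == null) return false;
        String expected = hmac(key, path, canonicalQuery(received));
        // MessageDigest.isEqual does not stop at the first mismatching byte (no timing side channel).
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical application secret; in a real deployment load it from configuration and rotate it.
        byte[] key = "hypothetical-server-secret-rotate-me".getBytes(StandardCharsets.UTF_8);

        Map<String, String> params = new LinkedHashMap<>();
        params.put("action", "view");
        params.put("id", "42");
        String link = sign("/orders", params, key);
        System.out.println("rendered link : " + link);

        // Honest client sends the link back unchanged.
        Map<String, String> ok = new HashMap<>(params);
        ok.put(SIG_PARAM, link.substring(link.indexOf("sig=") + 4));
        System.out.println("untampered accepted : " + verify("/orders", ok, key));

        // Attacker edits id=42 into id=43 but cannot recompute the HMAC without the key.
        Map<String, String> tampered = new HashMap<>(ok);
        tampered.put("id", "43");
        System.out.println("tampered accepted   : " + verify("/orders", tampered, key));

        // Same parameters and signature sent to a different path are rejected as well.
        System.out.println("other path accepted : " + verify("/admin/orders", ok, key));
    }
}
```

Signed links are a secondary measure in the sense the course uses the term: they make tampering visible, but they do not replace the authorization check on the target resource, and a user who legitimately received a link can replay it until it is bound to a session or an expiry timestamp as well.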
This training includes many hands-on exercises, such as finding security holes in the demo application and then fixing the vulnerabilities and hardening the application. Attendees learn how to apply primary defenses and secondary hardening measures to the application. The course also includes offensive parts with real-world exploitation of the security holes, in order to fully understand their individual impact on a complete software system: stealthy session stealing, user impersonation, sensitive data exfiltration, remote filesystem access, attacker shells, server takeover, etc.
Since the main focus is the mitigation of security problems, at the end of the workshop prophylactic protection techniques and best practices (such as tokens and URL encryption) are also applied to the demo application. Each attack is covered in the demo application with multiple coding examples derived from my real-world experience as a freelance pentester and Java software developer. Attendees can use either Eclipse or IntelliJ IDEA for the coding exercises, depending on personal preference; pre-configured projects for both IDEs are provided.
The main intention behind this course is to learn and practice web application hardening by finding security holes step by step and closing them. Because attendees take on both roles (the attacker's point of view as well as the developer's defensive point of view), code review and pentesting skills are learned in addition to the defense strategies.
I had the chance to hold this training over a hundred times in recent years (and constantly improved it) for national and international companies ranging from small IT startups to big enterprises. I also had the chance to present a special version of it as a public training at the OWASP AppSecEU 2013 conference in Hamburg as well as at the OWASP AppSecEU 2014 conference in Cambridge.