Secure Coding Training for Web Developers

13 October 2009

7Safe will be running a new training course from 15/16 Dec 2009 entitled Secure Coding for Web Developers. In our penetration testing work it is clear that web developers genuinely need to learn how to prevent attackers from breaking into the applications they create.

The course outline was designed with that in mind:

  Introduction to Web Applications
        * Authentication
        * Authorization
        * Cookies
        * The HTTP protocol
        * Overview of Google hacking

  Attacking Authentication
        * Types of authentication
        * Clear-text HTTP
        * Username enumeration
        * Security through obscurity

  Web Server Issues
        * IIS/Apache exploits and an introduction to hacking tools such as Metasploit
        * Insecure HTTP methods

  Cross-Site Scripting
        * Types of XSS
        * Secure and HttpOnly cookie flags
        * Complicated XSS

  Cross-Site Request Forgery
        * Complicated XSRF with POST requests
        * XSRF in web services

  Session Fixation

  CRLF Injection
        * Proxy poisoning, XSS via CRLF injection

  SQL Injection (basic to advanced)
        * Introduction to SQL injection
        * Authentication bypass
        * Extracting data
        * OS code execution
        * Overview of advanced SQL injection

  Malicious File Uploads

  Vulnerable Flash Applications

  Parameter Manipulation Attacks

  Business Logic Bypass
        * Authentication bypass
        * Other logical flaws

  SSL Misconfigurations
        * SSL and man-in-the-middle attacks

  Security Problems with Thick Client Applications

We’re expecting this to be a popular course. Rather than attempt to cover every language under the sun in one course, we focus on the important principles, with examples in PHP and ASP.NET.

Click on the following link for the official web page for the secure coding course.