Bonsai Information Security - Education

OWASP TOP 10 Based Training Course *

Bonsai’s OWASP Top 10 Based Training Course focuses on the most risky Web vulnerabilities that can be found in the wild. During this one-day course you are going to attend a series of lectures followed by some hands-on practices and demonstrations. On each practice you will identify vulnerabilities and challenge your understanding on exploiting said vulnerabilities.

This course was developed so that participants with various levels of knowledge can benefit from it as much as possible.

Our training experience helped us create the best OWASP Top 10 Based Training Course, which is oriented toward the PCI standard for payment applications.

Bonsai’s OWASP TOP 10 Based Training Course was specially designed to meet the essential security needs of Web application developers, QA testers and computer information security experts.


Provide the attendees with the knowledge, tools, resources and necessary techniques to understand the different types of Web vulnerabilities in the OWASP Top 10.

Understand the vulnerabilities in a theoretical and practical aspect to be able to identify and fully understand them.

Apply the tools and techniques used by professionals in a controlled environment, with a hands-on methodology and live demonstrations.

Course contents

  1. OWASP Top 10
    1. Introduction
    2. Risk management
    3. PCI Security Council & OWASP

  2. Basics for safe Web Application development
    1. Tainted variables
    2. Sensitive sinks
    3. Validation functions

  3. A1 - Injection
    1. Interpreters
    2. OS Commanding
    3. SQL Injection
    4. Login Bypass
    5. Blind SQL Injection
    6. SQL Injection Countermeasures
    7. LDAP Injection
    8. XPath / JSON Injection

  4. A2 - Cross-site Scripting (XSS)
    1. Reflected and persistent
    2. Advanced techniques

  5. A3 - Broken authentication and session management
    1. Cookies
    2. Attacking session
    3. Session Fixation
    4. Session Prediction

  6. A4 - Insecure direct object reference
    1. Authorization control in objects
    2. Path Traversal
    3. Null byte

  7. A5 - Cross-site Request Forgery (XSRF)

  8. A6 - Security Misconfiguration
    1. Backup files
    2. Local databases
    3. Hidden HTML fields
    4. Directory Enumeration
    5. Directory Indexing

  9. A7 - Insecure Cryptographic Storage

  10. A8 - Failure to Restrict URL Access

  11. A9 - Insufficient Transport Layer Protection
    1. Digital Certificates
    2. HTTPS Protocol

  12. A10 - Unvalidated Redirects and Forwards


The training deliverables include:

  1. Booklet with training course slides
  2. Live CD with the Web Application Security tools used during the training
  3. VMware image with the training environment
  4. Certificate of completion
  5. OWASP Top 10 Cheat-sheet


The training will be delivered by Andres Riancho, an expert in the Web Application Security field and the founder of Bonsai Information Security.

Additional information

* OWASP does not provide official training; this course is only based on the OWASP Top 10 document.

If you have any other questions, contact us.

Train your developers with us, and we’ll give you back your weekends!

Get a Quotation for the best OWASP TOP 10 Based Training Course.