Bonsai Information Security - Education

Web Application
Security Training

Bonsai's Web application security course focuses on teaching attendees the different types of Web vulnerabilities and how to identify them, both manually and with automated tools. During the course the theoretical concepts are taught first, followed by hands-on exercises performed in labs that were developed specifically for this course.

Our teaching experience helped us create a Web Application Security Training that is source-code oriented (for each subject, a vulnerable source code snippet is introduced and analysed) and programming-language agnostic: during the class, attendees will learn about vulnerabilities in Java, PHP, ASP.NET, ASP, Ruby and Python.


The training course was developed so that participants with varying knowledge levels can benefit from it as much as possible. During the first hour, basic HTTP concepts and generic techniques for vulnerability discovery are reviewed, gradually increasing the difficulty level until the most complex vulnerabilities are understood. Both Web application developers and computer information security experts will benefit from this training course.

For vulnerabilities like SQL injection and Remote File Inclusion, the speaker will explain and demonstrate the different exploitation techniques, in order to show the attendees the real risks related to these vulnerabilities.

To ensure the quality of our course, we have a maximum of sixteen attendees, each with their own computer provided by Bonsai and connected to the training lab.


Objectives

Provide the attendees with the knowledge, tools and techniques necessary to understand the different types of Web vulnerabilities, so that in the future they can identify them on their own.

Understand the vulnerabilities from a theoretical standpoint in order to identify them in the practical lab examples.

Apply, in a controlled environment and with a hands-on methodology, the tools used by professionals in the field, such as w3af (developed by the speaker), Burp and sqlmap, in order to learn about their main features.


Course contents

  1. Introduction to the HTTP protocol
    1. Requests and Responses
    2. HTTP Headers
    3. Secure Sockets Layer (SSL)

  2. General concepts for the development of secure Web applications
    1. Tainted variables
    2. Sensitive sinks
    3. Validation functions

  3. Types of analysis:
    1. Static code analysis, black box testing and gray box testing
      1. Definitions
      2. Vulnerabilities that can be detected
      3. Vulnerabilities that can't be detected

  4. Common configuration and development errors
    1. HTML comments and versioning
    2. Backup files
    3. Local databases
    4. HTML hidden fields
    5. Directory enumeration
    6. Directory Indexing

  5. Web Application Vulnerabilities
    1. Error messages and exceptions
    2. Path Disclosure
    3. OS Commanding
    4. Local file read
    5. Local file inclusions
    6. Path Traversal and Null Bytes
    7. Remote file inclusions
    8. HTTP Response Splitting
    9. Uncommon attack vectors
    10. LDAP Injection
    11. PHP preg_replace vulnerabilities
    12. SQL Injection
    13. Blind SQL Injection
    14. Cross Site Scripting (XSS)
    15. Cross Site Request Forgeries / Session Riding

  6. Privilege escalation in Web applications

  7. Vulnerabilities in the application logic

  8. Object authorization controls

  9. Web Service security considerations

  10. Web 2.0 vulnerabilities
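As an added illustration of the syllabus above, and not part of Bonsai's course material: the "tainted variable, sensitive sink, validation function" model from section 2 applied to SQL injection and blind SQL injection from section 5, written in Python (one of the course languages) against an in-memory SQLite database. The users table, the attacker payload and all function names are constructed for this example.

```python
"""Added example: taint flow into a SQL sink, a blind-injection oracle built on
it, and the hardened version. Not Bonsai's code; database contents and the
attacker input are constructed for illustration."""
import sqlite3


def make_db():
    """Constructed sample database: a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Tainted variable (attacker-controlled username) flows unmodified into the
    sensitive sink (the SQL statement string): classic SQL injection."""
    query = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def blind_extract(conn, username, column="role", alphabet="abcdefghijklmnopqrstuvwxyz"):
    """Boolean-based blind SQL injection against lookup_vulnerable: each probe
    asks "is character i of <column> equal to c?" and reads the answer from
    whether any row comes back. Recovers the column one character at a time;
    stops when no character of the alphabet matches (end of the value)."""
    extracted = ""
    while True:
        for c in alphabet:
            # The trailing quote is supplied by the vulnerable query itself.
            probe = f"{username}' AND substr({column},{len(extracted) + 1},1)='{c}"
            if lookup_vulnerable(conn, probe):
                extracted += c
                break
        else:
            return extracted


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter: the input is sent as data and can
    never change the structure of the statement."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Validation function at the trust boundary: allow-list of characters plus
    a length bound. Defence in depth on top of, not instead of, parameterization."""
    return 1 <= len(username) <= 32 and username.isalnum()


def lookup_hardened(conn, username):
    """Validation function followed by a safe sink."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row
    print("blind extraction of alice's role:", blind_extract(db, "alice"))
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened:", err)
```

Run as a script it prints the three rows leaked by the tautology payload, the role recovered character by character through the boolean oracle, the empty result from the parameterized query, and the rejection from the validated version.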



Deliverables

The training deliverables include:

  1. Booklet with training course slides
  2. Live CD with the Web Application Security tools used during the training
  3. VMware image with the training environment
  4. Certificate of completion

Trainer

The training will be delivered by Nahuel Grisolía, an expert in the Web Application Security field with more than four years of field and research experience, with the support of Andrés Riancho, founder of Bonsai Information Security.


Additional information

The training will be delivered in July in Capital Federal, Buenos Aires, Argentina.

The payment methods available are: cash, bank transfer, cheque and Dinero Mail.

If you have any other questions, contact us.