Web Application Security for PCI DSS – Part 2 (WASEC-PD2) – Outline

Detailed Course Outline

DAY 1

The OWASP Top Ten 2021

  • A01 – Broken Access Control
    • Access control basics
    • Failure to restrict URL access
    • Confused deputy
      • Insecure direct object reference (IDOR)
      • Lab – Insecure Direct Object Reference
      • Authorization bypass through user-controlled keys
      • Case study – Authorization bypass on Facebook
      • Lab – Horizontal authorization
    • File upload
      • Unrestricted file upload
      • Good practices
      • Lab – Unrestricted file upload
    • Cross-site Request Forgery (CSRF)
      • Lab – Cross-site Request Forgery
      • CSRF best practices
      • CSRF defense in depth
      • Lab – CSRF protection with tokens
  • A02 – Cryptographic Failures
    • Information exposure
      • Exposure through extracted data and aggregation
      • Case study – Strava data exposure
      • System information leakage
        • Leaking system information
      • Information exposure best practices
    • Cryptography for developers
      • Cryptography basics
      • Elementary algorithms
        • Random number generation
          • Pseudo-random number generators (PRNGs)
          • Cryptographically strong PRNGs
          • Using virtual random streams
          • Lab – Using random numbers
          • Case study – Equifax credit account freeze
      • Confidentiality protection
        • Symmetric encryption
          • Block ciphers
          • Modes of operation
          • Modes of operation and IV – best practices
          • Lab – Symmetric encryption
        • Asymmetric encryption
        • Combining symmetric and asymmetric algorithms

The OWASP Top Ten 2021

  • A03 – Injection
    • Injection principles
    • Injection attacks
    • SQL injection
      • SQL injection basics
      • Lab – SQL injection
      • Attack techniques
      • Content-based blind SQL injection
      • Time-based blind SQL injection
    • SQL injection best practices
      • Input validation
      • Parameterized queries
      • Lab – Using prepared statements
      • Case study – Hacking Fortnite accounts
    • Code injection
      • OS command injection
        • OS command injection best practices
        • Case study – Shellshock
        • Lab – Shellshock

DAY 2

The OWASP Top Ten 2021

  • A03 – Injection
    • HTML injection – Cross-site scripting (XSS)
      • Cross-site scripting basics
      • Cross-site scripting types
        • Persistent cross-site scripting
        • Reflected cross-site scripting
        • Client-side (DOM-based) cross-site scripting
      • Lab – Stored XSS
      • Lab – Reflected XSS
      • Case study – XSS in Fortnite accounts
      • XSS protection best practices
        • Protection principles – escaping
        • Lab – XSS fix / stored
        • Lab – XSS fix / reflected
        • Additional protection layers – defense in depth

The OWASP Top Ten 2021

  • A07 – Identification and Authentication Failures
    • Authentication
      • Authentication basics
      • Multi-factor authentication
      • Time-based One Time Passwords (TOTP)
      • Authentication weaknesses
      • Spoofing on the Web
      • Case study – PayPal 2FA bypass
      • User interface best practices
      • Case study – Information disclosure in Simple Banking for Android
      • Lab – On-line password brute forcing
    • Password management
      • Inbound password management
        • Storing account passwords
        • Password in transit
        • Lab – Is just hashing passwords enough?
        • Dictionary attacks and brute forcing
        • Salting
        • Adaptive hash functions for password storage
        • Password policy
          • NIST authenticator requirements for memorized secrets
          • Password hardening
          • Using passphrases
        • Case study – The Ashley Madison data breach
          • The dictionary attack
          • The ultimate crack
          • Exploitation and the lessons learned
        • Password database migration
          • (Mis)handling null passwords
      • Outbound password management
        • Hard-coded passwords
        • Best practices
        • Lab – Hardcoded password
        • Protecting sensitive information in memory
          • Challenges in protecting memory
  • A08 – Software and Data Integrity Failures
    • Subresource integrity
      • Importing JavaScript
      • Lab – Importing JavaScript
      • Case study – The British Airways data breach
    • Insecure deserialization
      • Serialization and deserialization challenges
      • Integrity – deserializing untrusted streams
      • Integrity – deserialization best practices
      • Property Oriented Programming (POP)
        • Creating a payload
        • Lab – Creating a POP payload
        • Lab – Using the POP payload
        • Summary – POP best practices

Security testing

  • Security testing techniques and tools
    • Code analysis
      • Static Application Security Testing (SAST)
    • Dynamic analysis
      • Security testing at runtime
      • Penetration testing
      • Stress testing
      • Dynamic analysis tools
        • Dynamic Application Security Testing (DAST)
        • Web vulnerability scanners
        • SQL injection tools
      • Fuzzing

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
  • And now what?
    • Software security sources and further reading