SlideShare una empresa de Scribd logo
1 de 5
Descargar para leer sin conexión
Web Application Security
      Course Overview




               Satish.B
               Email:
               satishb3@securitylearn.net
Course Content

History of web application
    Introduction to web application architecture

Uniform Resource Locator (URL)

HTTP
        Introduction
        HTTP Methods
        WEBDAV methods
        Request/Response analysis
        Security problems with http

HTTPS
        Handshake protocol
        Record protocol

Proxy
        Man in the middle attack
        Tools: Burp proxy, Paros proxy, web scarab

Encoding Techniques
      URL Encoding
      HTML Encoding
      Unicode Encoding
      Tools: Burp decoder

Profiling Application
        Spiders, crawlers
        Search engine discovery
        Banner Grabbing
        Robots.txt
        Analysis of error codes
        Tools: HttpPrint, netcraft

Attacking Authentication
       Authentication Types
       Brute force attacks
       Analyzing Auto complete options
       Insecure credential transmission
       Session puzzle attacks
       Authentication bypass techniques
       Shoulder surfing

 2                                                   http://www.securitylearn.net
CAPTCHA Rebinding attacks
       Countermeasures
       Tools: Bruter, Burp Repeater, Burp Intruder

Attacking Authorization
       Authorization types
       Parameter tampering
       Horizontal privilege escalation
       Vertical privilege escalation
       Referrer spoofing

Cryptography weakness
      Symmetric cryptography
      Asymmetric cryptography
      Substitution cipher
      Stream cipher
      Block cipher
      Steganography
      SSL cipher testing
      Cracking hashes
      Padding oracle attack
      Cracking ECB encryption
      Tools: SSLDigger, MD5 crack

Attacking Session management
       Introduction
       Secure flag
       HTTPOnly flag
       Cookie Domain & Path
       Session Token analysis
       Session fixation
       Cookie transmission mechanisms
       Tools: Burp sequencer
       Timeout issues

Cross site scripting attacks
       Same origin policy
       Reflective XSS
       Stored XSS
       DOM based XSS
       Anatomy of XSS
       Exploitation
       Impact of XSS
       XSS Shell

 3                                                   http://www.securitylearn.net
XSS & Metasploit
       Black list/White list
       Input validation
       Output encoding
       Remediation
       Tools: Beef

SQL injection
       Error based SQLi
       Blind SQLi
       SQLi exploitation
       Data extraction with UNION queries
       Data extraction with inference techniques
       Command execution with SQLi
       Impact of SQLi
       Remediation
       Stored procedures Vs Parameterized queries
       Tools: SQLMap, Absinthe

Cross site request forgery
       Anatomy of CSRF
       Remediation
       CAPTCHA Rebinding attack
       Tool: CSRFTester

URL Redirection attacks
      Phishing attacks
      Remediation

HTTP Response splitting
      Cache positioning
      Command execution

Input validation attacks
       File Uploads
       Path traversal attacks
       Local file inclusions
       Remote file inclusions
       Command Execution
       Remediation Techniques

Server Configuration issues
       WEBDAV methods
       Caching vulnerabilities
       Directory listing

 4                                                  http://www.securitylearn.net
Attacking Web Server
       Denial of service attacks
       Buffer over flows
       Remediation

OWASP Top10 web application risks

Scanners
      Usage of tools
      Pros, Cons & Problems with scanners
      IBM- AppScan
      HP- WebInspect

Risk Assessment
       OWASP Risk Rating methodology

Pentest Reports
      Executive reports
      Detailed reports

Web Application Security Checklist



Contact
Satish B
Email: satishb3@securitylearn.net
       satishb3@hotmail.com




 5                                          http://www.securitylearn.net

Más contenido relacionado

La actualidad más candente

Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Capgemini
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
 
121 desarrollando aplicaciones-seguras_con_gene_xus
121 desarrollando aplicaciones-seguras_con_gene_xus121 desarrollando aplicaciones-seguras_con_gene_xus
121 desarrollando aplicaciones-seguras_con_gene_xusGeneXus
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3vhimsikal
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryChristopher Grayson
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 

La actualidad más candente (20)

Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
121 desarrollando aplicaciones-seguras_con_gene_xus
121 desarrollando aplicaciones-seguras_con_gene_xus121 desarrollando aplicaciones-seguras_con_gene_xus
121 desarrollando aplicaciones-seguras_con_gene_xus
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request Forgery
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 

Similar a Web application security - Course overview

Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
What's new in​ CEHv11?
What's new in​  CEHv11?What's new in​  CEHv11?
What's new in​ CEHv11?EC-Council
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
Ceh certified ethical hacker
Ceh   certified ethical hackerCeh   certified ethical hacker
Ceh certified ethical hackerbestip
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Fraud detection system
Fraud detection systemFraud detection system
Fraud detection systembaladutt
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Hack applications
Hack applicationsHack applications
Hack applicationsenrizmoore
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptJonathan LeBlanc
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 

Similar a Web application security - Course overview (20)

Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
What's new in​ CEHv11?
What's new in​  CEHv11?What's new in​  CEHv11?
What's new in​ CEHv11?
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
Ceh certified ethical hacker
Ceh   certified ethical hackerCeh   certified ethical hacker
Ceh certified ethical hacker
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Fraud detection system
Fraud detection systemFraud detection system
Fraud detection system
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Hack applications
Hack applicationsHack applications
Hack applications
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScript
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 

Más de Satish b

Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Satish b
 
iPhone forensics course overview
iPhone forensics course overviewiPhone forensics course overview
iPhone forensics course overviewSatish b
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5Satish b
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
padding oracle attack
padding oracle attackpadding oracle attack
padding oracle attackSatish b
 

Más de Satish b (6)

Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)
 
iPhone forensics course overview
iPhone forensics course overviewiPhone forensics course overview
iPhone forensics course overview
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
padding oracle attack
padding oracle attackpadding oracle attack
padding oracle attack
 

Último

Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 

Último (20)

Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 

Web application security - Course overview

  • 1. Web Application Security Course Overview Satish.B Email: satishb3@securitylearn.net
  • 2. Course Content History of web application Introduction to web application architecture Uniform Resource Locator (URL) HTTP Introduction HTTP Methods WEBDAV methods Request/Response analysis Security problems with http HTTPS Handshake protocol Record protocol Proxy Man in the middle attack Tools: Burp proxy, Paros proxy, web scarab Encoding Techniques URL Encoding HTML Encoding Unicode Encoding Tools: Burp decoder Profiling Application Spiders, crawlers Search engine discovery Banner Grabbing Robots.txt Analysis of error codes Tools: HttpPrint, netcraft Attacking Authentication Authentication Types Brute force attacks Analyzing Auto complete options Insecure credential transmission Session puzzle attacks Authentication bypass techniques Shoulder surfing 2 http://www.securitylearn.net
  • 3. CAPTCHA Rebinding attacks Countermeasures Tools: Bruter, Burp Repeater, Burp Intruder Attacking Authorization Authorization types Parameter tampering Horizontal privilege escalation Vertical privilege escalation Referrer spoofing Cryptography weakness Symmetric cryptography Asymmetric cryptography Substitution cipher Stream cipher Block cipher Steganography SSL cipher testing Cracking hashes Padding oracle attack Cracking ECB encryption Tools: SSLDigger, MD5 crack Attacking Session management Introduction Secure flag HTTPOnly flag Cookie Domain & Path Session Token analysis Session fixation Cookie transmission mechanisms Tools: Burp sequencer Timeout issues Cross site scripting attacks Same origin policy Reflective XSS Stored XSS DOM based XSS Anatomy of XSS Exploitation Impact of XSS XSS Shell 3 http://www.securitylearn.net
  • 4. XSS & Metasploit Black list/White list Input validation Output encoding Remediation Tools: Beef SQL injection Error based SQLi Blind SQLi SQLi exploitation Data extraction with UNION queries Data extraction with inference techniques Command execution with SQLi Impact of SQLi Remediation Stored procedures Vs Parameterized queries Tools: SQLMap, Absinthe Cross site request forgery Anatomy of CSRF Remediation CAPTCHA Rebinding attack Tool: CSRFTester URL Redirection attacks Phishing attacks Remediation HTTP Response splitting Cache positioning Command execution Input validation attacks File Uploads Path traversal attacks Local file inclusions Remote file inclusions Command Execution Remediation Techniques Server Configuration issues WEBDAV methods Caching vulnerabilities Directory listing 4 http://www.securitylearn.net
  • 5. Attacking Web Server Denial of service attacks Buffer over flows Remediation OWASP Top10 web application risks Scanners Usage of tools Pros, Cons & Problems with scanners IBM- AppScan HP- WebInspect Risk Assessment OWASP Risk Rating methodology Pentest Reports Executive reports Detailed reports Web Application Security Checklist Contact Satish B Email: satishb3@securitylearn.net satishb3@hotmail.com 5 http://www.securitylearn.net