CL-WSC

New Web application security

Length of training
  • 3 days (3×8 lessons)
  • daily 9:00 - 17:00
Available languages
  • Hungarian
Training price

721 600 Ft
+ VAT/person

Description

Sign up for our Web Application Security course and learn how to build web applications securely: which security-relevant mistakes can occur when building a web application, how to protect against them, and how to avoid them in the first place.

On the one hand, the course provides a step-by-step introduction to the security architecture of web applications, the correct use of each service, and the cryptographic background of the solutions. On the other hand, the most common and most dangerous vulnerabilities of web applications are presented and explained. Each flaw is demonstrated by showing the attack methods, followed in each case by a description of good practices and defenses.

The training is recommended for programmers, developers, software designers, testers, and security professionals who want to learn the techniques needed to build web applications as securely as possible.

Outline

  • From IT security to secure programming: the nature of security, what is risk?, IT security vs. secure coding, from vulnerabilities to botnets and cybercrime, the nature of security flaws, from infected computers to targeted attacks, classifying security flaws.
  • Web application security: Injection: basic principles, SQL injection (typical SQL injection attack methods, blind and time-based SQL injection, SQL injection protection methods), other injection flaws (command injection). Broken authentication: session management threats, session management best practices, cookie attribute configuration, Cross-Site Request Forgery - CSRF (login CSRF and CSRF prevention). XML External Entity (XXE): XML entity introduction, XML external entity (XXE) attack (resource inclusion, URL invocation, parameter entities, prevention). Broken access control: typical access control weaknesses, Insecure Direct Object Reference (IDOR), protection against IDOR. Security misconfiguration: configuring the environment, insecure file uploads, filtering file uploads - validation and configuration. Cross-Site Scripting (XSS): persistent, reflected, DOM-based, CSS injection, injecting the tag, XSS prevention. Insecure deserialization: basics of serialization and deserialization, security challenges, issues with deserialization - JSON. Using components with known vulnerabilities: vulnerability attributes, Common Vulnerability Scoring System - CVSS. Insufficient logging and monitoring: detection and response, logging and log analysis, intrusion detection systems and web application firewalls.
  • Client-side security: JavaScript security, same-origin policy, simple requests, preflight requests, JavaScript usage, threats and the global object, client-side authentication and password management, JavaScript code protection. Clickjacking (protection against clickjacking, frame-busting, defeating frame-busting - rejection of protection scripts, protection against anti-frame-busting). AJAX security: XSS in AJAX, script injection attack in AJAX, XSS protection in AJAX, CSRF protection in AJAX, the MySpace worm, AJAX security guidelines. HTML5 security: new XSS possibilities in HTML5, client-side persistent data storage, HTML5 clickjacking attack - text field injection and content extraction, form manipulation, cross-origin requests, HTML proxy with cross-origin requests.
  • Practical cryptography: first rule of cryptography implementation, cryptosystems: elements of a cryptosystem. Symmetric-key cryptography: ensuring confidentiality, symmetric cryptography, symmetric encryption algorithms, modes of operation. Other cryptographic algorithms: hash or message digest, hash algorithms, SHAttered, Message Authentication Code (MAC), integrity and authenticity assurance with symmetric key, random number generation (random numbers and cryptography, cryptographically strong PRNGs, hardware-based TRNGs). Asymmetric (public key) cryptography: ensuring confidentiality with public key encryption, rule of thumb - private key ownership, the RSA algorithm: introduction, encryption with RSA, combining symmetric and asymmetric algorithms, digital signature with RSA. Public Key Infrastructure (PKI): Man-in-the-Middle (MitM) attack, digital certificates against MitM attack, certificate authorities in public key infrastructure, X.509 digital certificate.
  • Security protocols: TLS protocol (SSL and TLS, usage options, security features of TLS, SSL/TLS handshake), protocol-level vulnerabilities (BEAST, CRIME, TIME, TIME without MitM, BREACH, protection against CRIME/TIME/BREACH, FREAK, FREAK - SSL/TLS attack, Logjam attack), padding oracle attacks (adaptive chosen-ciphertext attacks, padding oracle attack, CBC decryption, padding oracle example, Lucky Thirteen, POODLE).
  • Web services security: securing web services - two general approaches, SOAP - Simple Object Access Protocol, RESTful web services security (authentication of users in RESTful web services, authentication with JSON Web Tokens (JWT), authorization with REST, vulnerabilities related to REST), XML security (introduction, parsing, injection: (ab)using CDATA to store an XSS payload in XML, protection with sanitization and XML validation, XML bomb). XML Signature (introduction, architecture, hash collision with XML digital signature, canonicalization, document signing, XML Signature Wrapping (XSW) attack, Signature Wrapping countermeasures). JSON security: server-side embedding, injection, hijacking, XSS via forged JSON element.
  • Common coding errors and vulnerabilities: incorrect use of security functions, typical problems with using security functions, password management (weaknesses of hashed passwords, password management and storage, brute forcing, special purpose hash algorithms for password storage, typical errors in password management), insufficient protection against automation (Captcha - vulnerabilities).
  • Denial of service: introduction to DoS, asymmetric DoS, denial of service against ICDs (denial of service: battery drain), ReDoS at Stack Exchange, hash table collision attack (use of hash tables to store data, and collisions).
  • Principles of security and secure coding: Matt Bishop's principles of robust programming and Saltzer and Schroeder's security principles.

Prerequisites

At least two years of experience in general web application development. A basic working knowledge of cryptographic concepts and methods is recommended. As the course is taught in English, a basic knowledge of English at document-reading level is required. The lecture will be held in Hungarian.