The World Wide Web is everywhere. It has become the standard protocol for transferring data, accessing applications, configuring devices, controlling software, or even multimedia streaming. Most software development can't be done without web applications. Despite the simple underlying concept, the technologies used in "HTTP/HTTPS" have grown into very complex beasts. Few get it right; lots of developers make mistakes and end up on the wrong side of a security presentation at a conference. Fortunately there is help. We offer you a workshop at DeepSec 2016 to make your web software development great again!
The "Secure Web Development" training by Marcus Niemietz systematically covers the OWASP Top 10 threats as well as threats which may become important in the future (e.g. HTML5 and AngularJS attacks). At the end of the training each attendee will be able to create her/his own checklist for avoiding security vulnerabilities.
On day one, Marcus focuses on topics like Social Engineering, Logical Flaws, Cross-Site Request Forgery, and Cross-Site Scripting. As one of the authors of the attack technique called "Scriptless Attacks", Marcus will show you how to attack applications without even using scripts. Furthermore, Marcus will present his newest research regarding the Same-Origin Policy; this includes at least one unpublished vulnerability in IE/Edge.
On day two, Marcus will introduce you to his favourite topic: UI redressing, aka clickjacking. After that you will learn attack and defense techniques from the server-side perspective: RCE, SQLi, and file inclusions. To sum it all up, the day ends with a self-created security requirement.
This is what you can expect on the first day: Basic knowledge (HTTP, HTML, CSS, XML, and DOM), Social Engineering and Information Disclosure, Logical Flaws, Same-Origin Policy, Cross-Site Request Forgery, Cross-Site Scripting (Reflective XSS, Stored XSS, DOM-based XSS, Self XSS, Mutation-based XSS), Session Hijacking and Session Fixation.
The second day will be all about: UI Redressing and Clickjacking, File Inclusions and Path Traversal, Remote Command and Code Execution, SQL Injections, Secure Coding, and Security Requirements.