DeepSec2016 Workshop: Secure Web Development – Marcus Niemietz

The World Wide Web is everywhere. It has become the standard protocol for transferring data, accessing applications, configuring devices, controlling software, or even multimedia streaming. Most software development can’t be done without web applications. Despite the simple concept, the technologies used in "HTTP/HTTPS" have grown into very complex beasts. Few get it right; lots of developers make mistakes and end up on the wrong side of a security presentation at a conference. Fortunately there is help. We offer you a workshop at DeepSec 2016 to make your web software development great again!

The “Secure Web Development” training by Marcus Niemietz systematically covers the OWASP Top 10 threats as well as threats which may become important in the future (e.g. HTML5 and AngularJS attacks). At the end of the training each attendee will be able to create her/his own checklist for avoiding security vulnerabilities.

On day one, Marcus focuses on topics like Social Engineering, Logical Flaws, Cross-Site Request Forgery, and Cross-Site Scripting. As one of the authors of the attack technique called “Scriptless Attacks”, Marcus will show you how to attack applications without even using scripts. Furthermore, Marcus will present his newest research regarding the Same-Origin Policy; this includes at least one unpublished vulnerability in IE/Edge.

On day two, Marcus will introduce you to his favourite topic: UI redressing, aka clickjacking. After that you will learn attack and defense techniques from the server-side perspective: RCE, SQLi, and file inclusions. To sum it all up, the day ends with a self-created security requirement.

This is what you can expect on the first day: Basic knowledge (HTTP, HTML, CSS, XML, and DOM), Social Engineering and Information Disclosure, Logical Flaws, Same-Origin Policy, Cross-Site Request Forgery, Cross-Site Scripting (Reflective XSS, Stored XSS, DOM-based XSS, Self XSS, Mutation-based XSS), Session Hijacking and Session Fixation.

The second day will be all about: UI Redressing and Clickjacking, File Inclusions and Path Traversal, Remote Command and Code Execution, SQL Injections, Secure Coding, and Security Requirements.

The training consists of approximately 60% instruction and 40% exercises (discussions, hands-on). You should definitely attend if you are a web developer. Depending on your level of knowledge, this workshop might also be interesting for penetration testers and security researchers (especially day 2!). You should know the basics of HTML, JavaScript, and SQL. Every participant needs an Internet connection and a laptop with Firefox. You will learn a lot – we promise!


Marcus Niemietz is the co-founder of Hackmanit and a security researcher at the Ruhr-University Bochum in Germany. He focuses on Web security related topics like HTML, JavaScript, and especially UI redressing. For security experts and web developers, Marcus Niemietz has published a book about the important OWASP topic UI redressing. Besides that, he works as a security consultant and gives OWASP security trainings for well-known companies. Marcus Niemietz has spoken at a wide variety of international conferences (incl. Microsoft’s Blue Hat in Redmond, Black Hat in Singapore/Abu Dhabi, and DeepSec).
