
Security Testing Web Applications

Testing plays a very important role in ensuring the security and robustness of web applications. Various approaches – from high-level auditing through penetration testing to ethical hacking – can be applied to find vulnerabilities of different types. However, if you want to go beyond the easy-to-find low-hanging fruit, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for adversaries it is enough to find one exploitable vulnerability to penetrate it.

Attending this course will prepare software testers to adequately plan and precisely execute security tests, and to select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises will help participants understand web application vulnerabilities and mitigation techniques. Together with hands-on trials of various testing tools – from security scanners, through sniffers, proxy servers and fuzzing tools, to static source code analyzers – this course gives essential practical skills that can be applied at the workplace the next day.

Course outline

  • IT security and secure coding
  • Web application security (OWASP Top Ten 2017)
  • Client-side security
  • Denial of service
  • Security testing
  • Security testing techniques and tools
  • Knowledge sources

3 days

1990 €

Target Group

Web application testers

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn about XML security
  • Learn client-side vulnerabilities and secure coding practices
  • Understand security concepts of Web services
  • Learn about JSON security
  • Learn about denial of service attacks and protections
  • Understand security testing approaches and methodologies
  • Get practical knowledge in using security testing techniques and tools
  • Get sources and further readings on secure coding practices
Preparedness: General Web application development and testing

Contents of Security Testing Web Applications

Day 1

Security basics

What is security?

Threat and risk

Types of threats against computer systems

Consequences of insecure software

Constraints and the market

The dark side

Categorization of bugs

  • The Seven Pernicious Kingdoms
  • Common Weakness Enumeration (CWE)
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Vulnerabilities in the environment and dependencies

The OWASP Top Ten

OWASP Top 10 – 2017

A1 - Injection

  • Injection principles
  • Injection attacks
  • SQL injection
    • SQL injection basics
    • Lab – SQL injection
    • Attack techniques
    • Content-based blind SQL injection
    • Time-based blind SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Additional considerations
    • Lab – Using prepared statements
    • Case study – Hacking Fortnite accounts
    • Testing for SQL injection
  • Code injection
    • OS command injection
      • Lab – Command injection
      • OS command injection best practices
      • Lab – Command injection best practices
      • Case study – Command injection via ping
      • Testing for command injection
  • Injection best practices

A2 - Broken Authentication

  • Authentication basics
  • Authentication weaknesses
  • Spoofing on the Web
  • Testing for weak authentication
  • Case study – PayPal 2FA bypass
  • User interface best practices
  • Password management
    • Inbound password management
      • Storing account passwords
      • Password in transit
      • Lab – Why is just hashing passwords not enough?
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • (Mis)handling passwords
      • Password policy
      • NIST authenticator requirements for memorized secrets
      • Password length
      • Password hardening
      • Using passphrases
      • Lab – Applying a password policy
      • The Ashley Madison data breach
      • The dictionary attack
      • The ultimate crack
      • Exploitation and the lessons learned
      • Password database migration
      • Testing for password management issues
    • Outbound password management
      • Hard coded passwords
      • Password in configuration file
      • Lab – Hardcoded password
      • Protecting sensitive information in memory
      • Challenges in protecting memory
  • Session management
    • Session management essentials
    • Why do we protect session IDs – Session hijacking
    • Session ID best practices
    • Session expiration
    • Session fixation
    • Testing for session management issues
    • Cross-site Request Forgery (CSRF)
      • Lab – Cross-site Request Forgery
      • CSRF best practices
      • Lab – CSRF protection with tokens
      • Testing for CSRF
    • Cookie security
      • Cookie security best practices
      • Cookie attributes
      • Testing cookie security

Day 2

Security testing

Security testing methodology

  • Preparation
  • Identifying assets
  • Identifying the attack surface
  • Assigning security requirements
  • Lab – Identifying and rating assets
  • Attacker profiling
  • Threat modelling
    • SDL threat modelling
    • Data flow diagram elements
    • Mapping STRIDE to DFD
    • Lab – SDL threat modelling
    • Attack trees
    • Misuse cases
    • Risk analysis
    • Lab – Risk analysis
  • Security testing approaches
    • Review and recommendations
    • Standard and proprietary mitigations

The OWASP Top Ten

A3 - Sensitive Data Exposure

  • Information exposure
  • Exposure through extracted data and aggregation
  • System information leakage
    • Leaking system information
  • Information exposure best practices

A4 - XML External Entities (XXE)

  • DTD and the entities
  • Entity expansion
  • External Entity Attack (XXE)
    • File inclusion with external entities
    • Server-Side Request Forgery with external entities
    • Lab – External entity attack
    • Case study – XXE vulnerability in SAP Store
    • Lab – Prohibiting DTD
    • Testing for XXE and XML entity-related vulnerabilities

A5 - Broken Access Control

  • Access control basics
  • Missing or improper authorization
  • Failure to restrict URL access
  • Testing for authorization issues
  • Confused deputy
    • Insecure direct object reference (IDOR)
    • Lab – Insecure Direct Object Reference
    • Authorization bypass through user-controlled keys
    • Case study – Authorization bypass on Facebook
    • Testing for confused deputy weaknesses
  • File upload
    • Unrestricted file upload
    • Good practices
    • Lab – Unrestricted file upload
    • Testing for file upload vulnerabilities

A6 - Security Misconfiguration

  • Configuration principles
  • Server misconfiguration
  • Configuration management

A7 - Cross-site Scripting (XSS)

  • Cross-site scripting basics
  • Cross-site scripting types
    • Persistent cross-site scripting
    • Reflected cross-site scripting
    • Client-side (DOM-based) cross-site scripting
    • Case study – XSS in Fortnite accounts
  • XSS protection best practices
    • Protection principles – escaping
    • Additional protection layers
    • Client-side protection principles
    • Lab – XSS fix / stored
    • Lab – XSS fix / reflected
    • Testing for XSS

A8 - Insecure Deserialization

  • Serialization and deserialization challenges
  • Deserializing untrusted streams
  • Deserializing best practices
  • Property Oriented Programming (POP)
    • POP best practices
    • Lab – Creating a POP payload
    • Lab – Using the POP payload
    • Testing for insecure deserialization

Day 3

Security testing

Security testing techniques and tools

  • Security testing vs functional testing
  • Manual and automated methods
  • Penetration testing
  • Stress testing
  • Code analysis
    • Security aspects of code review
    • Static analysis
  • Dynamic analysis
    • Security testing at runtime
    • Dynamic analysis tools
  • Testing web applications
    • Web vulnerability scanners
    • SQL injection tools
  • Man-in-the-middle sniffing and interference
    • Proxy servers
    • Lab – Using a proxy

The OWASP Top Ten

A9 - Using Components with Known Vulnerabilities

  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Importing JavaScript
  • Case study – The British Airways data breach
  • Vulnerability management
    • Patch management
    • Vulnerability databases and scanning tools
    • Vulnerability rating – CVSS

A10 - Insufficient Logging & Monitoring

  • Logging and monitoring principles
  • Insufficient logging
  • Plaintext passwords at Facebook
  • Logging best practices
  • Monitoring best practices

Web application security beyond the Top Ten

  • Client-side security
  • Same Origin Policy
    • Relaxing the Same Origin Policy
    • Relaxing with Cross-Origin Resource Sharing (CORS)
    • Simple request
    • Preflight request
    • Tabnabbing
  • Frame sandboxing
    • Cross-Frame Scripting (XFS) attack
    • Lab – Clickjacking
    • Clickjacking beyond hijacking a click
    • Clickjacking protection best practices
  • Testing for client-side security weaknesses

Common software security weaknesses

Input validation

  • Input validation principles
    • Blacklists and whitelists
    • Data validation techniques
    • What to validate – the attack surface
    • When to validate – validation vs transformations
    • Where to validate – defense in depth
    • Output sanitization
    • Encoding challenges
    • Validation with regex
  • Integer handling problems
    • Representing signed numbers
    • Integer visualization
    • Integer overflow
    • Integer truncation
    • Best practices
      • Upcasting
      • Precondition testing
      • Postcondition testing
    • Testing for numeric problems
  • Files and streams
    • Path traversal
    • Path traversal-related examples
    • Additional challenges in Windows
    • Virtual resources
    • Path traversal best practices
    • Testing for path traversal

JSON security

JSON injection

Dangers of JSONP

JSON/JavaScript hijacking

Best practices

Case study – ReactJS vulnerability in HackerOne

Wrap up

Secure coding principles

  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schroeder
  • Some more principles

And now what?

  • Further sources and readings


The course begins at 9.00 and ends at 16.00–16.30. Breakfast is served from 8.15 onwards.
