SANS Software Security Institute

Developer 422: Web Application Security Essentials

Overview

Web Application Security Essentials is a three-day, hands-on course covering defensive strategies for Web applications against current and emerging attacks. It explains the root causes of common Web vulnerabilities so that you can properly defend your organization's Web assets. Mitigations are discussed from the infrastructure, architecture, and coding perspectives, alongside real-world implementations that have been shown to work. The course covers the key problem areas of Web application security, as well as newer technology areas such as AJAX and Web Services.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation. This course is intended for anyone tasked with implementing secure Web applications.

Web Application Security Essentials is particularly well suited to application security analysts, developers, application architects, pen testers who are interested in recommending proper mitigations to security issues, and infrastructure security professionals who have an interest in better defending their Web applications.

Who Should Attend

  • Web application developers
  • Application architects
  • Application security analysts
  • Penetration testers who are interested in recommending proper mitigations to security issues

Sampling of Topics

  • Securing Web Application Infrastructures
  • Cryptography
  • Authentication
  • Access Control
  • Session Mechanism Protection
  • Web Application Logging
  • Input Issues and Proper Validation
  • SQL Injection Defense
  • Cross-Site Scripting Defense
  • Phishing Defense
  • HTTP Response Splitting and Defense
  • Cross-Site Request Forgery Defense
  • AJAX Security
  • Web Services Security

Laptop Required

Students attending this course must bring their own laptops, installed and configured as described below before they arrive; there is not enough time in class to help you set up your laptop.

Minimum hardware requirements:

  • 1GHz processor
  • 512MB RAM (1GB highly recommended)
  • 3GB free hard disk space
  • CD-ROM drive
  • An unused USB slot

A laptop with Windows 2000, XP, or Vista is required with the latest Service Packs and patches. Install the following software on the computer:

  • Java Runtime Environment (JRE) - please download from http://www.sun.com
  • Firefox browser (version 2) - DO NOT install version 3
  • Install Switchproxy extension in Firefox (see below)

Please install VMware Player or VMware Workstation on the laptop. (GSX and ESX will not work.) VMware player can be downloaded for free at http://www.vmware.com.

Switchproxy is a Firefox extension and can be installed from https://addons.mozilla.org/en-US/firefox/addon/125. Surf to the URL with Firefox 2 and then click on the "Add to Firefox" button on the page.

At the beginning of class you will be given a bootable Linux CD, which you will run as a virtual machine inside VMware. You must be able to disable the host firewall (the Windows firewall or any third-party firewall) and the anti-virus software running on your laptop, which usually means you need administrative privileges on the machine. The Windows host and the Linux guest need to communicate through the VMware network interface; a firewall can block that traffic and cause some of the exercises to fail.

Day Information

Day 1

We begin day 1 with a brief overview of the technologies that are at play in Web applications. You can't win the battle if you don't understand what you are trying to defend. Then, we dive straight into the infrastructure security in Web applications, cover mistakes in the infrastructure and configuration of Web servers, and discuss the various mitigation techniques leveraging infrastructure, such as Web application firewalls.

Since the Internet offers no guarantee that data in transit stays secret or unaltered, SSL/TLS is commonly used to protect the confidentiality and integrity of information on the Web. We delve into the encryption technologies used to guard information both in transit and at rest on the server.

The question that follows is, who should you allow into your application? We discuss best practices for authenticating users and the common vulnerabilities in authentication.

Authorization is the last topic of discussion for the day. Making sure the application properly controls access to the appropriate resources is the goal of the discussion. You will learn the right way of planning for access during the development lifecycle and the common pitfalls with access control.

  • Topics
    • Defense-in-Depth Architecture
    • Web Application Firewall
    • SSL and Database Encryption
    • Web Application Authentication Methods
    • Authentication and Related Vulnerabilities
    • Authorization and Related Vulnerabilities

Day 2

Day two starts with session management in Web applications. We go over the techniques attackers use against the session mechanism and the corresponding defense strategies, and cover session security best practices so that your application's session management is as strong as possible.
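As an added illustration of the session best practices the day covers (example code written for this page, not course material), the Python sketch below implements an in-memory session store that issues session IDs from the OS CSPRNG, enforces idle and absolute timeouts, rotates the ID at login so that an attacker-supplied (fixated) ID never becomes an authenticated session, and emits the cookie attributes that keep the ID off plain HTTP and away from script. The store itself, the timeout values and the injectable clock parameter are assumptions made for the example.

```python
import secrets
import time

# Added example for this page, not course material. Values below are assumptions.
SESSION_ID_BYTES = 32        # 256 bits drawn from the OS CSPRNG
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime, regardless of activity


class SessionStore:
    """In-memory session store; a real deployment would use a shared backend."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can advance time
        self._sessions = {}      # session id -> {"user", "created", "last_seen"}

    def _issue(self, user):
        # token_urlsafe uses the secrets module (OS CSPRNG): never random() or a counter.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def create(self):
        """Anonymous session for a visitor who has not logged in yet."""
        return self._issue(None)

    def get(self, sid):
        """Return the session dict, or None if unknown or expired.
        Expiry is enforced on every access, not by a background sweep."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess

    def login(self, sid, user):
        """Bind a user to a brand-new ID; the pre-login ID is discarded.

        Rotating the ID here defeats session fixation: an ID the attacker
        planted before authentication is never upgraded to an authenticated one.
        """
        self._sessions.pop(sid, None)
        return self._issue(user)

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie in the browser alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps the ID from script, Secure keeps it off
    plain HTTP, SameSite limits cross-site sending (a CSRF mitigation)."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

The `login` step is the one most often missed in practice: reusing the pre-authentication ID is what makes session fixation exploitable, and it is cheap to avoid.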

There is a heavy focus on input-related flaws such as Cross-Site Scripting, SQL injection, and HTTP response splitting. We cover the basic mechanics of each vulnerability, then real-world attack trends, and, most importantly, the mitigations and best practices for avoiding these critical flaws.
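As an added example (written for this page, not taken from the course), the Python snippet below puts each of the three flaws beside its mitigation: a SQL query built by string concatenation next to its parameterized form, run against a constructed in-memory SQLite table; an HTML fragment that echoes input raw next to one that output-encodes it; and a header-setting helper that rejects CR/LF so that user data cannot split the HTTP response. The table contents, the function names and the `set_header` helper are assumptions made for the example.

```python
import html
import sqlite3

# Added example for this page, not course material. Table contents are constructed.


def make_db():
    """In-memory SQLite database with a small, constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def find_user_vulnerable(db, name):
    """Concatenation: the input becomes part of the SQL grammar.
    A name of  x' OR '1'='1  returns every row in the table."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    """Parameterized query: the driver passes the value as data, never as SQL."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name):
    """Echoes input raw into HTML: reflected Cross-Site Scripting."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Output-encode for the HTML context the value lands in;
    quote=True also escapes quotes, so the same helper is safe inside attributes."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def set_header(headers, name, value):
    """Add a response header, refusing CR or LF in either the name or the value.

    A value containing a CR LF pair would otherwise terminate the header line
    and let the attacker append further headers or a second body
    (HTTP response splitting)."""
    if any(c in "\r\n" for c in name + value):
        raise ValueError("CR/LF not allowed in header name or value")
    headers[name] = value
    return headers
```

The common thread is that the untrusted value is kept as data in every interpreter it reaches: the SQL engine gets it as a bound parameter, the browser gets it entity-encoded, and the HTTP layer never sees a line terminator inside a header.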

We finish the day with phishing mitigation and techniques for placing a honeypot in the production environment to detect and deflect attacks.

  • Topics
    • Session Best Practices
    • Cross-Site Request Forgery
    • Input Handling and Validation in an Application
    • SQL Injection
    • Cross-Site Scripting
    • HTTP Response Splitting
    • Honeypot

Day 3

Day three of the course is dedicated to AJAX and Web Services security. Asynchronous JavaScript and XML (AJAX) and Web Services are currently the most active areas of Web application development, and security issues continue to arise as organizations dive head first into implementing these technologies without first understanding them.

We cover the security issues, mitigation strategies, and general best practices for implementing AJAX and Web Services. We also examine real-world attacks and trends to give you a better understanding of exactly what you're protecting against. Discussion focuses on the Web services in the morning and AJAX technologies in the afternoon.

  • Topics
    • Introduction to Web Services and Related Technologies
    • XPATH Injection
    • XML Schema Related Attacks
    • XML Parsing and Related Security Issues
    • AJAX Security Overview
    • AJAX Security Effects on Web Applications