About course

This course helps you understand the fundamental security principles of the modern web. It provides an overview of the most common attacks and illustrates the fundamental countermeasures that every web application should implement.

The course features real cases from pentesting practice and draws on resources such as HackerOne and OWASP, among others. Each lesson includes identification and exploitation tasks as well as code correction tasks that are checked by a bot.

In essence, this course offers the knowledge and skills needed to build more secure applications on modern frameworks. Successful participants will gain the knowledge and experience of a web application security specialist and will be ready to deal with real-world web vulnerabilities. The course is useful for testers, developers, IT security specialists, system administrators and DevOps engineers.

You will learn

  • Knowledge of modern web vulnerabilities
  • Techniques of modern web application code audit
  • Secure code development
  • Creative thinking and problem solving

Course material

Lessons

  • Lesson 0. Useful information and tools description

    Description:

    Main commands and set of tools to be used for successful completion of the course.

    Practice tasks: 0
  • Lesson 1. Directories and files brute-forcing. Learning the platform’s basics

    Description:

    The lesson covers security problems caused by sensitive files and directories that are left publicly accessible on the server.

    Practice tasks: 5
  • Lesson 2. Code and command injections

    Description:

    Injection is among the most dangerous vulnerability classes in the OWASP Top 10 (A1 in the 2017 edition). Command injection allows an attacker to execute arbitrary OS commands on the server.

    Practice tasks: 10
  • Lesson 3. Directory traversal, LFI/RFI

    Description:

    Directory traversal lets an attacker read files outside the intended directory (source code, application data, back-end credentials, OS files); local and remote file inclusion (LFI/RFI) additionally let the application include and execute files it should not.

    Practice tasks: 6
  • Lesson 4. SQL and NoSQL injections

    Description:

    Why SQL and NoSQL injections arise, how to find them and how to prevent them.

    Practice tasks: 10
  • Lesson 5. CSRF and XSS

    Description:

    CSRF is an attack that tricks a logged-in user's browser into sending a forged request to the web application on the attacker's behalf. Learn what causes CSRF and XSS, how to find and prevent them, and what risks they carry.

    Practice tasks: 15
  • Lesson 6. XXE and SSRF

    Description:

    XXE is an attack that abuses external entity processing in XML parsers. SSRF is a vulnerability that lets an attacker make the vulnerable server issue requests on their behalf, typically to services on its internal network.

    Practice tasks: 8
  • Lesson 7. SSTI

    Description:

    Learn about server-side template injection, the vulnerability caused by unsafe embedding of user input in server-side templates.

    Practice tasks: 5
  • Lesson 8. Serialization vulnerabilities

    Description:

    Learn about the typical errors made when deserializing untrusted data and how they can be exploited.

    Practice tasks: 5
  • Lesson 9. IDOR, authorization and authentication bypass

    Description:

    IDOR (insecure direct object reference) is a vulnerability that allows a user to access pages, data or files that they should not have access to. Authentication problems can arise at every stage of the application development lifecycle; carelessness and inadequate treatment of security threats may lead to authentication bypass.

    Practice tasks: 8
  • Lesson 10. Misconfigurations and components with known vulnerabilities

    Description:

    Learn about security problems such as unpatched vulnerabilities, default accounts and unprotected files.

    Practice tasks: 5
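The following is an added example of the kind of "vulnerable code next to its correction" pair that the code correction tasks in Lesson 2 revolve around; it is not course material. It assumes a hypothetical "host lookup" feature that shells out to a command-line tool, and uses `echo` as a stand-in for the real tool (ping, nslookup and the like) so that it runs on any system with a POSIX shell and gives deterministic output. The attack input is constructed for the example.

```python
"""Command injection: a vulnerable handler next to its corrected form.

Constructed teaching example, not code from the course. The hypothetical
feature is a "host lookup" endpoint that shells out to a command-line tool.
`echo` stands in for the real tool (ping, nslookup, ...) so the example runs
anywhere with a POSIX shell and produces deterministic output.
"""
import re
import subprocess

# Allowlist for a DNS hostname: letters, digits, dots and hyphens only.
# Anything the shell could interpret (; | & $ ` and so on) is rejected up front.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_vulnerable(host: str) -> str:
    """VULNERABLE: user input is concatenated into a string handed to /bin/sh.

    A value such as 'example.com; echo INJECTED' terminates the intended
    command at ';' and runs a second command chosen by the attacker.
    """
    cmd = f"echo lookup {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(host: str) -> str:
    """Partial fix: no shell, so metacharacters are never interpreted.

    The whole payload arrives as a single argv element and the second command
    is never executed. Input is still not validated, so garbage reaches the tool.
    """
    result = subprocess.run(["echo", "lookup", host], capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Corrected form: validate against an allowlist, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    result = subprocess.run(
        ["echo", "lookup", host],  # argv list: `host` can only ever be one argument
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"  # constructed attack input
    print("vulnerable :", repr(lookup_vulnerable(payload)))
    print("argv only  :", repr(lookup_argv_only(payload)))
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print("hardened   : rejected,", exc)
    print("hardened   :", repr(lookup_hardened("example.com")))
```

Running the module shows the three outcomes side by side: the vulnerable handler prints a second line produced by the injected command, the argv-only variant passes the entire payload to the tool as one argument, and the hardened variant refuses the input before anything is executed. Both layers matter: dropping `shell=True` removes the injection, while the allowlist keeps malformed values away from the tool and gives the caller a clear error.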