Developing Defensible Web Applications

Introduction

This class first shows developers how attackers build strategies to compromise applications, so that students learn to "think like an attacker."

The class then demonstrates how the Open Web Application Security Project (OWASP) gives developers the tools to build applications that are difficult or nearly impossible to hack.

This class is rich in hands-on exercises, giving developers a chance to see for themselves how attackers think, how the framework protects the application, and where it falls short.

Course Outline

Common Attacks

  • Injection Flaws
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Malicious File Execution
  • Security Configuration
  • Session Hijacking
  • Encryption
  • Insecure Direct Object Reference
  • Failure to authorize/hidden URLs

Secure Design

  • Layered Design Concepts
  • Object Layer
  • Persistence Layer
  • Presentation Layer

Countermeasures

  • Validation
    • Validation Controls
    • Strong Typing
    • Regular Expressions
    • White list
    • Scrubbing
    • Black list
  • Encoding
  • CAPTCHA
  • Honey Pots
  • Avoiding SQL Injection
    • Parameterized Queries/Prepared Statements
    • Stored Procedures
    • Entity Framework/Hibernate
  • Avoiding Cross Site Request Forgeries
  • Authorization & Authentication
    • .NET Authentication
    • Basic & Digest
    • Forms
    • Windows Authentication
    • JAAS and other Java authentication services
    • Authorization
    • Password Security
    • Brute Force attacks
    • Password Resets
    • Secret Questions/Answers
    • SSL

Session Security

  • Session IDs
  • Policies
  • Hijacking/Fixation Attacks

Resources

  • OWASP Tools
    • ESAPI
    • CSRF Tester
    • WebScarab
  • Other tools