Web Application Security (WAS)
Training duration: 4 days (32 academic hours) of highly practical information heavily mixed with hands-on labs.
- 17-18 March & 24-25 March 2025 (in English, by Marko Belzetski)
Group size: 12 participants maximum
Target audience: WebApp developers, testers, QA, maintainers, team leads, project leads, web server or hosting providers / administrators, information security specialists and managers.
Web Application Security training consists of two modules:
- Client-Side Attacks (attacks that incorporate the victim’s browser).
- Server-Side Attacks (directly attacking the server itself)
The training is held by our partner Clarified Security.
Training methods
Our course employs a dynamic blend of theoretical concepts and hands-on application. Through interactive lectures, engaging discussions, and immersive labs, participants actively experience web application security. Everyone, regardless of their background, will successfully complete the labs, either independently or with guidance from our expert instructors. By placing you in the attacker’s shoes within our dedicated lab environment, we transform theoretical knowledge into practical skills. Instructors leverage real-world case studies and storytelling from penetration tests to provide a vivid and relatable learning experience. This approach ensures that participants not only grasp the intricacies of security principles but also gain the practical know-how to navigate and secure real-world scenarios.
Ideology of this training
At the core of our course is the belief that understanding the offensive side is paramount to effective defense. The “Attack to Defend” motto encapsulates this ideology, emphasizing the importance of practical knowledge. We go beyond traditional approaches, challenging outdated terms and providing insights into cutting-edge techniques. The course is designed not just to teach security principles but to instill a proactive mindset, empowering you to anticipate and thwart potential threats.
Contents of this training
Topics covered in the training course
Client-Side attacks module (2 days):
- Browser security policies and terminology
- Cross-Site Scripting (XSS) – what it is and what it is not
- Web Content Injection attacks (HTML injection, JavaScript injection)
- URL encoding, URL manipulation
- Referrer, Referrer-Policy
- Content Execution Attacks
- Web Content Execution from uploaded files (HTML, XML, SVG)
- Serving files, Content-Disposition header
- Using 3rd party content
- HTTP response headers (Content-Security-Policy (CSP), X-Content-Type-Options, Strict-Transport-Security)
- Browser storages
- Cookies, setup and parameter nuances
- Web Storage API
- Session, session hijacking and session fixation attacks
- Client-Side Request Forgery attacks
- Cross-Origin Resource Sharing (CORS), CORS-safelisted and pre-flight requests, related headers
- UI Redress Attacks (ClickJacking)
Server-Side attacks module (2 days):
- Security, security related terminology
- Factors for calculating risk
- Information sources
- The HTTP protocol and communication, using intercepting proxies
- Web application architectures – REST vs “oldschool”
- Building a defense (user input, input validation, encoding, sanitization, defense layers)
- Authentication (passwords and hashes; rules, common misunderstandings and myths related to passwords)
- Authorization (lacking access controls)
- Unintended information leakage (using search engines, metadata from files)
- Business logic issues
- SQL injection – detection, query and database structure identification, blind and partially blind attacks, incorrect defenses and bypasses
- Command injection
- Web server configuration issues
- Path traversal
- File inclusion attacks (LFI, LFI2RCE)
- File upload and processing (bypassing incorrect defenses, ZIP and XML features)
- Server-Side Request Forgery (SSRF)
- XML eXternal Entity (XXE)
Intended outcome
By the end of this course, participants will possess the expertise to architect inherently secure software, integrating robust defense mechanisms seamlessly into the development process. Security will be ingrained as a proactive element, enabling participants to identify vulnerabilities early and build resilient applications from the ground up. Whether you’re a security enthusiast, developer, or IT professional, this program equips you to confidently create digital landscapes where security is not an addition but an integral part of the development lifecycle.
Technical requirements for the training
You will need to bring your own laptop.
Be sure to bring your laptop, charger and, if necessary, other accessories (mouse, etc.). The laptop must have an Ethernet port or the ability to connect to a Wi-Fi network, and a screen resolution of at least 1920 x 1080. Any operating system is suitable; the main requirement is a remote desktop client, since all training activities take place in our training environment. If you want to install a remote desktop client on your computer in advance, our recommendations are:
- Linux: Remmina, rdesktop
- macOS: Microsoft Remote Desktop client (Available in Mac App Store)
- Windows: Windows 10 built-in
Trainer
Marko Belzetski, Pentester (WebApps) and trainer
Marko joined the team in August 2016 as a Web Application Pentester. Although his previous work experience has mainly been in finance and business support, he has also done freelance web application development. Marko holds a bachelor's degree in business administration from Northwood University and is currently obtaining a degree in IT Systems Development from Estonian Information Technology College.