<img height="1" width="1" src="https://www.facebook.com/tr?id=1879927395628828&amp;ev=PageView &amp;noscript=1">

Web Attack and Remediation (WAR) Course

“AsTech’s team are some of the most experienced and dedicated software security professionals I’ve ever come across. They are adept at quickly understanding the needs of the enterprise and producing results.”

Jeremiah Grossman

Chief of Security Strategy - SentinelOne

Founder - WhiteHat Security

Welcome to our Web Attack and Remediation (WAR)
Course for Applications

AsTech’s Web Attack and Remediation (WAR) courses are designed to help take your development team to the next level of executing on strong secure coding practices. This course is designed to launch your development staff from using small time prevention methods into leveraging full force advanced security protocols.

Here are the four concepts we will discuss in detail:

  1. Defining the OWASP Top 10 Vulnerabilities
  2. Discovering vulnerabilities in your own applications
  3. Understanding the effects of exploits based on these vulnerabilities
  4. Recovering from an attack and preventing new vulnerabilities from opening up in the future

AsTech's Hands On Approach

We have elected to take a hands on approach to this course, so your team will walk through these steps in a controlled lab environment. While other OWASP classes focus more on lecture, we believe that a lab-based course gives your team a firmer grasp of the concepts and processes presented here. Our experts are here to guide you through the process of identifying vulnerabilities, the attacks which exploit them, and how to fend them off using the absolute best technology available. As a team, AsTech has already helped thousands of companies step up their security game and fortify their applications against millions of attacks every year.

Day 1 - Laying the Groundwork

Before we can begin digging into the materials of this course, we want to ensure that all participants have attained a base level of understanding. We do this through a levelset program which will give your entire team a primer on OWASP Top 10 topics. This primer can be done online or can be taken as an in-person class. This is a great refresher for your team and will get everyone in the right mindset for the remainder of the course materials.

 

What We'll Cover

  1. Intro to Web Apps and OWASP Top 10?
  2. What is a Web App?
    • What is web app security?
    • OWASP Top 10 Introductions
      • Breakdown of all 10 categories
      • Examples of all 10 vulnerabilities 
  3. How Does One Find Flaws?
    • Static Code Analysis
      • 3rd Party products available
      • Methods used
    • Dynamic Code Analysis
      • 3rd Party products available
      • Methods used
    • Manual Code Review
      • Techniques and methods of review
    • Attack Proxy
      • 3rd Party products available
      • Methods used
  4. Buzzword Blitz
    • DevOps
    • DevSecOps
    • DevOps vs DevSecOps
    • CICD

Day 2 - The Art of the Attack

Day 2 is our first full day of hands-on instruction. Today we will answer any questions from the pre-requisite OWASP Primer course on Day 1. Then, we will get right into the heart of the matter: the attack. You will learn different methods of attacking applications and how those techniques can be applied in a variety of situations. You will have opportunities to test your knowledge in our lab exercises, as well as ask questions about the content matter and receive feedback immediately.

 

The Attack! (Morning)

  1. The Steps of a Successful Attack
    • Attack goals
    • Methods and types
    • Examples
  2. Recon
    • Information gathering
    • Screening and organizing data
    • Finding hidden gems
    • Identifying inconsistencies
    • Discovering injection and client side code
  3. Lab Setup
    • Bodgeit WAR installed on class server
    • Load source into dev environment
    • Get BURP running
    • Recon

Lab Exercises (Afternoon)

  1. Introduction to Injection
    • Lab: Injection
    • Authenticate as Admin
  2. Introduction to Broken Authentication and Session Management
    • Lab: Broken Authentication and Session Management
    • View Another Person's basket not authenticated
  3. Introduction to Cross-Site Scripting
    • Lab: Cross-site Scripting (XSS)
    • Find various XSS

Day 3 - Core Defense Strategy

On Day 2 we focused on defining and identifying different types of application vulnerabilities. In Day 3, we will see how and why these flaws work within an application, and examine remediation methods to fix them. This day is full of coding trial and error as you explore what it takes to overcome these vulnerabilities and harden your application code from these kinds of flaws.

 

Fixing the Code

  1. Lab: Setup
    • Bodgeit source available on server
    • Load source into dev environment
    • Working with the WAR file
    • Uploading to Apache
  2. Lab: Injection REDUX
    • Rerun the injection lab
    • Find in source the auth routine
    • How do we clean this up?
    • Rewrite code
    • Re-deploy WAR file
    • Re-Attempt injection
  3. Lab: Broken Authentication and Session Management REDUX
    • Rerun Session Management Lab
    • Fix Session management
    • Re-deploy
    • Test
  4. Lab: XSS Redux
    • Rerun the XSS Lab
    • Locate sanitization code
    • Fix XSS
    • Re-Deploy WAR file
  5. Wrap Up
  6. Additional References for further consideration
Web-Attack-Remediation-Course-statistics.jpg

By the end of Day 3, you should have a strong understanding of the OWASP Top 10 vulnerabilities including how to identify them promptly within applications and what techniques can be used to fix these flaws. Additional references will be made available for those who wish to learn more about how these vulnerabilities affect networks, and how industry leaders have been working to overcome them for years. 

For more information about this class and other IT courses from Astech, contact us today!