OWASP Top 10 Training Boot Camp

The OWASP Top Ten is widely recognized as a powerful awareness document that represents a broad consensus among security experts from around the world about the most critical security risks to web applications. InfoSec Institute’s 2-day OWASP Top Ten course is designed to educate professionals whose responsibilities include developing, administering, or securing web applications about the most common web application security vulnerabilities, the potential impact of exploiting these weaknesses, and basic approaches to mitigating the web application security risks.

Course Objectives

This course follows the structure of the OWASP Top Ten list of the most critical web application security risks. For each risk, it provides its description, common examples of vulnerabilities and ways the attackers can use to exploit them, and explains potential consequences of a successful attack. Basic guidance on how to avoid each risk is also provided as part of the course, which is delivered in engaging, seminar-style lecture format with hands-on lab exercise that students complete. This hands-on approach keeps developers engaged and ensures knowledge transfer of critical secure coding techniques.

After successfully completing this course, you will:

• Recognize the causes behind and the consequences of common coding errors and mistakes
• Understand the methods for discovery and exploitation of these issues
• Understand the basic practices that help prevent the most common mistakes and lead to more secure software

The course is sectioned into ten modules, based on the latest release of the OWASP Top Ten list. The material is constantly being revised and is subject to change.

A1 – Injection

Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. Attackers send simple text-based attacks that exploit the syntax of the targeted interpreter. Injection can result in data loss or corruption, denial of access, or lead to complete host takeover.

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

A3 – Cross-Site Scripting (XSS)

XSS flaws occur when an application updates a web page with attacker controlled data without properly escaping that content or using a safe JavaScript API. Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

A4 – Broken Access Control

Applications and APIs don’t always verify the user is authorized for the target resource. This results in an access control flaw. Attackers, who are authorized users, simply change a parameter value to another resource they aren’t authorized for. Such flaws can compromise all the functionality or data that is accessible.

A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Attackers access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system. Occasionally, such flaws result in a complete system compromise.

A6 – Sensitive Data Exposure

The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

A7 – Insufficient Attack Protection

Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?

A8 – Cross-Site Request Forgery (CSRF)

CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Attackers create forged HTTP requests and trick a victim into submitting them via image tags, iframes, XSS, or various other techniques. If the user is authenticated, the attack succeeds. Attackers can trick victims into performing any state changing operation the victim is authorized to perform (e.g., updating account details, making purchases, modifying data).

A9 – Using Components with Known Vulnerabilities

Many applications and APIs have these issues because their development teams don’t focus on ensuring their components and libraries are up to date. In some cases, the developers don’t even know all the components they are using, never mind their versions. Attackers identify a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. The impact could range from minimal to complete host takeover and data compromise.

A10 – Underprotected APIs

Modern web applications and APIs are increasingly composed of rich clients that connect to backend APIs (XML, JSON, RPC, GWT, custom). APIs (microservices, services, endpoints) can be vulnerable to the full range of attacks. The impact could range from minimal to complete host takeover and data compromise.

Hands-On Labs

The OWASP Top Ten Boot Camp features several hands-on labs, including:

• Exploiting SQL Injection
• Attacking Authentication
• Cross Site Scripting Exploitation
• Source Code Auditing
• CMS Identification
• Attacking Web Services
• Client Side Attacks
• Open Source Analysis & Google Hacking
• Exploiting Web Application with w3af

Who Should Attend

InfoSec Institute’s OWASP Top Ten course applies to a broad audience. Primarily designed for professionals whose job function includes creating web applications, it will also be highly beneficial for other IT and information security professionals, as well as managers who want know more about web application security risks and what they mean to an organization.

Pre-Class Preperation

Signing up for InfoSec Institute’s OWASP Top Ten course means more than just attending a 2-day program. The program starts with quality custom pre-study course, an interactive self-learning experience that combines reading materials, videos, practice questions, and other types of resources and guidance.