OWASP Top 10 Training Boot Camp

Transform your career in 2 days

In today’s interconnected world, web applications are everywhere, but they also pose significant security risks. By mastering the top ten vulnerabilities identified by the Open Worldwide Application Security Project (OWASP), you gain a valuable skill set in high demand across industries, from private to government sectors. Our OWASP Top 10 Training Boot Camp is your gateway to becoming a proficient web application security professional.

Course essentials

Boot camp at a glance

  • Method

    Live online, in-person or team onsite

  • Duration

    2 days

  • Experience

    1-3 years

  • Average salary

    $122,000

What you'll learn

Training overview

The OWASP Top 10 Boot Camp is a must for professionals seeking to enhance their expertise in web application security. This comprehensive course is primarily designed for individuals involved in creating web applications, such as web developers and web administrators.

By enrolling in this boot camp, you gain valuable insights into the 10 most critical web application security risks identified by OWASP. You’ll understand and experience:

  • Web application security risks: Gain an in-depth understanding of the 10 most critical security risks identified by OWASP.
  • Vulnerability identification: Learn how to identify common vulnerabilities in web applications, such as injection flaws, broken authentication, sensitive data exposure and more.
  • Risk impact evaluation: Understand the potential impact of exploiting web application vulnerabilities and the consequences for organizations.
  • Risk mitigation strategies: Explore best practices and techniques for mitigating web application security risks and implementing secure coding practices.
  • Hands-on labs: Engage in hands-on lab activities to practice identifying and exploiting common web application vulnerabilities.
  • Secure coding techniques: Acquire knowledge and skills to develop secure web applications by implementing secure coding techniques and practices.
  • Risk reporting and communication: Learn how to effectively communicate web application security risks to stakeholders and management.
  • Industry best practices: Stay updated with industry best practices for web application security and secure coding.

Award-winning training you can trust

What's included

Everything you need to know

  • 90-day extended access to Boot Camp components, including class recordings
  • 100% Satisfaction Guarantee
  • Free 90-day Infosec Skills subscription (access to 1,400+ additional courses and labs)
  • Knowledge Transfer Guarantee
  • Pre-study learning path

Before your boot camp

Prerequisites

There are no prerequisites. Infosec’s OWASP Top Ten Boot Camp applies to a broad audience. However, this training is primarily designed for professionals whose job function includes creating or evaluating web applications, so professional experience is beneficial for you to get the most from this boot camp.

Syllabus

Training schedule

Day 1
Morning session

A1 – Injection

Injection flaws, such as SQL, OS, XXE and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. Attackers send simple text-based attacks that exploit the syntax of the targeted interpreter. Injection can result in data loss or corruption, denial of access or lead to complete host takeover.
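As an added example (not part of Infosec's course material), the following Python snippet uses the standard library sqlite3 module and a constructed in-memory table to contrast a query that splices user input into the SQL text with one that binds it as a parameter, and shows the allow-list approach for identifiers such as sort columns, which cannot be bound as parameters. The table contents, the tautology string and the function names are all assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with three sample rows (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text. The interpreter cannot
    # distinguish data from command, so a quote character in `name` changes
    # the meaning of the statement (and a legitimate "O'Brien" breaks it).
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Placeholder binding: the value travels to the driver separately from the
    # statement text and can only ever be compared as a literal string.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

# Identifiers (table and column names) cannot be bound as parameters, so an
# allow-list is the right control for user-selectable sort columns.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_col}")]

# Constructed input that exploits the interpreter's syntax: the quote closes the
# string literal and the OR clause makes the WHERE condition always true.
TAUTOLOGY = "x' OR '1'='1"
```

Run against the constructed table, the vulnerable lookup returns every row for the tautology input while the parameterized lookup returns none, because the whole string is compared as a name and no such user exists.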

A2 – Broken authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Afternoon session

A3 – Sensitive data exposure

The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management and weak algorithm usage are common, particularly weak password hashing techniques. Attackers typically don’t break crypto directly. They break something else, such as stealing keys, performing man-in-the-middle attacks, or stealing cleartext data from the server, in transit, or from the user’s browser. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data and credit card numbers.
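The "weak password hashing" point above, as an added example that is not part of the course material: a Python snippet using only the standard library that places an unsalted fast hash beside a salted, slow, self-describing PBKDF2-HMAC-SHA256 hash with constant-time verification and a work-factor upgrade check. The iteration count, the storage string format and the function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget
# and raise it over time (needs_rehash below flags stale hashes).
ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal digests and each guess costs microseconds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)  # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """True when a stored hash uses a lower work factor than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS
```

Because the salt is random, two users with the same password get different stored values, so a leaked table cannot be attacked with one precomputed dictionary, and each guess must pay the full iteration cost.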

A4 – XML external entities (XXE)

By default, many older XML processors allow the specification of an external entity, a URI that is dereferenced and evaluated during XML processing. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations. These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.

Evening session

A5 – Broken access control

Applications and APIs don’t always verify that the user is authorized for the target resource, which results in an access control flaw. Attackers, who are legitimately authorized users of the application, simply change a parameter value to reference another resource they aren’t authorized for. Such flaws can compromise all the functionality or data that is accessible.
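The parameter-swapping flaw described above, as an added Python example that is not part of the course material: a handler that authenticates but never authorizes, beside one that enforces an ownership check on every object lookup. The invoice table, the user and role model and the exception names are assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed role model)

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

# Constructed data: invoice id -> record, each owned by one user.
INVOICES = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.0},
}

def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # The caller is authenticated (we have a User), but nothing checks that
    # this user may see this invoice: changing 101 to 102 in the request
    # reads another customer's record.
    return INVOICES[invoice_id]

def get_invoice(user: User, invoice_id: int) -> dict:
    # Object-level authorization: resolve the record, then verify the
    # requesting user owns it (or holds a role that may see all records).
    record = INVOICES.get(invoice_id)
    if record is None:
        raise NotFound(f"invoice {invoice_id}")
    if user.role != "admin" and record["owner_id"] != user.id:
        raise Forbidden(f"user {user.id} may not read invoice {invoice_id}")
    return record
```

The check lives next to the data access rather than in the client, so it cannot be bypassed by editing the request; in a real service the Forbidden case is usually reported to the client as 404 rather than 403 so that ids cannot be enumerated, while the distinct reason is still logged server-side.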

Schedule may vary from class to class

Day 2
Morning session

A6 – Security misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. Attackers access default accounts, unused pages, unpatched flaws, unprotected files and directories to gain unauthorized access to or knowledge of the system. Occasionally, such flaws result in a complete system compromise.

A7 – Cross-site scripting (XSS)

XSS flaws occur when an application updates a web page with attacker-controlled data without properly escaping that content or using a safe JavaScript API. Attackers can execute scripts in a victim’s browser to hijack user sessions, deface websites, insert hostile content, redirect users, hijack the user’s browser using malware and more.
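Context-aware output encoding, as an added Python example that is not part of the course material: the same untrusted value rendered unsafely, then rendered into an HTML body, an HTML attribute and a script block with the encoding each context needs. Only the standard library is used; the page fragments and the sample input are constructed for the demonstration.

```python
import html
import json

# Constructed untrusted input, e.g. a display name submitted through a form.
UNTRUSTED_NAME = "<script>alert(1)</script>"

def render_vulnerable(name: str) -> str:
    # Untrusted data is pasted straight into the HTML body, so any markup in
    # `name` becomes part of the page and is executed by the victim's browser.
    return f"<p>Hello, {name}!</p>"

def render_body(name: str) -> str:
    # HTML body context: escape &, <, >, " and ' so the data is displayed as text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def render_attribute(value: str) -> str:
    # Attribute context: always quote the attribute AND escape quotes, otherwise
    # a value containing a quote closes the attribute and can add new ones.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def render_script_data(value: str) -> str:
    # Script context: JSON-encode so the value is a string literal to the JS
    # engine, and break any "</" sequence so it cannot terminate the <script> block.
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var greeting = {literal};</script>"
```

Each renderer encodes for exactly one context; reusing the body encoder inside a script block, or vice versa, is the usual source of "we escaped it but it still fired" bugs.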

Afternoon session

A8 – Insecure deserialization

Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in object- and data structure-related attacks or data-tampering attacks, such as access-control-related attacks where existing data structures are used but the content is changed. Exploitation of deserialization is somewhat difficult, as off-the-shelf exploits rarely work without changes or tweaks to the underlying exploit code. The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible.
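As an added Python example that is not part of the course material, the following shows two defensive patterns for the deserialization problem above: accepting a data-only format (JSON) with explicit shape validation, and, where a native object stream must be read, an unpickler that only resolves an allow-list of classes so a stream referencing an arbitrary callable is refused before anything is constructed. The order schema, the allow-list contents and the constructed inputs are assumptions for the demonstration.

```python
import builtins
import io
import json
import pickle

class ForbiddenGlobal(pickle.UnpicklingError):
    """Raised when a pickle stream asks for a class or function not on the allow-list."""

# Classes the restricted loader may resolve; keep this tiny and free of side effects.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode is resolved through this hook, so
        # refusing unknown names blocks streams that name arbitrary callables.
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise ForbiddenGlobal(f"global '{module}.{name}' is forbidden")

def restricted_loads(data: bytes):
    """Load a pickle stream while refusing any class not on ALLOWED_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_order(data: bytes) -> dict:
    """Preferred path: data-only format plus explicit validation of the expected shape."""
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"sku", "qty"}:
        raise ValueError("unexpected order shape")
    qty = obj["qty"]
    if not isinstance(obj["sku"], str) or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        raise ValueError("invalid field types")
    return obj

# Constructed inputs for the demonstration.
BENIGN_PICKLE = pickle.dumps({"sku": "A-100", "qty": 2})
# A stream that merely references a callable by name (builtins.print); the
# restricted loader rejects the reference rather than resolving it.
GLOBAL_REF_PICKLE = pickle.dumps(print)
```

The JSON path is the one to reach for with data from clients; the restricted unpickler is a containment measure for internal streams that cannot be migrated yet, and its allow-list should never be widened to include classes whose construction has side effects.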

A9 – Using components with known vulnerabilities

Many applications and APIs have these issues because their development teams don’t focus on ensuring their components and libraries are up to date. In some cases, the developers don’t even know all the components they are using, never mind their versions. Attackers identify a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. The impact could range from minimal to complete host takeover and data compromise.

Evening session

A10 – Insufficient logging & monitoring

Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of a successful exploit to nearly 100%. One strategy for determining if you have sufficient monitoring is to examine the logs following penetration testing. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted.
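The "allowing such probes to continue" point above, as an added Python example that is not part of the course material: a minimal parser for Common Log Format lines and a sliding-window check that flags any client whose 4xx responses reach a threshold within a time window, run over constructed sample log lines. The log format, the addresses (documentation ranges), the paths and the threshold are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the application writes Common Log Format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (not from any real system): one ordinary client and
# one client sweeping for files and guessing logins within a few seconds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /products/42 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /backup.zip HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 401 98
198.51.100.7 - - [10/Oct/2023:13:56:07 +0000] "POST /login HTTP/1.1" 401 98
203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "GET /missing-page HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /console HTTP/1.1" 403 120
"""

def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def client_error_bursts(log_text: str, window=timedelta(minutes=5), threshold=5) -> dict:
    """Return {ip: peak_count} for sources whose 4xx responses reach `threshold` within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 400 <= rec["status"] < 500:
            events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in events.items():
        times.sort()  # log lines may be written out of order
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

The same parser is what you would run over the logs after a penetration test: if the testers' probing does not surface as a burst here, the logging or the alerting is not sufficient to catch a real attacker doing the same thing.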


Guaranteed results

Our boot camp guarantees

100% Satisfaction Guarantee

If you’re not 100% satisfied with your training at the end of the first day, you may withdraw and enroll in a different online or in-person course.

Knowledge Transfer Guarantee

If an employee leaves within three months of obtaining certification, Infosec will train a different employee at the same organization tuition-free for up to one year.

Unlock team training discounts

If you’re like many of our clients, employee certification is more than a goal — it’s a business requirement. Connect with our team to learn more about our training discounts.

You're in good company

Amazing experience! The methods of teaching the material are right on spot. The presentation of the material made it easy for everyone in class to understand and the instructor's knowledge and practical experience supported all aspects of the training.

Kurt Kopf, Freddie Mac

I went to West Point for my bachelor's, Columbia for my master's and had multiple Army-led courses and this ranks as one of the best, most engaging courses that I have ever had.

William Jack, US Army

I have been in this industry for over 10 years, and I have never seen or heard anyone explain complex ideas and systems in such an easy-to-digest manner.

Antonio Roberto Garcia, GRA Research