Boot camp at a glance
Live online, in-person or team onsite
What you'll learn
The OWASP Top 10 Boot Camp is a must for professionals seeking to enhance their expertise in web application security. This comprehensive course is primarily designed for individuals involved in creating web applications, such as web developers and web administrators.
By enrolling in this boot camp, you gain valuable insights into the 10 most critical web application security risks identified by OWASP. You’ll understand and experience:
- Web application security risks: Gain an in-depth understanding of the 10 most critical security risks identified by OWASP.
- Vulnerability identification: Learn how to identify common vulnerabilities in web applications, such as injection flaws, broken authentication, sensitive data exposure and more.
- Risk impact evaluation: Understand the potential impact of exploiting web application vulnerabilities and the consequences for organizations.
- Risk mitigation strategies: Explore best practices and techniques for mitigating web application security risks and implementing secure coding practices.
- Hands-on labs: Engage in hands-on lab activities to practice identifying and exploiting common web application vulnerabilities.
- Secure coding techniques: Acquire knowledge and skills to develop secure web applications by implementing secure coding techniques and practices.
- Risk reporting and communication: Learn how to effectively communicate web application security risks to stakeholders and management.
- Industry best practices: Stay updated with industry best practices for web application security and secure coding.
Award-winning training you can trust
Everything you need to know
- 90-day extended access to Boot Camp components, including class recordings
- 100% Satisfaction Guarantee
- Free 90-day Infosec Skills subscription (access to 1,400+ additional courses and labs)
- Knowledge Transfer Guarantee
- Pre-study learning path
Before your boot camp
There are no prerequisites. Infosec’s OWASP Top Ten Boot Camp applies to a broad audience. However, this training is primarily designed for professionals whose job function includes creating or evaluating web applications, so professional experience is beneficial for you to get the most from this boot camp.
A1 – Injection
Injection flaws, such as SQL, OS, XXE and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. Attackers send simple text-based attacks that exploit the syntax of the targeted interpreter. Injection can result in data loss or corruption, denial of access or lead to complete host takeover.
A2 – Broken authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
A3 – Sensitive data exposure
The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage are common, particularly weak password hashing techniques. Attackers typically don’t break crypto directly. They break something else, such as stealing keys, performing man-in-the-middle attacks, or stealing clear text data off the server, while in transit or from the user’s browser. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data and credit cards.
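An added example of the "weak password hashing" point above; it is not part of the boot camp material. It contrasts an unsalted fast digest with a salted, iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library) and a constant-time comparison on verification. The storage format `algo$iterations$salt$hash` and the iteration count are this example's own choices, not a requirement of the page.

```python
import hashlib
import hmac
import os

# Assumption for this example: an iteration count in the range OWASP's
# password-storage guidance recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    # Unsalted and fast: equal passwords give equal digests across all users,
    # precomputed tables apply directly, and a GPU tries billions per second.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    # A fresh random salt per password means two users with the same password
    # get different records, and the iteration count makes each guess costly.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Parameters are read back from the record, so the iteration count can be
    # raised for new passwords without breaking existing ones.
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

A memory-hard function such as scrypt or Argon2 is the stronger choice where it is available; the structure of the record and the verification step are the same.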
A4 – XML external entities (XXE)
By default, many older XML processors allow the specification of an external entity, a URI that is dereferenced and evaluated during XML processing. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations. These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
A5 – Broken access control
Applications and APIs don’t always verify the user is authorized for the target resource. This results in an access control flaw. Attackers, who are authorized users, simply change a parameter value to another resource they aren’t authorized for. Such flaws can compromise all the functionality or data that is accessible.
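The parameter-changing case described above, as an added example that is not from the boot camp or from OWASP: a handler that looks up an invoice by the id the client sent and returns it to any authenticated user, beside a handler that checks the server's own record of who owns the object before returning it. The `Invoice` type, the `billing_admin` role and the sample records are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object."""


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, amount_cents=4_900),   # user 1
    102: Invoice(invoice_id=102, owner_id=2, amount_cents=12_000),  # user 2
}


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    # Authentication happened (we know who the caller is) but no authorization:
    # whatever id arrives in the request is served, so user 1 can read 102.
    return INVOICES[invoice_id]


def get_invoice(current_user_id: int, invoice_id: int,
                roles: frozenset = frozenset()) -> Invoice:
    # Object-level authorization: ownership comes from the server-side record,
    # never from anything the client supplied.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice.owner_id != current_user_id and "billing_admin" not in roles:
        # Deny by default; the role exception is explicit and narrow.
        raise Forbidden(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice


def can_read(current_user_id: int, invoice_id: int,
             roles: frozenset = frozenset()) -> bool:
    """Boolean wrapper so the policy is easy to test and to log on denial."""
    try:
        get_invoice(current_user_id, invoice_id, roles)
        return True
    except (KeyError, Forbidden):
        return False


if __name__ == "__main__":
    print(get_invoice_vulnerable(1, 102))          # leaks user 2's invoice
    print(can_read(1, 101), can_read(1, 102))     # True False
    print(can_read(1, 102, frozenset({"billing_admin"})))  # True
```

The check belongs in the data-access layer (or a single policy function every handler calls), not scattered across endpoints, so that a newly added route cannot forget it.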
A6 – Security misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. Attackers access default accounts, unused pages, unpatched flaws, unprotected files and directories to gain unauthorized access to or knowledge of the system. Occasionally, such flaws result in a complete system compromise.
A7 – Cross-site scripting (XSS)
A8 – Insecure deserialization
Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in object- and data structure-related attacks or data-tampering attacks, such as access-control-related attacks where existing data structures are used but the content is changed. Exploitation of deserialization is somewhat difficult, as off-the-shelf exploits rarely work without changes or tweaks to the underlying exploit code. The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible.
A9 – Using components with known vulnerabilities
Many applications and APIs have these issues because their development teams don’t focus on ensuring their components and libraries are up to date. In some cases, the developers don’t even know all the components they are using, never mind their versions. Attackers identify a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. The impact could range from minimal to complete host takeover and data compromise.
A10 – Insufficient logging & monitoring
Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of a successful exploit to nearly 100%. One strategy for determining if you have sufficient monitoring is to examine the logs following penetration testing. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted.
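An added example of the monitoring the paragraph calls for, not code from the boot camp: it parses web-server access-log lines in Common Log Format and flags any client that produces a burst of 4xx responses (the signature of the vulnerability probing described above) within a sliding time window. The log lines, the client addresses and the threshold are constructed for the illustration; a real deployment would feed the same logic from the server's log pipeline and raise an alert on the result.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 10.0.0.5 probes for paths that do not exist and retries
# a login; 10.0.0.9 is an ordinary visitor with a single missing favicon.
SAMPLE_LOG = """
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 196
10.0.0.5 - - [10/Oct/2023:13:55:47 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /img/logo.png HTTP/1.1" 200 8842
10.0.0.5 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 401 12
10.0.0.5 - - [10/Oct/2023:13:56:09 +0000] "POST /login HTTP/1.1" 401 12
10.0.0.9 - - [10/Oct/2023:13:56:30 +0000] "GET /favicon.ico HTTP/1.1" 404 196
10.0.0.5 - - [10/Oct/2023:13:56:33 +0000] "GET /backup.zip HTTP/1.1" 404 196
""".strip().splitlines()


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_probing(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Map client ip -> largest number of 4xx responses seen inside one window,
    for clients that reached the threshold."""
    errors = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and 400 <= ev["status"] < 500:
            errors[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in errors.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Advance the window's left edge until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_probing(SAMPLE_LOG).items():
        print(f"ALERT probing from {ip}: {count} client errors in 5 minutes")
```

The same approach answers the paragraph's penetration-test check: run the tester's source address through it afterwards and, if it is not flagged, either the events were never logged or the alerting threshold is too loose.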
Schedule may vary from class to class
Our boot camp guarantees
100% Satisfaction Guarantee
If you’re not 100% satisfied with your training at the end of the first day, you may withdraw and enroll in a different online or in-person course.
Knowledge Transfer Guarantee
If an employee leaves within three months of obtaining certification, Infosec will train a different employee at the same organization tuition-free for up to one year.
Unlock team training discounts
If you’re like many of our clients, employee certification is more than a goal — it’s a business requirement. Connect with our team to learn more about our training discounts.
You're in good company
Amazing experience! The methods of teaching the material are right on spot. The presentation of the material made it easy for everyone in class to understand and the instructor's knowledge and practical experience supported all aspects of the training.
Kurt Kopf, Freddie Mac
I went to West Point for my bachelor's, Columbia for my master's and had multiple Army-led courses and this ranks as one of the best, most engaging courses that I have ever had.
William Jack, US Army
I have been in this industry for over 10 years, and I have never seen or heard anyone explain complex ideas and systems in such an easy-to-digest manner.
Antonio Roberto Garcia, GRA Research
Explore our top boot camps
More learning opportunities
Most popular | Boot camp
CompTIA Security+ Training Boot Camp
Infosec’s CompTIA Security+ Boot Camp teaches you information security theory and reinforces that theory with hands-on exercises to help you learn by doing. You’ll learn how to configure and operate many different technical security controls — and leave prepared to pass your Security+ exam.
#1 FOR BEGINNERS | Boot camp
Cisco CCNA Associate & CyberOps Associate Training Boot Camp with Dual Certification
Infosec’s authorized CCNA Dual Certification Boot Camp helps you build your knowledge of networking and provides hands-on experience installing, configuring and operating network devices — all while preparing you to earn two Cisco certifications.
Most requested | Boot camp
(ISC)² CISSP® Certification Training and Boot Camp
Take your career to the next level by earning one of the most in-demand cybersecurity certifications. Infosec’s CISSP training provides a proven method for mastering the broad range of knowledge required to become a Certified Information Systems Security Professional.