Web Security Workshop

2-day course | Group course (6-12 people)

Learn web security by hacking yourself! Understand vulnerabilities, exploit them, and apply effective countermeasures to secure your applications.

Subjects that will be discussed:
- Backend Security (Broken Access Control, SQL Injection, ...)
- Frontend Security (XSS, CSRF, ...)
- Secure Development and DevSecOps

Course overview

This course teaches participants the typical vulnerabilities in modern web applications as well as the tricks of secure web programming. The most common security issues are explained in detail and demonstrated with live sessions. The OWASP Top 10 are an important part of it. The new understanding will be applied directly to an insecure web application (OWASP Juice Shop). For this purpose, current security tools such as the OWASP ZAP Attack Proxy or SQLMap are used.

Participants will also learn how to implement countermeasures. The course is deliberately technology-independent and is therefore suitable for any web developer.

Course duration: 2 days

Course details

Course objectives

Participants know the current vulnerabilities of modern web applications (including OWASP Top 10) and can recognize and exploit them. They understand which protective measures exist and how to implement them. Participants also learn about necessary tools to analyze & secure a web application and they can put themselves in the role of a hacker.

Course structure

Day 1

The first part of the course focuses on the aspects of server-side security. It alternates between theory, demonstrations, and practical exercises. Participants will be able to attack an application in a protected environment and identify existing vulnerabilities.
Common tools are presented, and training is given on how to use them.

Topics covered are:
- Setup Hacking Lab (OWASP ZAP)
- Risks and Threats
- Broken Access Control
- SQL Injection
- Authentication, Federated Logins
- JWT Vulnerabilities
- Misconfiguration & Known Vulnerabilities
- Server-Side Request Forgery

Day 2

The second day focuses on the client (desktop browser, mobile browser) and participants practice the weak points at the OWASP Juice Shop.

Topics covered are:
- XSS (Reflected-, Stored-, DOM-XSS, Mutation-XSS)
- Same Origin Policy
- CSRF Attacks
- CORS & Cookie Security
- Secure Development (Security Testing Pyramid, Threat Modeling)
- DevSecOps (Static Analysis, Dependency Checks, Vulnerability Scanner)

Secure development and DevSecOps are also new topics covered in the course. Participants will receive practical tips on how to improve security in their own software project.

Day 3 - Fireside Chat (optional)

Approximately two weeks after the course, you will have the opportunity to participate in a 'Fireside Chat'. During this follow-up coaching, the trainers answer open questions and provide valuable tips and suggestions. Participation in the one-hour Fireside Chat is optional and takes place online.

Target group

The workshop is aimed at software developers and architects who are involved in web technologies.

Course prerequisites

Participants need a solid basic knowledge of HTML5, JavaScript, and HTTP.

Interested in a company workshop?

As an independent training provider, we offer hands-on company courses tailored to your specific requirements. Find out how we can shape the perfect Web Security Workshop for you and your team to maximise learning benefit.