Securitum Web Lab: practical training in web application security.

Web application security training (2 days)

Get to know the subject of web application security in practice with a two-day workshop training.
During the training, we present a dozen or so vulnerable systems, the security of which is analyzed by participants. Each vulnerability is preceded by a theoretical introduction, and for the vulnerability, we also indicate methods of protection against attacks.

WHAT WILL YOU GAIN FROM THE TRAINING?

You will learn about current threats in the world of web applications.
You will learn how to protect against vulnerabilities.
You will learn the basics of testing application security.
You will learn key tools and documentation.

Framework training program

01.

01.Introduction to testing the security of web applications. Expand

What are web application penetration tests?
Presentation of an exemplary, real report on penetration tests.
Overview of OWASP Top Ten, OWASP ASVS (Application Security Verification Standard), OWASP Testing Guide.
Further sources of knowledge - on-line services, literature, tools.
Case Studies.
Reconnaissance.

02.

Detection, use and protection against vulnerabilities. Expand

Manipulation of XML files for unauthorized access to data on the server (XXE).
OS Command injection (several variants) - including a bug in one of the libraries.
JAVA, problems with upload mechanisms.
SQL injection.
XSS - taking over administrative access in the blog system / bypassing filters.
CSRF.
Application DoS attacks (ReDoS, XML Bomb, XML Bomb).

03.

Attacks on the authentication and authorization system. Expand

Examination of several security aspects of the login path.
Examination of the authorization mechanisms used.
Bruteforce techniques.

04.

The basics of secure code writing. Expand

How to define security requirements for an application?
Where to get knowledge about vulnerabilities?
Basics of static code analysis.
Security problems with libraries and how to fix them?

05.

A comprehensive safety test per application in the LAB, summarizing the knowledge. Expand

Detection of several classes of vulnerability.
Indication of protection methods.

We conduct the training regularly, there are many dates available throughout the year.

Ask for training for your company

We will organize the training at a convenient time for you. Only people from your company participate.

REST API security training (1 day)

Full-day training showing current security issues in the REST API. Training is a pure practice and over 200 interactive slides being a compendium on API security. Before the training, we send a 15-minute screencast with a practical online exercise that allows you to learn the basics of the burp suite tool, which is used during the course.

What will you gain from the training?

In a condensed way, you will learn the key problems in the security of the REST API.
You will learn how not to make security mistakes when creating a REST API.
You will learn REST API security testing.

Framework training program

01.

Introduction and case studies of real vulnerabilities in API REST. Expand

A brief overview of the methods: GET / POST / PUT / DELETE / PATCH / HEAD / MERGE / REDIRECT / ...
Case Studies have over 20 different vulnerabilities in real applications
API reconnaissance (passive / active / mobile API reconnaissance)

02.

Frequent vulnerabilities in REST API and methods of protection against them Expand

Bypassing access security for HTTP methods
Server-Side Request forgery (SSRF)
XML vulnerabilities
JSON vs. XML vs. YAML
Deserialization vs. API security
Remote Code Execution
Injection class vulnerabilities
Mass Assignment

03.

Authentication / authorization problems - in the context of the REST API Expand

Security of JWT (JSON Web Tokens)
OAuth2 security
API key leaks

We conduct the training regularly, there are many dates available throughout the year.

Ask for training for your company

We will organize the training at a convenient time for you. Only people from your company participate.

Frontend security training (2 days)

A two-day training that allows you to get to know security of the front-end of web applications. During training we discuss the most common frontend vulnerabilities, as well as the impact of web API and popular frameworks on security. All the examples are presented in live applications where participants can later solve tasks. In addition, the latest security mechanisms introduced in browsers to prevent attacks are discussed.

What will you gain from the training?

You will learn about the security vulnerabilities of the frontend world (such as XSS or CSRF) and how to protect against them.
You will learn how web APIs affect frontend security (CORS, postMessage or WebSockets).
You will learn to use frontend testing tools.
Access to training tasks remains active also after training.

Framework training program

01.

Cross Site Scripting (XSS) - the most important vulnerability in the frontend. Expand

Effects of XSS
XSS contexts
Sources and sinks
XSS sanitization and filters to protect against XSS
How to protect applications against XSS?

02.

Other vulnerabilities of the frontend Expand

CSRF - Cross Site Request Forgery
Clickjacking
Dangling Markup
CSS attacks

03.

Web API security problems. Expand

PostMessage
CORS (Cross-Origin Resource Sharing)
Service Workers
Web Sockets

04.

Defensive mechanisms Expand

Content-Security-Policy - overview of the standard, implementation methods and possible workarounds
Other security headers (X-Frame-Options, Strict-Transport-Security, etc.)
Cookies flags
Security problems with libraries and how to fix them?

05.

JS libraries and application security Expand

Overview of libraries: jQuery, AngularJS, Angular, React, Knockout, Vue
Do libraries increase or decrease application security?
Discussion of the "template injection" vulnerability occurring in some templating engines.

We conduct the training regularly, there are many dates available throughout the year.

Ask for training for your comp

We will organize the training at a convenient time for you. Only people from your company participate.

Modular training

Modular training is a great opportunity to build your own curriculum. Thanks to this, you can supplement your knowledge in selected areas of IT security exactly in the topics that you are interested in.

What will you gain from the training?

You have full control over what exactly you want to learn.
Optimize the price and training material for yourself or your team.

Framework training program

01.

Introduction to testing the security of web applications. Expand

What are web application penetration tests?
Presentation of an exemplary, real report on penetration tests.
Overview of OWASP Top Ten, OWASP ASVS (Application Security Verification Standard), OWASP Testing Guide.
Further sources of knowledge - on-line services, literature, tools.
Case Studies.
Reconnaissance.

02.

Detection, use and protection against vulnerabilities. Expand

Manipulation of XML files for unauthorized access to data on the server (XXE).
OS Command injection (several variants) - including a bug in one of the libraries.
JAVA, problems with upload mechanisms.
SQL injection.
XSS - taking over administrative access in the blog system / bypassing filters.
CSRF.
Application DoS attacks (ReDoS, XML Bomb, XML Bomb).

03.

Attacks on the authentication and authorization system. Expand

Examination of several security aspects of the login path.
Examination of the authorization mechanisms used.
Bruteforce techniques.

04.

The basics of secure code writing. Expand

How to define security requirements for an application?
Where to get knowledge about vulnerabilities?
Basics of static code analysis.
Security problems with libraries and how to fix them?

05.

A comprehensive safety test per application in the LAB, summarizing the knowledge. Expand

Detection of several classes of vulnerability.
Indication of protection methods.

06.

Introduction and case studies of real vulnerabilities in API REST. Expand

A brief overview of the methods:
GET / POST / PUT / DELETE / PATCH / HEAD / MERGE / REDIRECT / ...
Case Studies have over 20 different vulnerabilities in real applications
API reconnaissance (passive / active / mobile API reconnaissance)

07.

Frequent vulnerabilities in REST API and methods of protection against them. Expand

Bypassing access security for HTTP methods
Server-Side Request forgery (SSRF)
XML vulnerabilities
JSON vs. XML vs. YAML
Deserialization vs. API security
Remote Code Execution
Injection class errors
Mass Assignment

08.

Authentication / authorization problems - in the context of the REST API. Expand

Security of JWT (JSON Web Tokens)
OAuth2 security
API key leaks

09.

Cross Site Scripting (XSS) - the most important vulnerability in the frontend world. Expand

Discussion of the effects of XSS
XSS contexts
Entry and exit points
XSS sanitization and filters to protect against XSS
How to defend yourself?

10.

Other vulnerabilities of the frontend world. Expand

CSRF - Cross Site Request Forgery
Clickjacking
Dangling Markup
CSS attacks

11.

Web API security problems. Expand

PostMessage
CORS (Cross-Origin Resource Sharing)
Service Workers
Web Sockets

12.

Defensive mechanisms. Expand

Content-Security-Policy - overview of the standard, implementation methods and possible workarounds
Other security headers (X-Frame-Options, Strict-Transport-Security, etc.)
Cookies flags
Security problems with libraries and how to fix them?

13.

JS libraries and application security. Expand

Overview of libraries: jQuery, AngularJS, Angular, React, Knockout, Vue
Do libraries increase or decrease application security?
Discussion of the "template injection" vulnerability occurring in some shaker engines.

Our trainers

Michał Sajdak

The creator of the sekurak.pl portal, the founder of Securitum
Author of security research published on Polish and foreign websites
He conducts training in the area of IT security in Poland and abroad. In the last 10 years, he has trained thousands of people; He has CEH, CISSP and CTT + certificates
Managing editor of the bestselling book Web Application Security
Speaker at conferences: Mega SHP (2019), Secure, Confidence, SEMAFOR, WTH, Securi-tybsides, SEConference, SecCon, OWASP @ Krakow, AIESEC, TestingCup, Security Case Study, KraQA, WrotQA
Nearly 20 years of experience in the IT industry

Michał Bentkowski

Writer at Sekurak, pentester and Securitum trainer, editor at research.securitum.com
He was on the TOP 10 Google bug bounty list from 2016 to 2019
He found numerous errors in browsers (Chrome, Firefox, Safari, Internet Explorer)
One of the editors of the book Web Application Security
Speaker at conferences: Mega SHP, Secure, Confidence, Semafor, WTH, OMH, The Hack Summit and others

Kamil Jarosiński

Security consultant at Securitum. With over five years of experience in penetration testing
As part of his professional duties, he tests the security of web applications, APIs, cloud environments and hardware. He tested security in the largest banks, mobile operators and the e-commerce industry
Web application security training trainer, API Rest, cloud environments
Speaker at the Mega Sekurak Hacking Party (2019) conference - wiretapping of a wireless keyboard
In his spare time, a participant of bug bounty programs with reported vulnerabilities in Sony, HCL Software or Telekom Deutschland

Maciej Szymczak

Ex-admin, he has been gathering over ten years of experience since high school, fulfilling orders as a freelancer. From patchcord to BGP, from Gentoo with stage1 to Ansible on thousands of servers ... and from 2017 officially as a pentester and trainer at SECURITUM.
Information security enthusiast with a passion for transferring knowledge. At Securitum, he conducts training in web application security, network security, preparation for CEH certification and cyber-awareness lectures for those less aware.
Speaker at MEGA Sekurak Hacking Party 2020 and Sekurak Hacking Party 2019 in Gdańsk.
On the Internet you can find him on LinkedIn and… IRC.

Why us

Professional

The trainings are conducted by experienced people with extensive practice in the implementation of application security tests. Some of the trainers are co-authors of Sekurak's best-selling book: Web Application Security.

Practical

The trainings, apart from the necessary theory, contain a large dose of practice. In addition to information about vulnerabilities, you will also learn about strategies to protect against them.

Engaging

We pay special attention to activating the course participants - through mini-tasks, live surveys and answering questions.

Modular

Closed training (for companies) can be completed from ready-made thematic modules. This allows the course to be adjusted to the specifics of the ordering party as much as possible (also in the context of the duration of the training).

Securitum Web Lab

Web application security training

Frontend
security training

REST API
security training

Build your perfect training

Web application security training (2 days)

WHAT WILL YOU GAIN FROM THE TRAINING?

Framework training program

REST API security training (1 day)

What will you gain from the training?

Framework training program

Frontend security training (2 days)

What will you gain from the training?

Framework training program

Modular training

What will you gain from the training?

Framework training program

Our trainers

Michał Sajdak

Michał Bentkowski

Kamil Jarosiński

Maciej Szymczak

Why us

Opinions of training participants

Contact

Securitum Szkolenia Sp. z o.o. Sp. k.