OWASP Top 10 Essentials


OpenValue

Start dates and locations
No start dates are known for this product yet.

OpenValue offers this product by default in the following regions: Amsterdam, Arnhem, Rotterdam, Utrecht

Description

Introduction
OWASP is a worldwide organization focused on improving software security. To that end it has built a list of the top 10 most critical web application security risks. In this workshop we will go through the list, focus on the risks important to your application and get some hands-on action by performing these exploits yourself.

Detailed description
The first part of the training will be an introduction to OWASP and its Top 10. Next you will get the first assignments to get familiar with the online environment and the tasks to complete.


The main part of this course is then going to be a lot of fun. In an actual competition you are challenged to find and exploit vulnerabilities. The trainer will coach the attendees and the platform will give the trainees hints on how to find weak spots. However, each hint will cost you points. This playful approach has proven to be an excellent way to learn to think like an attacker, and it teaches attendees to understand where these weak spots arise. This of course will help them design safer applications in the future.

And finally you will compete with your fellows to get the highest score by completing increasingly difficult hacking challenges.

Target audience
This training is suitable for everyone who would like to know about web application vulnerabilities and how they work in practice. It is not required to be a software developer, but you should be somewhat comfortable with the developer console of the web browser.

Learning goals

  • OWASP and the OWASP Top 10.
  • Exploiting web app security vulnerabilities.
  • Becoming more aware of security in software development.

Skills acquired in this training

  • Performing attacks like:
    • Cross-site scripting
    • Cross-site request forgery
    • SQL injection
  • Exploiting vulnerabilities like:
    • weak crypto
    • security misconfiguration
    • vulnerable default configuration

Topics

  • Attacks & vulnerabilities described in the previous section
  • Tooling for development and pipelines to detect potential vulnerabilities earlier
  • Preventing vulnerabilities from requirements

Training outline

  • Introduction/OWASP/top10 (1 hr)
  • Getting familiar with the platform (30 min)
  • Competition with the following aspects:
    • XSS
    • CSRF
    • SQL Injection
    • Exploiting Security misconfigurations
    • Exploiting weak cryptographic storage
    • Reverse engineering

The challenges will start off easier and gradually get more difficult. The first challenges will take a couple of minutes to track down and exploit; the harder challenges can take 30 minutes or more to solve.

Provided training material
Access to the platform during training.

About the trainer
Frank Walinga is a Software Engineer at OpenValue and focuses on Java and Security Awareness.

Note: This training can be given in Dutch or English at one of the OpenValue offices (Utrecht, Amsterdam, Rotterdam, Arnhem, Munich, Dusseldorf, Vienna, Zurich) or at your own location. Please contact us to discuss possibilities for a remote training and for training in German.

OpenValue Training - By Developers, For Developers. Learn from industry-leading software experts, Java Champions, and international conference speakers. Our 70+ hands-on IT courses cover modern tech stacks, software architecture, and best practices. Delivered by active software experts who apply what they teach daily on their innovative projects. Available in-company, at our offices, or online. Better Software, Faster starts with better training.
