Web Application Security in Java (WASEC-J) – Outline

Detailed Course Outline

DAY 1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types
  • Consequences of insecure software

The OWASP Top Ten

  • OWASP Top 10 – 2017
  • A1 – Injection
    • Injection principles
    • Injection attacks
    • SQL injection
      • SQL injection basics
      • Lab – SQL injection
      • Attack techniques
      • Content-based blind SQL injection
      • Time-based blind SQL injection
    • SQL injection best practices
      • Input validation
      • Parameterized queries
      • Additional considerations
      • Lab – Using prepared statements
      • Case study – Hacking Fortnite accounts
    • Code injection
      • OS command injection
        • OS command injection best practices
        • Using Runtime.exec()
        • Using ProcessBuilder
        • Case study – Shellshock
        • Lab – Shellshock
        • Case study – Command injection via ping
      • Script injection
    • General protection best practices
  • A2 – Broken Authentication
    • Authentication basics
    • Multi-factor authentication
    • Authentication weaknesses – spoofing
    • Spoofing on the Web
    • Case study – PayPal 2FA bypass
    • Password management
      • Inbound password management
        • Storing account passwords
        • Password in transit
        • Lab – Is just hashing passwords enough?
        • Dictionary attacks and brute forcing
        • Salting
        • Adaptive hash functions for password storage
        • Password policy
          • NIST authenticator requirements for memorized secrets
        • Case study – The Ashley Madison data breach
          • The dictionary attack
          • The ultimate crack
          • Exploitation and the lessons learned
        • Password database migration
          • (Mis)handling null passwords

DAY 2

The OWASP Top Ten

  • A2 – Broken Authentication
    • Session management
      • Session management essentials
      • Session ID best practices
      • Why do we protect session IDs – Session hijacking
      • Session fixation
      • Cross-site Request Forgery (CSRF)
        • Lab – Cross-site Request Forgery
        • CSRF best practices
        • CSRF defense in depth
        • Lab – CSRF protection with tokens
      • Cookie security
        • Cookie security best practices
        • Cookie attributes
  • A4 – XML External Entities (XXE)
    • DTD and the entities
    • Entity expansion
    • External Entity Attack (XXE)
      • File inclusion with external entities
      • Server-Side Request Forgery with external entities
      • Lab – External entity attack
      • Case study – XXE vulnerability in SAP Store
      • Preventing XXE
      • Lab – Prohibiting DTD expansion
  • A5 – Broken Access Control
    • Access control basics
    • Failure to restrict URL access
    • Confused deputy
      • Insecure direct object reference (IDOR)
      • Lab – Insecure Direct Object Reference
      • Authorization bypass through user-controlled keys
      • Case study – Authorization bypass on Facebook
      • Lab – Horizontal authorization
    • File upload
      • Unrestricted file upload
      • Good practices
      • Lab – Unrestricted file upload
  • A7 – Cross-site Scripting (XSS)
    • Cross-site scripting basics
    • Cross-site scripting types
      • Persistent cross-site scripting
      • Reflected cross-site scripting
      • Client-side (DOM-based) cross-site scripting
      • Lab – Stored XSS
      • Lab – Reflected XSS
      • Case study – XSS in Fortnite accounts
    • XSS protection best practices
      • Protection principles – escaping
      • XSS protection APIs in Java
      • XSS protection in JSP
      • Lab – XSS fix / stored
      • Lab – XSS fix / reflected
      • Additional protection layers
      • Client-side protection principles
  • A8 – Insecure Deserialization
    • Serialization and deserialization challenges
    • Deserializing untrusted streams
    • Deserialization best practices
    • Using ReadObject
    • Sealed objects
    • Look ahead deserialization
    • Property Oriented Programming (POP)
      • Creating payload
      • POP best practices
      • Lab – Creating a POP payload
      • Lab – Using the POP payload
  • A9 – Using Components with Known Vulnerabilities
    • Using vulnerable components
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Importing JavaScript
    • Lab – Importing JavaScript
    • Case study – The British Airways data breach
    • Vulnerability management
      • Patch management
      • Vulnerability databases
      • Lab – Finding vulnerabilities in third-party components

DAY 3

The OWASP Top Ten

  • Web application security beyond the Top Ten
    • Client-side security
    • Same Origin Policy
      • Tabnabbing
      • Lab – Reverse tabnabbing
    • Frame sandboxing
      • Cross-Frame Scripting (XFS) attack
      • Lab – Clickjacking
      • Clickjacking beyond hijacking a click
      • Clickjacking protection best practices
      • Lab – Using CSP to prevent clickjacking

Common software security weaknesses

  • Input validation
    • Input validation principles
      • Blacklists and whitelists
      • Data validation techniques
      • Lab – Input validation
      • What to validate – the attack surface
      • Where to validate – defense in depth
      • How to validate – validation vs transformations
      • Output sanitization
      • Encoding challenges
      • Lab – Encoding challenges
      • Validation with regex
    • Integer handling problems
      • Representing signed numbers
      • Integer visualization
      • Integer overflow
      • Lab – Integer overflow
      • Signed / unsigned confusion in Java
      • Case study – The Stockholm Stock Exchange
      • Integer truncation
      • Best practices
        • Upcasting
        • Precondition testing
        • Postcondition testing
        • Using big integer libraries
        • Integer handling in Java
        • Lab – Integer handling
    • Files and streams
      • Path traversal
      • Path traversal-related examples
      • Lab – Path traversal
      • Additional challenges in Windows
      • Path traversal best practices
    • Unsafe reflection
      • Reflection without validation
      • Lab – Unsafe reflection
    • Unsafe native code
      • Native code dependence
      • Lab – Unsafe JNI
      • Best practices for dealing with native code
  • Code quality
    • Data handling
      • Initialization and cleanup
        • Constructors and destructors
        • Class initialization cycles
        • Lab – Initialization cycles
      • Unreleased resource
        • The finalize() method – best practices
    • Object oriented programming pitfalls
      • Accessibility modifiers
        • Are accessibility modifiers a security feature?
        • Accessibility modifiers – best practices
        • Overriding and accessibility modifiers
      • Inheritance and overriding
      • Mutability
        • Lab – Mutable object
      • Cloning

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
    • Secure design principles of Saltzer and Schröder
  • And now what?
    • Software security sources and further reading
    • Java resources