Web Application Security Fundamentals training course

Module 1: Introductions, course overview & starting surveys                     

• targeted WebAppSec quizzes with instant feedback to activate delegates’ learning 
• connecting to & getting familiar with the course’s hands-on Linux lab environment
• previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
• Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS

Module 2: Understanding Web Applications                                                   

• Exploring HTML, Cascading Style Sheets & JavaScript using Modern Web Browsers 
• understanding legal, ethical & data protection considerations related to WebAppSec
• inspecting HTTP verbs, Headers, Cookies & data using ZED Attack Proxy (ZAP)
• Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 3: Information Security & Cybersecurity Fundamentals                 

• appreciating the significance of availability, confidentiality & integrity for Web Apps
• performing simulated phishing attacks using SE Toolkit & BEEF Project
• understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
• Practicals: delegates will perform the simulated phishing activities in their Linux VM labs 

Module 4:  Remediating Common Web Application Vulnerabilities       

• identifying & remediating the “Click Jacking” (missing X-OPTIONS-HEADER) weakness
• identifying & remediating the Cross-Site Request Forgery (XSRF) vulnerability
• Securing Cookies with HttpOnly & Secure Flags
• Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 5: Introducing WebAppSec Good Practices                     

• introducing OWASP & the OWASP Top 10 Web Application Threat model
• performing Threat Modelling of a Web Application using STRIDE 
• understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
•  Practicals: important Threat Modelling group practicals will not rely on the Linux VM labs  

Module 6:  Secure Web App Development Lifecycles & Supporting Tools         

• reviewing 4 leading SSDLC models: Microsoft SDL, OpenSAMM, BSIMM, SafeCode
• understanding the value of OWASP’s Application Security Verification Standard (ASVS)
• considering how IAST tools (like ZAP & Burp Suite) differ from SAST & DAST tools
•  Practicals: SSDLC activities not Lab-based but Linux VM labs will be used for ZAP & BurpSuite
• OWASP Top 10:2021 Vulnerabilities & Mitigations

Module 7: A04 Insecure Design & A02 Cryptographic Failures                     

• reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
• breaking TLS security by installing untrusted Root Certificates in Firefox lab environment
• understanding the WebAppSec design challenges of secure cryptographic key management
• Practicals: delegates will perform cryptographic security activities in their Linux VM labs 

Module 8:  A03 Injection & A10 Server-Side Request Forgery                            

• appreciating how injection attacks occur from poor data/code separation & input validation 
• experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
• how to identify & mitigate SQL Injection & SSRF vulnerabilities
• Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs 

Module 9:    A07 ID & Authentication Failures & A01 Broken Access Control     

• understanding the nature of Identification, Authentication & Access Control
• performing attacks on authentication using spoofing, cookie stealing & hash cracking
• how to design secure Web Apps based on proven Identity & Access Control methods
• Practicals: delegates will perform authentication attack activities in their Linux VM labs   

Module 10:  A05 Security Misconfiguration & A06 Outdated Components               

• using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
• showing how DNS, Shodan & Certificate Transparency records can expose internal assets
• exploring good practices for hardening & patching Web Applications
• Practicals: OSINT activities may be performed either using Linux VM labs or own computer

Module 11: A08 Integrity Failures & A09 Logging & Monitoring Failures            

• examining the meaning & impacts of software integrity failures
• performing simulated attack using malicious file upload & insecure de-serialisation
• understanding the causes & impacts of the Log4J vulnerability
• Practicals: delegates will Log4J & Syslog monitoring activities in their Linux VM

Module 12:  Supporting continuous Web Application Security improvements    

• reflecting on learnings from this course & how to improve WebAppSec within the BBC
• signposting trusted sources of further relevant information about WebAppSec
• completing end-of-course feedback to improve future runs of this course
• Practicals: delegates will access online surveys & quizzes to reinforce their learning

Resources:

• Cloud Hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
• Selected Kali Linux tools e.g. SE Toolkit, HashCat, BEEF Project, ZAP Proxy
• Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS-Game & Gruyere.
• Selected Websites & OSINT sources e.g. OWASP, MITRE, NIST CVE, FIRST CVSS, SafeCode, Shodan