If you’ve always been curious about how hackers identify and exploit vulnerabilities in Web applications, look no further than this course. Loosely based on the OWASP Top 10, the course covers a wide range of Web-security issues, from well-known ones like cross-site scripting (XSS) to more obscure ones like subdomain takeover.

But you won’t just learn the mechanics of those vulnerabilities and the defenses that can thwart their exploitation; you’ll develop an attacker’s mindset while attacking multiple deliberately vulnerable Web applications using Caido, an increasingly popular intercepting proxy. Those practical labs (exceeding 80 in number) are complemented by case studies and personal stories from my experience as a security researcher and bug-bounty hunter.

Duration

3 days (21 hours)

Prerequisites

  • Fluency in English
  • Experience with Web development (frontend, backend, or both)
  • A personal computer (preferably running macOS or Linux) on which the following tools have been installed (ahead of the course):
  • A stable Internet connection

Topics

  • lack of HTTPS
  • insecure cookies
  • sensitive-data exposure
  • improper input validation/sanitization
  • open redirects
  • cross-site scripting (XSS)
  • SQL injection
  • broken registration, authentication & session management
  • broken access control
  • cross-site request forgery (CSRF)
  • subdomain takeover
  • clickjacking
  • CORS misconfiguration
  • insecure JSON-P
  • file-related vulnerabilities
  • server-side request forgery
  • remote code execution
  • vulnerable components

(OWASP® and the OWASP logo are trademarks of OWASP Foundation, Inc. This course is independent and is not affiliated with or endorsed by OWASP Foundation.)