
Pluralsight Ethical Hacking: Hacking Web Applications

2015
Pluralsight
Troy Hunt
4:49
English

The security profile of web applications is enormously important when it comes to protecting sensitive customer data, financial records, and reputation. Yet, web applications are frequently the target of malicious actors who seek to destroy these things by exploiting vulnerabilities in the software. Most attacks against web applications exploit well-known vulnerabilities for which tried and tested defenses are already well-established. Learning these patterns – both those of the attacker and the defender – is essential for building the capabilities required to properly secure applications on the web today. In this course, we'll look at a range of different security paradigms within web applications both conceptually and in practice. They'll be broken down into detail, exploited, and then discussed in the context of how the attacks could have been prevented. This course is part of the Ethical Hacking Series. http://blog.pluralsight.com/learning-path-ethical-hacking

Understanding Security in Web Applications
Overview
The State of Web Application Security
Understanding Web Application Security
Query Strings, Routing, and HTTP Verbs
The Discoverability of Client Security Constructs
Protections Offered by Browsers
What the Browser Can't Defend Against
What's Not Covered in This Course
Summary

Reconnaissance and Footprinting
Overview
Spidering with NetSparker
Forced Browsing with Burp Suite
Directory Traversal
Banner Grabbing with Wget
Server Fingerprinting with Nmap
Discovery of Development Artefacts with Acunetix
Discovery of Services via Generated Documentation
Discovering Framework Risks
Identifying Vulnerable Targets with Shodan
Summary

Tampering of Untrusted Data
Overview
OWASP and the Top 10 Web Application Security Risks
Understanding Untrusted Data
Parameter Tampering
Hidden Field Tampering
Mass Assignment Attacks
Cookie Poisoning
Insecure Direct Object References
Defending Against Tampering
Summary

Attacks Involving the Client
Overview
Reflected Cross Site Scripting (XSS)
Persistent Cross Site Scripting (XSS)
Defending Against XSS Attacks
Identifying XSS Risks and Evading Filters
Client Only Validation
Insufficient Transport Layer Security
Cross Site Request Forgery (CSRF)
Summary

Attacks Against Identity Management and Access Controls
Overview
Understanding Weaknesses in Identity Management
Identity Enumeration
Weaknesses in the 'Remember Me' Feature
Resources Missing Access Controls
Insufficient Access Controls
Privilege Elevation
Summary

Denial of Service Attacks
Overview
Understanding DoS
Exploiting Password Resets
Exploiting Account Lockouts
Distributed Denial of Service (DDoS)
Automating DDoS Attacks with LOIC
DDoS as a Service
Features at Risk of a DDoS Attack
Other DDoS Attacks and Mitigations
Summary

Other Attacks on the Server
Overview
Improper Error Handling
Understanding Salted Hashes
Insecure Cryptographic Storage
Unvalidated Redirects and Forwards
Exposed Exceptions Logs with ELMAH
Vulnerabilities in Web Services
Summary



