Several weeks ago we announced that we would be publishing the materials from our Web Application Security course, and today we are happy to report that this work has been completed. All the slides and supporting materials have been uploaded and are now available from here.
This course is typically delivered in 5 days, so it is intense at all levels. Although the slides were designed to be easy to read and generally to guide you through the various topics, you will find a lot of tricks and techniques summarised almost as in a cheat sheet.
Our personal favourite is the Data Validation part, which is divided into three types of severe vulnerabilities: SQL Injection, Cross-site Scripting and File Includes. Each section methodically explains the vulnerability in the simplest possible way and then goes into detail about exploitation. We also cover different attack techniques that are typically used to bypass security controls.
The course is very well structured. It starts with a general introduction to HTTP and the various other Web technologies. After this it dives straight into the penetration testing process, covering all areas such as Authentication, Session Management, Authorisation, Data Transport Security, Business Logic, Data Validation and so on. All in all, it takes you on a journey through the wonderful world of web application security.
As usual, your opinion is very welcome. We would like to know if you find the slides easy to read and whether they cover enough information. We would also like to know if you are planning to use them for in-house training, which we may be able to help with.