WS - 6
Secure code audit - NINJA Edition
Workshop Objective:
Secure code audit is a highly effective process of identifying vulnerabilities in software. This process requires a more in-depth analysis of an application in order to find the security flaws.
This training is hands-on, covering how to perform secure code analysis and review, so you need to bring your own laptop to perform different types of attacks on web-based applications.
Course Content (ToC):
DAY 1
- Module 1: Introduction to Secure Source Code Practices (SSCP)
  - What is SSCP
  - Need for an SSCP security solution
- Module 2: Parameter Manipulation Attacks and Defenses
  - Bypassing client-side validation
  - Variable manipulation attacks
  - Input validation types
  - Blacklist vs whitelist filters
  - File upload attacks and best practices
  - Insecure Direct Object References
  - Exploiting CSV-based export features using formula injection
  - Best practices and guidelines to avoid these attacks
  - Demo
- Module 3: SQL Injection
  - Blind and second-order SQL injection
  - Demo
- Module 4: Cross-Site Scripting (XSS)
  - Reflected, stored and DOM-based XSS
  - Best practices and guidelines to avoid cross-site scripting attacks
  - Demo
- Module 5: Cryptography
  - Encryption and decryption
  - Encoding and decoding
  - Hashing
  - Salted hash technique
  - Storage of critical information on the backend
  - Demo
- Module 6: Cross-Site Request Forgery (CSRF)
DAY 2
- Module 1: Broken Authentication and Session Management
  - Best practices to manage sessions
  - Setting proper cookie attributes
  - Proper implementation of OTP and CAPTCHA
  - Demo
- Module 2: Error Handling and Logging
  - Proper implementation of logging
  - Proper error handling
  - Demo
- Module 3: Code Quality
  - Language-specific configuration checks
  - Hard-coded information
  - Critical information in comments
  - Client-side hard-coded information
  - Best practices to check for unused code
  - Demo
- Module 4: XML External Entity (XXE) Attacks
- Module 5: Deserializing Objects
- Module 6: CTF challenge on a vulnerable source code application for attendees
Pre-requisite
- System Requirements:
  - A machine running Windows, Linux or OS X
  - RAM: 8 GB
  - Free disk space: 20 GB
  - VMware Player installed
  - Visual Studio installed
  - Notepad++
Who should attend:
- Those who want to build secure applications.
- Those having basic development background.
- Those who want to perform a manual secure source code review.
- Those who want to learn various secure code audit methodologies and approaches.
- Those who have very basic knowledge in OWASP Top 10.
What to expect:
- Exposure to different tools used for secure code audits
- A demo application on which to practise secure coding
- Hands-on CTF challenges
What not to expect:
- Any professional tools
Speaker Profile:
Manoj Kumar has more than 6 years of experience in the field of application security and secure coding processes, and is a co-founder of h1hakz. He has developed many secure application projects using different languages and has code-reviewed a wide range of applications, from embedded systems to web applications including retail banking and e-commerce applications. He has also given training at c0c0n XI, BSides Delaware, WOPR, HackMiami and others.
- Company/Organization: h1hakz
- Country: India
Ranjith Menon has more than 8 years of experience. He is an active player in bug bounty programs, specializes in web application, mobile and cloud security, is a contributor to the security community, and is a co-founder of h1hakz, an open platform for knowledge sharing through a webcast series. He has found many vulnerabilities for many organizations and has also given training at c0c0n XI, BSides Delaware, WOPR, HackMiami and others. Apart from hacking, he makes time for fitness in his work schedule.
- Company/Organization: h1hakz
- Country: India