Web Application Hacking, Testing, and Prevention in Practice
This course is primarily hands-on: students practise the methods and tools of web application security testing on lab machines.
It covers the OWASP Top 10 web application vulnerabilities, the web security testing template (the Application Security Verification Standard), the Prevention Cheat Sheets, writing security test reports, automated testing, and how to verify HTTPS/SSL weaknesses.
The lab tools include Fiddler, OWASP ZAP, Tamper Data, WebGoat and others.
Course Outline

| Session | Topic |
|---|---|
| Session 1 | - Web security testing methodology<br>- Hackers think differently: the hacking and penetration testing process<br>- HTTP protocol basics, encoding, cookies, sessions<br>- Automated security testing tools |
| Session 2 | - Turning your browser into a security testing tool<br>- Information gathering<br>- Google hacking<br>- Fingerprinting custom applications |
| Session 3 | - Preparing a vulnerable web environment for in-house testing and learning<br>- SQL Injection<br>- Cross-Site Scripting (XSS)<br>- Broken Authentication and Session Management |
| Session 4 | - Fuzzing and brute-force attacks<br>- Man-in-the-Middle attack, i.e. HTTP traffic interception and manipulation<br>- Insecure Direct Object References<br>- Security Misconfiguration |
| Session 5 | - Sensitive Data Exposure: how to detect whether a password is transferred in plaintext in memory or on the network<br>- HTTPS/SSL vulnerabilities<br>- Missing Function Level Access Control<br>- Unvalidated Redirects and Forwards |
| Session 6 | - Cross-Site Request Forgery (CSRF)<br>- Using Components with Known Vulnerabilities<br>- Investigating a website while it is under attack<br>- Application Security Verification Standard |