T1511


Combined Java, PHP and Web application security

Even experienced programmers do not necessarily master the various security services offered by their development platforms, and are likewise not aware of the different vulnerabilities that are relevant to their developments. This course targets developers using both Java and PHP, providing them with the essential skills needed to make their applications resistant to contemporary attacks over the Internet.

The levels of the Java security architecture are walked through by tackling access control, authentication and authorization, secure communication and various cryptographic functions. Various APIs that can be used to secure your PHP code are also introduced, such as OpenSSL for cryptography or HTML Purifier for input validation. On the server side, best practices are given for hardening and configuring the operating system, the web container, the file system, the SQL server and PHP itself, while a special focus is given to client-side security through the security issues of JavaScript, Ajax and HTML5.

Audience

Java, PHP and Web application developers

Prior knowledge

Preparedness: Advanced Java, PHP and Web application development

Language

The course is taught in English (Contact us if you prefer Swedish).

Courseware

Material in English

General Web vulnerabilities are discussed through examples aligned to the OWASP Top Ten, showing various injection attacks, script injections, attacks against session handling, insecure direct object references, issues with file uploads, and many others. The various Java- and PHP-specific language problems and issues stemming from the runtime environment are introduced, grouped into the standard vulnerability types of missing or improper input validation, improper use of security features, incorrect error and exception handling, time- and state-related problems, code quality issues and mobile code-related vulnerabilities.

Participants can try out the discussed APIs, tools and the effects of configurations for themselves, while the introduction of each vulnerability is supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to correct the bugs and apply mitigation techniques, and introducing the use of various extensions and tools.

Java security: Java language security solutions, Java Virtual Machine (JVM) and Java Runtime Environment (JRE); ByteCode Verifier and Classloader; Security Manager and Access Controller, managing permissions with the PolicyTool; Java Cryptography Architecture (JCA) and Java Cryptographic Extension (JCE), Java Secure Socket Extension (JSSE), Java Authentication and Authorization Service (JAAS), Java Keystore (JKS) and the KeyTool.

PHP security: functions to be used for input validation, PHP extensions for input validation (CType, Filter, HTML Purifier, OWASP ESAPI), remote code execution, path traversal in PHP, MySQL validation errors, variable scope problems, local variable pollution, filtering file uploads, environment manipulation. PHP environment: server configuration, PHP configuration (php.ini settings), safe mode, Apache configuration, MIME types. Hardening.

Client-side security: JavaScript same-origin policy, global object, authentication and password management in JavaScript, obfuscating JavaScript code, history stealing, DOM-based XSS in JavaScript, ClickJacking. Ajax security, XSS and CSRF in Ajax, example: explaining the MySpace worm. XSS and ClickJacking in HTML5, form tampering, history tampering, cross-document messaging. PHP security services: using hash, mcrypt, OpenSSL, CType, ext/filter, HTML Purifier, OWASP AntiSamy, OWASP ESAPI, suhosin.

Web vulnerabilities: OWASP Top 10 and other frequent vulnerabilities: SQL Injection and other injection flaws, including CSS injection, command injection and cookie injection; Cross-Site Scripting: persistent and reflected XSS, XSS through HTML/CSS (base injection), protections in browsers; Cross-Site Request Forgery (CSRF); vulnerabilities in session management, session handling; malicious file execution; insecure direct object reference; uploading executable files.

PHP-specific vulnerabilities: problems with error and exception handling, PHP type comparison, improper use of cryptographic features, problems with randomness, weak PRNGs, challenges of password management, cracking hashed passwords with search engines, file and SQL race conditions, concurrency and session handling in PHP, open_basedir race condition hacking, denial-of-service by magic float numbers, hashtable collision attack, and many more...

Java-specific vulnerabilities: integer overflows in Java (e.g. in java.util.zip.CRC32); Calendar/ZoneInfo deserialization bug (CVE-2008-5353); unsafe reflection; Web-related vulnerabilities like SQL Injection, Command Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP Injection, Insecure Direct Object Reference; unsafe Java Native Interface (JNI); improper error and exception handling; insecure randomness of java.util.Random; object hijacking; serialization of sensitive information; dangers of mobile code; Denial-of-Service (DoS) in Java (the “2.2250738585072012e-308 bug”); problems with inner classes; and many more...

Exercises: exploiting SQL injection step-by-step; crafting Cross-Site Scripting attacks through both reflected and persistent XSS; committing Cross-Site Request Forgery (CSRF); malicious file execution; insecure direct object reference; uploading and running executable code; cracking hashed values with search engines; information leakage through error reporting; setting and using permissions; authentication and authorization through JAAS; using JCA/JCE providers for digital signing and encryption; permissions for signed code; using JSSE: switching from HTTP to HTTPS; JavaScript obfuscation; exploiting clickjacking; XSS and CSRF in Ajax; form tampering in HTML5; exploiting the hashtable collision attack; exploiting preg_replace in PHP; crashing Java through JNI; proof-of-concept exploit of the Calendar/ZoneInfo deserialization bug; using reflection to break accessibility modifiers; object hijacking; preventing serialization; exploiting mobile code vulnerabilities; crashing Java and PHP with magic double values; exploiting inner classes; and many more...

Course ID: T1511
Length: 4 days
Can be paid with:
TRAINING CARD

Leave your contact details if you would like an in-house company training.