Combined Java, .NET and Web Application Security
Course fee: kr 17 900 | Duration: 3 days
Java and .NET developers, architects and testers
Prerequisites: basic Java, ASP.NET and web application knowledge
- Web vulnerabilities:
OWASP Top 10 and beyond: SQL injection and other injection flaws; cross-site scripting: persistent and reflected XSS; session handling challenges, using cookies; remote code execution; insecure direct object reference; Cross-Site Request Forgery (CSRF); restricting URL access.
- Java Security Technologies and Services:
Java language security solutions, the Java Virtual Machine (JVM) and Java Runtime Environment (JRE); the bytecode verifier and ClassLoader; Security Manager and Access Controller, managing permissions with the Policy Tool; Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), the Java Authentication and Authorization Service (JAAS), the Java KeyStore (JKS) and the keytool utility.
- .NET And ASP.NET Security Technologies and Services:
Code Access Security, permissions, the stack walk, trust levels; role-based security; cryptography in .NET; ASP.NET authentication and authorization solutions, Windows and Forms authentication, Live SDK, roles; session handling; XSS protection, validation features, ViewState protection in ASP.NET.
- Java and .NET specific vulnerabilities:
Input validation problems: integer overflows in Java, using the checked keyword in .NET, the Calendar / zoneinfo deserialization bug (CVE-2008-5353) in Java, log forging; improper use of cryptographic features: insecure randomness in Java and .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling: returning from a finally block in Java; time and state problems: race conditions, synchronization and mutual exclusion, deadlock, file and database race conditions; general code quality issues: object hijacking, immutable objects, serialization of sensitive information; denial of service (DoS) in Java (the "2.2250738585072012e-308 bug") and .NET (hashtable collision), attacks against ASP.NET, string termination inconsistency; dangers of mobile code, critical public data, problems with inner classes, and many more ...
Exploiting SQL injection; exploiting command injection; crafting reflected and persistent cross-site scripting attacks; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); setting and using permissions in Java authentication and authorization through JAAS, using JCA / JCE providers for digital signing and encryption, permissions for signed code, using JSSE - switching from HTTP to HTTPS; sandboxing .NET code, using roles, using cryptographic classes in .NET, implementing Forms authentication, input validation in ASP.NET; crashing the native code; unsafe reflection; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlock; overcoming file race conditions; object hijacking; immutable strings; preventing serialization; crashing Java with magic double values; using hidden and disabled controls; value shadowing; exploiting mobile code vulnerabilities; exploiting inner classes.