Combined Java, PHP and Web Application Security
Course fee: NOK 20 900 | Duration: 4 days
Java, PHP and Web Application Developers
Prerequisites: Advanced Java, PHP and Web Application
General web vulnerabilities are discussed through examples aligned to the OWASP Top Ten, showing various injection attacks, script injection attacks against session handling, insecure direct object references, issues with file uploads, and many others. The various Java- and PHP-specific language problems and issues stemming from the runtime environment are introduced, grouped into the standard vulnerability types of missing or improper input validation, improper use of security features, incorrect error and exception handling, time- and state-related problems, code quality issues and mobile code-related vulnerabilities.
Participants can try out the discussed APIs, tools and the effects of configurations for themselves, while the introduction of each vulnerability is supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to correct the bugs and apply mitigation techniques, and introducing the use of various extensions and tools.
- Java security:
Java language security solutions, the Java Virtual Machine (JVM) and Java Runtime Environment (JRE); Bytecode Verifier and ClassLoader; Security Manager and Access Controller, managing permissions with the Policy Tool; Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), the Java Authentication and Authorization Service (JAAS), Java KeyStore (JKS) and the keytool.
- PHP security:
Functions to be used for input validation; PHP input validation extensions (CType, Filter, HTML Purifier, OWASP ESAPI); remote code execution; path traversal in PHP; MySQL validation errors; variable scope problems; local variable pollution; filtering file uploads; environment manipulation. The PHP environment: server configuration, PHP configuration (php.ini settings), safe mode, Apache configuration, MIME types. Hardening.
- Client-side security:
- Web vulnerabilities:
OWASP Top 10 and other frequent vulnerabilities: SQL injection and other injection flaws, including CSS injection, command injection and cookie injection; Cross-Site Scripting: persistent and reflected XSS, XSS through HTML / CSS (base injection), protections in browsers; Cross-Site Request Forgery (CSRF); vulnerabilities in session management and session handling; malicious file execution; insecure direct object reference; uploading executable files.
- PHP-specific vulnerabilities:
Problems with error and exception handling, PHP type comparison, improper use of cryptographic features, problems with randomness and weak PRNGs, challenges of password management, cracking hashed passwords with search engines, file and SQL race conditions, concurrency and session handling in PHP, open_basedir race condition hacking, denial-of-service by magic float numbers, hashtable collision attack, and many more...
- Java-specific vulnerabilities:
Integer overflows in Java (e.g. in java.util.zip.CRC32); Calendar / zoneinfo deserialization bug (CVE-2008-5353); unsafe reflection; web-related vulnerabilities like SQL injection, command injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP injection and insecure direct object reference; the unsafe Java Native Interface (JNI); improper error and exception handling; insecure randomness of java.util.Random; object hijacking; serialization of sensitive information; dangers of mobile code; denial-of-service (DoS) in Java (the "2.2250738585072012e-308 bug"); problems with inner classes; and many more...