Combined Java, PHP and Web Application Security

Even experienced programmers do not by any means master the various security services offered by their development platforms, and are likewise not aware of the different vulnerabilities that are relevant to their development. This course targets developers using both Java and PHP, providing them the essential skills necessary to make their applications resistant to contemporary attacks through the Internet.

The levels of the Java security architecture are walked through, covering access control, authentication and authorization, secure communication and various cryptographic functions. Various APIs are also introduced that can be used to secure your code in PHP, like OpenSSL cryptography or HTML Purifier for input validation. On the server side, best practices are given for hardening and configuring the operating system, the web container, the file system, the SQL server and PHP itself, while a special focus is given to client-side security through the security issues of JavaScript, Ajax and HTML5.


Java, PHP and web application developers


Prerequisites: advanced Java, PHP and web application development

Course outline:

General web vulnerabilities are discussed through examples aligned to the OWASP Top Ten, showing various injection attacks, script injection attacks, attacks against session handling, insecure direct object references, issues with file uploads, and many others. The various Java- and PHP-specific language problems and issues stemming from the runtime environment are introduced, grouped into the standard vulnerability types of missing or improper input validation, improper use of security features, incorrect error and exception handling, time- and state-related problems, code quality issues and mobile code-related vulnerabilities. Participants can try out the discussed APIs, tools and the effects of configurations for themselves, while the introduction of vulnerabilities is supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to correct the bugs and apply mitigation techniques, and introducing the use of various extensions and tools.

  • Java security: 
    Java language security solutions, the Java Virtual Machine (JVM) and Java Runtime Environment (JRE); Bytecode Verifier and ClassLoader; Security Manager and Access Controller, managing permissions with the Policy Tool; Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), the Java Authentication and Authorization Service (JAAS), Java KeyStore (JKS) and the keytool.
  • PHP security: 
    Functions to be used for input validation, PHP input validation extensions (CType, Filter, HTML Purifier, OWASP ESAPI); remote code execution, path traversal in PHP, MySQL validation errors, variable scope problems, local variable pollution, filtering file uploads, environment manipulation. PHP environment: server configuration, PHP configuration (php.ini settings), safe mode, Apache configuration, MIME types; hardening.
  • Client-side security: 
    JavaScript same origin policy, the global object, authentication and password management in JavaScript, obfuscating JavaScript code, history stealing, DOM-based XSS in JavaScript, clickjacking. Ajax security: XSS and CSRF in Ajax, with the MySpace worm explained as an example. XSS and clickjacking in HTML5, form tampering, history tampering, cross-document messaging. PHP security services: using hash, mcrypt, OpenSSL, CType, ext/filter, HTML Purifier, OWASP AntiSamy, OWASP ESAPI, Suhosin.
  • Web vulnerabilities: 
    OWASP Top 10 and other frequent vulnerabilities: SQL injection and other injection flaws, including CSS injection, command injection and cookie injection; Cross-Site Scripting: persistent and reflected XSS, XSS through HTML/CSS (base injection), protections in browsers; Cross-Site Request Forgery (CSRF); vulnerabilities in session management and session handling, malicious file execution, insecure direct object reference, uploading executable files.
  • PHP-specific vulnerabilities: 
    Problems with error and exception handling, PHP type comparison, improper use of cryptographic features, problems with randomness and weak PRNGs, challenges of password management, cracking hashed passwords with search engines, file and SQL race conditions, concurrency and session handling in PHP, open_basedir race condition hacking, denial-of-service by magic float numbers, hashtable collision attack, and many more.
  • Java-specific vulnerabilities: 
    Integer overflows in Java; the Calendar/zoneinfo deserialization bug (CVE-2008-5353); unsafe reflection; web-related vulnerabilities like SQL injection, command injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP injection and insecure direct object reference; the unsafe Java Native Interface (JNI); improper error and exception handling; insecure randomness of java.util.Random; object hijacking; serialization of sensitive information; dangers of mobile code; Denial-of-Service (DoS) in Java (the "2.2250738585072012e-308 bug"); problems with inner classes; and many more.
  • Exercises: 
    Exploiting SQL injection step by step; crafting cross-site scripting attacks through both reflected and persistent XSS; committing Cross-Site Request Forgery (CSRF); malicious file execution; insecure direct object reference; uploading and running executable code; cracking hashed values with search engines; information leakage through error reporting; setting and using permissions; authentication and authorization through JAAS; using the JCA/JCE providers for digital signing and encryption; permissions for signed code; using JSSE: switching from HTTP to HTTPS; JavaScript obfuscation; exploiting clickjacking; XSS and CSRF in Ajax; form tampering in HTML5; exploiting the hashtable collision attack; exploiting preg_replace in PHP; crashing Java through the JNI; proof-of-concept exploit of the Calendar/zoneinfo deserialization bug; using reflection to break accessibility modifiers; object hijacking; preventing serialization; exploiting mobile code vulnerabilities; crashing Java and PHP with magic double values; exploiting inner classes; and many more.

Other relevant courses