Mosse Cyber Security: Web Application Security for Web Developers and Hackers


3 days


$3300.00 (inc GST)

This course teaches you the principles you need to find vulnerabilities in web applications regardless of the programming language they are written in. During this three-day course you will be given access to a penetration testing lab to practise identifying and patching realistic vulnerabilities.

Hardware Requirements:

  • Students are responsible for bringing their own laptops to the course.
  • Internet access is provided by the training provider.
  • Attendees will have to install a VPN client to connect to the security lab infrastructure.
  • Attendees are required to have an RDP client (installed by default on all Windows machines).

Software Requirements:

  • Windows XP SP2/3, Windows 7/8, *nix or OS X
  • Administrative privileges on your laptop
  • Virtualization Software
  • Custom VM labs will be provided for exploitation
  • SSH Client


Please be advised that this is a reseller course which is not held at DDLS. Students are expected to organise their own meals.

Skills Gained

The course provides in-depth knowledge of how to find and protect against the vast majority of web application vulnerabilities present across all web technologies and languages. The examples used in the course have been built in ASP, .NET, Java and PHP.

During this course you will learn

  • The latest industry standards such as OWASP Top 10 and the SANS Top 25 Most Dangerous Software Errors
  • The latest web application security vulnerabilities
  • Security best practices
  • A real world analogy for each vulnerability

Key Topics

Introduction to Web Applications Security

  • Architectural and Design Vulnerabilities
  • Authentication Vulnerabilities
  • Authorisation Vulnerabilities
  • Session Management Vulnerabilities
  • Business Logic Vulnerabilities
  • Web Server Misconfiguration
  • Application Server Misconfiguration
  • Transport Layer Vulnerabilities
  • Default accounts
  • Information Leakage


Client Side Vulnerabilities

  • Cross Site Scripting
  • Cross Site Request Forgery
  • Session Fixation
  • CRLF Injection
  • Flash and Cross Domain Issues
  • HTTP Response Splitting
  • Man-In-The-Middle Attacks
  • Access Control Enforced by Presentation Layer


Server Side Vulnerabilities

  • SQL Injection
  • XPath Injection
  • OS Command Execution
  • Code Injection
  • LDAP Injection
  • File Uploads
  • Web Application Backdooring
  • Server Side Includes
  • File Inclusion
  • Direct Object Reference
  • Account Lockout Attack
  • Path Traversal
  • Full Path Disclosure
  • Simultaneous Session Logons
  • Session ID Guessing and Brute Force
  • Disclosure of Token in URL
  • Insecure ViewState
  • Guessed or Visible Temporary Files
  • Hardcoded Passwords
  • Leftover Debug Code
  • Log Injection


Source Code Auditing Principles

  • Identify attack surface
  • Identify global security policy
  • Identify resources and trust boundaries
  • Identify user roles and resource capabilities
  • Threat Modeling
  • Identify Business Impact


Security Best Practice

  • OWASP Top 10 And SANS Top 25
  • HTTP Strict Transport Security
  • Content Security Policy
  • Input Validation
  • Blocking Brute Force Attacks
  • Multi-factor Authentication
  • Single Sign On
  • Tokenizing
  • Cryptography
  • Logging and Auditing
  • Randomisation
  • HttpOnly and Secure Flag
  • Secure Sockets Layer
  • Static Code Analysis
  • Web Application Firewall
  • Secret Questions And Answers
  • Password Guidelines
  • Minimum Hash Strength
  • Principle of Least Privilege
  • Protecting Access to Static Resources
  • Session ID Secure Generation
  • Session ID Life Cycle
  • Session Expiration
  • Whitelisting and Blacklisting
  • Synchronizer Token Pattern
  • SQL Injection Prevention
  • Error and Exception Handling
  • Generic Error Messages
  • Defense in Depth
  • Avoid Security by Obscurity
  • Establish Secure Defaults
  • Fail Securely
  • Keep Security Simple
  • Detect Intrusions
  • Don't Trust User Inputs
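
Several of the practices listed above (secure session ID generation, the HttpOnly and Secure cookie flags, the Synchronizer Token Pattern, failing securely) fit together in one small piece of server-side code. The following is an added illustration written for this page, not course material or code from the training provider; the Session and Request classes and the handle_transfer handler are stand-ins (assumptions) for the session and form layers of whatever framework is in use.

```python
"""Synchronizer Token Pattern with CSPRNG-generated session IDs and CSRF tokens.

Added example for this page (not from the course). The Session/Request
classes and the SESSIONS store are assumed stand-ins for a real framework.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_BYTES = 32  # 256 bits of entropy from the OS CSPRNG


def new_token() -> str:
    # secrets, never random: unguessable IDs defeat session-ID guessing
    # and brute force; token_urlsafe encodes the bytes for use in cookies/forms
    return secrets.token_urlsafe(TOKEN_BYTES)


@dataclass
class Session:
    sid: str = field(default_factory=new_token)
    # one CSRF token per session (the "synchronizer" token), generated server-side
    csrf_token: str = field(default_factory=new_token)


def session_cookie_header(session: Session) -> str:
    # HttpOnly: inaccessible to script (limits session theft via XSS)
    # Secure: only sent over TLS (no transport-layer leakage)
    # SameSite=Lax: browser withholds the cookie on cross-site POSTs
    return f"Set-Cookie: sid={session.sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def render_form(session: Session) -> str:
    # The server embeds the per-session token in every state-changing form;
    # an attacker's page cannot read it, so a forged POST cannot supply it
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"></form>'
    )


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    # Fail securely: a missing or empty token is rejected, and the comparison
    # is constant-time so the token cannot be recovered byte by byte
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]


SESSIONS: Dict[str, Session] = {}  # assumed stand-in for a server-side session store


def handle_transfer(req: Request) -> Tuple[int, str]:
    # State changes only via POST; authenticate via the session cookie, then
    # require the synchronizer token before acting
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401, "no session"
    if not csrf_token_valid(session, req.form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, f"transferred {req.form.get('amount', '0')}"


def demo() -> List[int]:
    # Constructed requests: a legitimate form post, a cross-site forgery that
    # carries the victim's cookie but no token, and a post with a wrong token
    sess = Session()
    SESSIONS[sess.sid] = sess
    legit = Request("POST", {"sid": sess.sid}, {"csrf_token": sess.csrf_token, "amount": "10"})
    forged = Request("POST", {"sid": sess.sid}, {"amount": "10"})
    wrong = Request("POST", {"sid": sess.sid}, {"csrf_token": "x" * 43, "amount": "10"})
    return [handle_transfer(r)[0] for r in (legit, forged, wrong)]


if __name__ == "__main__":
    print(session_cookie_header(Session()))
    print(demo())  # legitimate request succeeds, forged and wrong-token requests are refused
```

The cookie flags alone are a defence-in-depth measure, not a replacement for the token: older browsers ignore SameSite, and the token check is what makes the forged request fail even when the cookie is sent.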

Target Audience

Software developers, web developers, technical project managers and IT managers, penetration testers, security managers, and anyone who wants to learn to develop software securely and to find security vulnerabilities in web applications by reviewing source code.


Intermediate knowledge of software development practices (coding, design, architecture) is required to attend this course. No particular programming language is required, but knowledge of high-level languages such as Java, Ruby, Python, Perl or Scala will help, as will a basic understanding of penetration testing and application security.

No prior vulnerability discovery or exploitation experience is necessary.

The supply of this course by ACTE Pty Ltd (trading as DDLS) is governed by the booking terms and conditions. Please read the terms and conditions carefully before enrolling in this course, as enrolment in the course is conditional on acceptance of these terms and conditions.

Course Availability

Please call DDLS on 1800 U LEARN (1800 853 276) or register your interest below.

Pre-Course Requirements

DDLS offers this training through a third party. This arrangement requires DDLS to provide your details to our partner for course registration purposes.