Security Testing Python Web ApplicationsSECT-PYWACYCydrillCY-SECT-PYWA1.0<ul>
<li>Getting familiar with essential cyber security concepts</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of Python</li><li>Going beyond the low hanging fruits</li><li>Understanding security testing methodology and approaches</li><li>Getting familiar with common security testing techniques and tools</li><li>Managing vulnerabilities in third party components</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in Python</li><li>Input validation approaches and principles</li></ul><p>General Python and Web development, testing and QA</p><p>Python developers and testers working on Web applications</p><ul>
<li>Cyber security basics</li><li>The OWASP Top Ten</li><li>Security testing</li><li>Common software security weaknesses</li><li>Wrap up</li></ul><p><strong>DAY 1</strong></p>
<p><strong>Cyber security basics</strong>
</p>
<ul>
<li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software
<ul>
<li>Constraints and the market</li><li>The dark side</li></ul></li></ul><p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>OWASP Top 10 – 2017</li><li>A1 – Injection
<ul>
<li>Injection principles</li><li>Injection attacks</li><li>SQL injection
<ul>
<li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li><li>Case study – Hacking Fortnite accounts</li><li>Testing for SQL injection</li></ul></li><li>Code injection
<ul>
<li>Code injection via input()</li><li>OS command injection
<ul>
<li>Lab – Command injection</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li><li>Case study – Command injection via ping</li><li>Testing for command injection</li></ul></li><li>Script injection
<ul>
<li>Server-side template injection (SSTI)</li><li>Lab – Template injection</li></ul></li></ul></li></ul></li><li>A2 – Broken Authentication
<ul>
<li>Authentication basics</li><li>Multi-factor authentication</li><li>Authentication weaknesses – spoofing</li><li>Spoofing on the Web</li><li>Testing for weak authentication</li><li>Case study – PayPal 2FA bypass</li><li>User interface best practices</li><li>Lab – On-line password brute forcing</li><li>Password management
<ul>
<li>Inbound password management
<ul>
<li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy
<ul>
<li>NIST authenticator requirements for memorized secrets</li><li>Password length</li><li>Password hardening</li><li>Using passphrases</li></ul></li><li>Case study – The Ashley Madison data breach
<ul>
<li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li><li>(Mis)handling None passwords</li><li>Testing for password management issues</li></ul></li></ul></li></ul></li></ul></li></ul><p><strong>DAY 2 </strong></p>
<p><strong>Security testing</strong>
</p>
<ul>
<li>Security testing vs functional testing</li><li>Manual and automated methods</li><li>Security testing methodology
<ul>
<li>Security testing – goals and methodologies</li><li>Overview of security testing processes</li><li>Identifying and rating assets
<ul>
<li>Preparation</li><li>Identifying assets</li><li>Identifying the attack surface</li><li>Assigning security requirements</li><li>Lab – Identifying and rating assets</li></ul></li><li>Threat modeling
<ul>
<li>SDL threat modeling</li><li>Mapping STRIDE to DFD</li><li>DFD example</li><li>Attack trees</li><li>Attack tree example</li><li>Lab – Crafting an attack tree</li><li>Misuse cases</li><li>Misuse case examples</li><li>Risk analysis</li><li>Lab – Risk analysis</li></ul></li><li>Security testing approaches
<ul>
<li>Reporting, recommendations, and review</li></ul></li></ul></li></ul><p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>A3 – Sensitive Data Exposure
<ul>
<li>Information exposure</li><li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>Error and exception handling principles</li><li>Information exposure through error reporting</li><li>Information leakage via error pages</li><li>Lab – Flask information leakage</li></ul></li><li>A4 – XML External Entities (XXE)
<ul>
<li>DTD and the entities</li><li>Entity expansion</li><li>Lab – Billion laughs attack</li><li>External Entity Attack (XXE)
<ul>
<li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Preventing XXE</li></ul></li></ul></li><li>A5 – Broken Access Control
<ul>
<li>Access control basics</li><li>Failure to restrict URL access</li><li>Testing for authorization issues</li><li>Confused deputy
<ul>
<li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Authorization bypass on Facebook</li><li>Lab – Horizontal authorization</li><li>Testing for confused deputy weaknesses</li></ul></li><li>File upload
<ul>
<li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li><li>Testing for file upload vulnerabilities</li></ul></li></ul></li><li>A6 – Security Misconfiguration
<ul>
<li>Configuration principles</li><li>Configuration management</li><li>Python configuration best practices
<ul>
<li>Configuring Flask</li><li>Testing for misconfiguration issues</li></ul></li></ul></li><li>A7 – Cross-site Scripting (XSS)
<ul>
<li>Cross-site scripting basics</li><li>Cross-site scripting types
<ul>
<li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li><li>Additional protection layers</li><li>Testing for XSS</li></ul></li></ul></li></ul><p><strong>DAY 3</strong></p>
<p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>A8 – Insecure Deserialization
<ul>
<li>Serialization and deserialization challenges</li><li>Deserializing untrusted streams</li><li>Deserialization with pickle</li><li>Lab – Deserializing with Pickle</li><li>PyYAML deserialization challenges</li><li>Testing for insecure deserialization</li></ul></li><li>A9 – Using Components with Known Vulnerabilities
<ul>
<li>Using vulnerable components</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Malicious packages in Python</li><li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li><li>Vulnerability management
<ul>
<li>Patch management</li><li>Bug bounty programs</li><li>Vulnerability databases</li><li>Vulnerability rating – CVSS</li><li>DevOps, the build process and CI / CD</li><li>Dependency checking in Python</li><li>Lab – Detecting vulnerable components</li></ul></li></ul></li><li>A10 – Insufficient Logging & Monitoring
<ul>
<li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Plaintext passwords at Facebook</li><li>Firewalls and Web Application Firewalls (WAF)</li><li>Intrusion detection and prevention</li><li>Case study – The Marriott Starwood data breach</li></ul></li><li>Web application security beyond the Top Ten
<ul>
<li>Client-side security</li><li>Lab – Client-side security</li><li>Tabnabbing</li><li>Lab – Reverse tabnabbing</li><li>Frame sandboxing
<ul>
<li>Cross-Frame Scripting (XFS) attack</li><li>Lab – Clickjacking</li><li>Clickjacking beyond hijacking a click</li></ul></li><li>Some further best practices
<ul>
<li>HTML5 security best practices</li><li>CSS security best practices</li><li>Ajax security best practices</li></ul></li></ul></li></ul><p><strong>Security testing</strong>
</p>
<ul>
<li>Security testing techniques and tools
<ul>
<li>Code analysis
<ul>
<li>Security aspects of code review</li><li>Static Application Security Testing (SAST)</li><li>Lab – Using static analysis tools</li></ul></li><li>Dynamic analysis
<ul>
<li>Security testing at runtime</li><li>Penetration testing</li><li>Stress testing</li><li>Dynamic analysis tools
<ul>
<li>Dynamic Application Security Testing (DAST)</li><li>Web vulnerability scanners</li><li>Lab – Using web vulnerability scanners</li><li>SQL injection tools</li><li>Lab – Using SQL injection tools</li><li>Proxy servers</li></ul></li><li>Fuzzing</li></ul></li></ul></li></ul><p><strong>Common software security weaknesses</strong>
</p>
<ul>
<li>Input validation
<ul>
<li>Input validation principles
<ul>
<li>Lab – Input validation</li><li>Encoding challenges</li><li>Lab – Encoding challenges</li><li>Validation with regex</li><li>Regular expression denial of service (ReDoS)</li><li>Lab – Regular expression denial of service (ReDoS)</li><li>Dealing with ReDoS</li></ul></li><li>Files and streams
<ul>
<li>Path traversal</li><li>Path traversal-related examples</li><li>Lab – Path traversal</li><li>Additional challenges in Windows</li><li>Path traversal best practices</li><li>Testing for path traversal</li><li>Format string issues</li></ul></li><li>Unsafe native code
<ul>
<li>Native code dependence</li><li>Lab – Unsafe native code</li><li>Best practices for dealing with native code</li></ul></li></ul></li></ul><p><strong>Wrap up</strong>
</p>
<ul>
<li>And now what?
<ul>
<li>Software security sources and further reading</li><li>Python resources</li><li>Security testing resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of Python
- Going beyond the low hanging fruits
- Understanding security testing methodology and approaches
- Getting familiar with common security testing techniques and tools
- Managing vulnerabilities in third party components
- Identify vulnerabilities and their consequences
- Learn the security best practices in Python
- Input validation approaches and principlesGeneral Python and Web development, testing and QAPython developers and testers working on Web applications- Cyber security basics
- The OWASP Top Ten
- Security testing
- Common software security weaknesses
- Wrap upDAY 1
Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types
- Consequences of insecure software
- Constraints and the market
- The dark side
The OWASP Top Ten
- OWASP Top 10 – 2017
- A1 – Injection
- Injection principles
- Injection attacks
- SQL injection
- SQL injection basics
- Lab – SQL injection
- Attack techniques
- Content-based blind SQL injection
- Time-based blind SQL injection
- Case study – Hacking Fortnite accounts
- Testing for SQL injection
- Code injection
- Code injection via input()
- OS command injection
- Lab – Command injection
- Case study – Shellshock
- Lab – Shellshock
- Case study – Command injection via ping
- Testing for command injection
- Script injection
- Server-side template injection (SSTI)
- Lab – Template injection
- A2 – Broken Authentication
- Authentication basics
- Multi-factor authentication
- Authentication weaknesses – spoofing
- Spoofing on the Web
- Testing for weak authentication
- Case study – PayPal 2FA bypass
- User interface best practices
- Lab – On-line password brute forcing
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Lab – Is just hashing passwords enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Password policy
- NIST authenticator requirements for memorized secrets
- Password length
- Password hardening
- Using passphrases
- Case study – The Ashley Madison data breach
- The dictionary attack
- The ultimate crack
- Exploitation and the lessons learned
- (Mis)handling None passwords
- Testing for password management issues
DAY 2
Security testing
- Security testing vs functional testing
- Manual and automated methods
- Security testing methodology
- Security testing – goals and methodologies
- Overview of security testing processes
- Identifying and rating assets
- Preparation
- Identifying assets
- Identifying the attack surface
- Assigning security requirements
- Lab – Identifying and rating assets
- Threat modeling
- SDL threat modeling
- Mapping STRIDE to DFD
- DFD example
- Attack trees
- Attack tree example
- Lab – Crafting an attack tree
- Misuse cases
- Misuse case examples
- Risk analysis
- Lab – Risk analysis
- Security testing approaches
- Reporting, recommendations, and review
The OWASP Top Ten
- A3 – Sensitive Data Exposure
- Information exposure
- Exposure through extracted data and aggregation
- Case study – Strava data exposure
- Error and exception handling principles
- Information exposure through error reporting
- Information leakage via error pages
- Lab – Flask information leakage
- A4 – XML External Entities (XXE)
- DTD and the entities
- Entity expansion
- Lab – Billion laughs attack
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-Side Request Forgery with external entities
- Lab – External entity attack
- Case study – XXE vulnerability in SAP Store
- Preventing XXE
- A5 – Broken Access Control
- Access control basics
- Failure to restrict URL access
- Testing for authorization issues
- Confused deputy
- Insecure direct object reference (IDOR)
- Lab – Insecure Direct Object Reference
- Authorization bypass through user-controlled keys
- Case study – Authorization bypass on Facebook
- Lab – Horizontal authorization
- Testing for confused deputy weaknesses
- File upload
- Unrestricted file upload
- Good practices
- Lab – Unrestricted file upload
- Testing for file upload vulnerabilities
- A6 – Security Misconfiguration
- Configuration principles
- Configuration management
- Python configuration best practices
- Configuring Flask
- Testing for misconfiguration issues
- A7 – Cross-site Scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- Persistent cross-site scripting
- Reflected cross-site scripting
- Client-side (DOM-based) cross-site scripting
- Lab – Stored XSS
- Lab – Reflected XSS
- Case study – XSS in Fortnite accounts
- Additional protection layers
- Testing for XSS
DAY 3
The OWASP Top Ten
- A8 – Insecure Deserialization
- Serialization and deserialization challenges
- Deserializing untrusted streams
- Deserialization with pickle
- Lab – Deserializing with Pickle
- PyYAML deserialization challenges
- Testing for insecure deserialization
- A9 – Using Components with Known Vulnerabilities
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Malicious packages in Python
- Importing JavaScript
- Lab – Importing JavaScript
- Case study – The British Airways data breach
- Vulnerability management
- Patch management
- Bug bounty programs
- Vulnerability databases
- Vulnerability rating – CVSS
- DevOps, the build process and CI / CD
- Dependency checking in Python
- Lab – Detecting vulnerable components
- A10 – Insufficient Logging & Monitoring
- Logging and monitoring principles
- Insufficient logging
- Plaintext passwords at Facebook
- Firewalls and Web Application Firewalls (WAF)
- Intrusion detection and prevention
- Case study – The Marriott Starwood data breach
- Web application security beyond the Top Ten
- Client-side security
- Lab – Client-side security
- Tabnabbing
- Lab – Reverse tabnabbing
- Frame sandboxing
- Cross-Frame Scripting (XFS) attack
- Lab – Clickjacking
- Clickjacking beyond hijacking a click
- Some further best practices
- HTML5 security best practices
- CSS security best practices
- Ajax security best practices
Security testing
- Security testing techniques and tools
- Code analysis
- Security aspects of code review
- Static Application Security Testing (SAST)
- Lab – Using static analysis tools
- Dynamic analysis
- Security testing at runtime
- Penetration testing
- Stress testing
- Dynamic analysis tools
- Dynamic Application Security Testing (DAST)
- Web vulnerability scanners
- Lab – Using web vulnerability scanners
- SQL injection tools
- Lab – Using SQL injection tools
- Proxy servers
- Fuzzing
Common software security weaknesses
- Input validation
- Input validation principles
- Lab – Input validation
- Encoding challenges
- Lab – Encoding challenges
- Validation with regex
- Regular expression denial of service (ReDoS)
- Lab – Regular expression denial of service (ReDoS)
- Dealing with ReDoS
- Files and streams
- Path traversal
- Path traversal-related examples
- Lab – Path traversal
- Additional challenges in Windows
- Path traversal best practices
- Testing for path traversal
- Format string issues
- Unsafe native code
- Native code dependence
- Lab – Unsafe native code
- Best practices for dealing with native code
Wrap up
- And now what?
- Software security sources and further reading
- Python resources
- Security testing resources3 Tage2250.002250.002250.002250.002250.002250.002250.002250.002250.002250.002250.00