
Course Detail

Course Name Modern Web Application Development and Exploitation
Course Code 21SN601
Program M. Tech. in Cyber Security Systems & Networks
Semester 1
Credits 4

Introduction

Overview of web architecture: protocols, client-server architecture, P2P architecture, DNS. Understanding the browser: same-origin policy, cookies, cache, authentication. Website development basics: server-side languages such as Node.js and Go, client-side technologies such as HTML, JavaScript, React and Vue.js, and database query languages for SQL and NoSQL stores. Understanding the frontend, backend and database paradigm of modern web application development.

Injection attacks: SQL injection, OS command injection, LDAP injection. File upload and file inclusion vulnerabilities: LFI, RFI, and how to properly secure against file inclusion. Request forgery vulnerabilities: server-side request forgery (SSRF) and its client-side counterpart, cross-site request forgery (CSRF). Cross-site scripting (XSS) attacks: reflected XSS, stored XSS, DOM-based XSS, self-XSS, mutation XSS (mXSS), and how to properly defend against XSS. Server-side templates and template injection. DoS and DDoS attacks. Phishing attacks. OWASP Top 10 vulnerabilities. OAuth vulnerabilities. Automating vulnerability discovery.

OWASP Top 10: broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, insecure deserialization, using components with known vulnerabilities, insufficient logging and monitoring.

Privacy laws: GDPR etc. Privacy on the web: trackers, browser fingerprinting, the Tor/onion network, browser extensions. Responsible vulnerability disclosure: CVEs, the MITRE CVE programme, Exploit-DB, SearchSploit, bug bounties. Secure coding practices: blacklisting versus whitelisting (denylist versus allowlist), user input validation, automated testing, Trusted Types, sanitizing HTML.
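Three of the syllabus topics above (SQL injection versus parameterized queries, reflected XSS versus output encoding, and blacklist versus whitelist input validation) in runnable form. This is an added example written for this page, not course material or code from any of the listed textbooks. It needs no database or browser: the `sql` tagged template is a constructed stand-in for a real driver's placeholder API, and all function names, the username rule and the payload strings are assumptions made for the illustration.

```javascript
// Added example (not from the course page). Everything below is constructed
// for illustration; `sql` imitates a driver's placeholder interface only.

// --- 1. SQL injection -------------------------------------------------------
// Vulnerable: user input is concatenated into the query text, so a value such
// as  ' OR '1'='1  changes the structure of the statement.
function findUserUnsafe(username) {
  return `SELECT id, role FROM users WHERE username = '${username}'`;
}

// Hardened: a tagged template that keeps the query text and the values apart,
// the way a real driver's `?` / `$1` placeholders do. The text never contains
// the user's bytes, so no input can alter the statement's structure.
function sql(strings, ...values) {
  return { text: strings.join('?'), values };
}
function findUserSafe(username) {
  return sql`SELECT id, role FROM users WHERE username = ${username}`;
}

// --- 2. Reflected XSS ---------------------------------------------------------
// Vulnerable: the request parameter lands in the HTML response verbatim.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: encode for the HTML text context before interpolating.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function greetSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// --- 3. Blacklist vs. whitelist validation -----------------------------------
// Blacklist (denylist): strips the one token the developer thought of, and is
// bypassed by any other vector, e.g. an <img onerror=...> handler.
function denylistFilter(input) {
  return input.replace(/<script\b[^>]*>.*?<\/script>/gi, '');
}

// Whitelist (allowlist): state exactly what a username may look like and
// reject everything else. (Constructed rule: 3-32 word characters.)
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(input) {
  return USERNAME_RE.test(input);
}

// --- Demo -------------------------------------------------------------------
const sqliPayload = "' OR '1'='1";
console.log(findUserUnsafe(sqliPayload));      // structure changed by input
console.log(findUserSafe(sqliPayload));        // { text: '... = ?', values: [...] }

const xssPayload = '<img src=x onerror="alert(1)">';
console.log(greetUnsafe(xssPayload));          // executable markup in the page
console.log(greetSafe(xssPayload));            // inert, encoded text
console.log(denylistFilter(xssPayload) === xssPayload); // true: blacklist missed it
console.log(isValidUsername(xssPayload));      // false: allowlist rejects it
console.log(isValidUsername('alice_01'));      // true
```

Run with `node` to see the two query shapes and the two HTML outputs side by side. The point of section 3 is that the blacklist returns the `<img onerror>` payload untouched, while the allowlist rejects it without needing to know any attack syntax at all.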

TEXTBOOKS / REFERENCES

  1. Peter Yaworski, “Real-World Bug Hunting: A Field Guide to Web Hacking”
  2. Michal Zalewski, “The Tangled Web: A Guide to Securing Modern Web Applications”
  3. Dafydd Stuttard and Marcus Pinto, “The Web Application Hacker’s Handbook”, Second Edition, 2011
  4. OWASP, “Web Security Testing Guide”, Fourth Edition

Course Objectives

  • CO1. Understand the basic concepts behind modern web architecture and development, along with a solid understanding of the protocols that power them.
  • CO2. Become familiar with basic concepts such as authentication and state management in the context of the application layer of web sites and applications.
  • CO3. Learn about the various web application vulnerabilities such as SQLi, LFI and XSS, the ways in which they can be exploited, and how to properly secure against them.

DISCLAIMER: The appearance of external links on this web site does not constitute endorsement by the School of Biotechnology/Amrita Vishwa Vidyapeetham or the information, products or services contained therein. For other than authorized activities, the Amrita Vishwa Vidyapeetham does not exercise any editorial control over the information you may find at these locations. These links are provided consistent with the stated purpose of this web site.
