Introduction to Web Application Security

For a limited time, save 25% on this course

* This offer expires October 6, 2014 at 11:59pm PT and cannot be combined with any other discounts.

In this course, you will learn fundamental principles of securing web applications using PHP.  As web applications have become more complex, threats due to cross-site scripting (XSS) and SQL injection attacks are increasingly problematic.  Designing and testing your web applications to protect against these threats is essential.

Upon completion of this course, you will be able to:

  • Identify common security flaws in web applications.
  • Investigate and repair application security flaws.
  • Encrypt passwords for safe storage.
  • Build an application that handles output encoding to protect against XPath injection, SQL injections, and cross-site scripting.
  • Securely authenticate and handle user sessions.
  • Intercept and modify web requests to discover new issues.

From beginning to end, you will learn by doing your own PHP-based projects and submitting them for instructor feedback. These projects, as well as the final project, will add to your portfolio and provide needed experience to design secure web applications. Besides a browser and Internet connection, all software is provided online by the O’Reilly School of Technology.

Prerequisites: Introduction to PHP, or equivalent skills. This course is meant for the beginning or intermediate programmer.

90 Clock-hours

Tuition: $398.00 regular price; $298.50 with the 25% discount (plus fees)


Course Details and Syllabus

Course: Introduction to Web Application Security
Tuition: $398.00 regular price; $298.50 with the 25% discount (plus fees)
Time Frame: This course is online and self-paced. You can expect to work approximately 90 hours on this course.
Technical Requirements: As long as you have a web browser and internet connection, you can take this course from anywhere in the world.
Software: The Ellipse Learning Sandbox™ provided for you will contain all your lessons, projects, quizzes, account files, editors, and compiling tools necessary to build your skills from beginning to end, even beyond coursework. No other software is needed.
Instructor: You will have one instructor throughout the course who will evaluate your projects and quizzes, hand them back for improvement when necessary, and coach you throughout your skills advancement.
Book: All required course materials and software are included online within the Learning Sandbox™. However, after a week of being enrolled, you’ll receive the ebook Web Security Testing Cookbook as a reference resource from O’Reilly.
Certificates: This course does not currently count towards a certificate.
Prerequisites: Introduction to PHP, or equivalent experience. This course is meant for the beginning or intermediate programmer.
Topics: Activities, views, navigation with data, drawables, lists, menus, saving data with an SQLite database, and threading, etc.
Syllabus:

Lesson 1: Getting Started

  • Learning with O’Reilly School of Technology Courses
  • What is Web Application Security?
  • Website Communication
  • GET Requests – The Basic Request of the Web
  • Using the CodeRunner® Editor and Saving Your Page
  • Saving and Retrieving Your Page
  • Viewing Your Page
  • URLs: The Addresses of the Web
  • POSTs: How Forms Work
  • HTTPS/SSL: Securing the Communications
  • Getting Your Computer Set Up
  • Installing The Tamper-Data Plugin

Lesson 2: Adding Basic Authentication

  • Halt! Who Goes There?
  • Hmm… What to Test?
  • Wrapping Up

Lesson 3: Improving Authentication by Adding Session Management

  • What is Session Management?
  • Investigating Our Own Session Management
  • Halt! Who Goes There?
  • Let’s Make a Cookie!
  • Implementing Proper Session Management
  • Common Session Management Gotchas

Lesson 4: Handling a Form

  • Forms: A Building Block of Web Applications
  • Directory Entry Form
  • Testing
  • More on File Formats
  • Halt! Who Goes There? Scope Creep

Lesson 5: Client-Side Validation

  • Client-Side Validation
  • Hmm… What to Validate?
  • Validate, Validate, Validate
  • Five-Minute Crash Course on jQuery and JavaScript
  • Implementing the Validation
  • Validate the Validation!
  • We Don’t Need No Stinkin’ Validation!
  • Halt! You need JavaScript
  • Those Dang Speedbumps!
  • Trying to Hide, Eh?
  • You Think You Can Stop Me?

Lesson 6: Input Validation: Server-Side, Whitelisting, and Blacklisting

  • Server-Side Validation
  • Adding Server-Side Validation
  • Does it Actually Validate?
  • Whitelist and Blacklist Validations
  • Whitelist Validations
  • Blacklist Validations
  • Hey! Stop Typing Those Characters!
  • You Can’t Stop Me!
  • Oh Yes, I Can Stop You
  • Validating vs. Sanitizing
  • In Conclusion

Lesson 7: Input Validation: Types and Headers

  • Welcome Back!
  • Regular Expression Overview
  • Adding a RegEx Check
  • Range Checking and Type Checking
  • Range Checking
  • Are You My Type?
  • Implementing Range and Type Checking
  • HTTP Headers
  • Header Checking

Lesson 8: Output Encoding

  • Introduction to Output Encoding
  • What is Encoding?
  • Displaying the .CSV File
  • The Downside to Displaying User Content
  • HTML Encoding: What is it?
  • htmlspecialchars vs. htmlentities
  • Cross-Site Scripting
  • Is There an Echo In Here?
  • Do You Want an Umlaut With That u?
  • Encoding for JavaScript

Lesson 9: Making Authentication More Robust

  • Introduction: Improving Authentication
  • One File to Rule Them All
  • XML and XPath Basics
  • Who Needs a Password?
  • Fixing The Login Script
  • Adding User Management

Lesson 10: Making the Passwords Secret

  • Introduction
  • Symmetric Encryption
  • A Cryptography Primer
  • More Details on Symmetric Encryption
  • More Details on Asymmetric Encryption
  • The Downside of Using Encryption
  • Why a Password Leak Matters
  • Moving Away From Encryption
  • What is Hashing?
  • Why Just Hashing Won’t Cut It
  • Would You Like a Little Salt With Your Hash?
  • Constant-Time Hashing

Lesson 11: Direct Browsing

  • Introduction
  • No One Would Ever Know About X
  • Now You See Me…Now You Don’t
  • So What? We Can Access a File
  • Another Way To Find Files
  • Mishandling of File Types
  • Fun With Google

Lesson 12: SQL Injection

  • Introduction
  • Migrating to a Database
  • Database Setup
  • Populating the Database
  • Changing the User Class
  • Testing the Database
  • Fixing our Injection Issue
  • Parameterized Queries
  • Injections While Blind

Lesson 13: Cross-Site Request Forgery

  • Welcome Back!
  • The Same Origin Policy and You
  • SOP Workarounds
  • Cross-Site Request Forgery
  • GET vs POST
  • Fixing CSRF
  • Session vs. Per Instance Tokens

Lesson 14: Password Reset

  • Password Resets – Introduction
  • Password Reset v1
  • Abusing Password Reset v1
  • Password Reset v2
  • Just Sending An Email Doesn’t Cut It
  • Password Reset v3

Lesson 15: Information Disclosure

  • Welcome Back!
  • Wait… Don’t I Just Include You?
  • Exception Handling
  • PHP Errors
  • Client-Side Information Leakage
  • Server Information Leakage