2011.5.30

Part 3. CERT Training Course on Web Security 

Date: 2011.6.3 ~ 4
Place: Dar es Salaam
Instructors:  Koichiro "Sparky" Komiyama and Suguru Yamaguchi, JPCERT/CC

Abstract:
Web services have become the vital information sharing and processing platform of the Internet today.
With the wider range of functions provided by web services, the web platform now works
very tightly with other information systems around the world.
However, even with several standardization efforts for protocols and data structures,
web servers are incorporating more complicated components such as JavaScript,
Flash and PDF handlers to deliver the sophisticated services their customers expect.
This trend toward adding more complicated components to web servers also makes
the operation and management of information security for web services more difficult.
In this two-day course, we study in depth what modern web services and their protocols are,
what the security issues in the web service platform are, and how we can deal
with them as operators and managers. This course requires participants to have
basic knowledge of the TCP/IP protocol suite, operating system architecture in modern
information systems, and the digital representations of the wide variety of data handled on the Internet.

The components we learn in this class are:
- Web servers and HTTP protocol details
- Basics of using a web access analyzer
- Integral components of web services such as content encoding schemes, JavaScript, and HTTP session managers
- Web Application Firewalls (WAF)
- Authentication and access control for web servers
- Modern attack techniques against web servers, including spoofing using web cookies, cross-site scripting, and tapping
- Basic techniques of JavaScript validation and tricks used to bypass such validation procedures at web servers
- Using SOAP
This class also provides opportunities to learn more through hands-on sessions.


Goal:
After completing this course, participants will...
- Understand why web applications are so easily attacked
- Be able to use security testing tools (such as Fiddler)
- Know how to identify and avoid common vulnerabilities
- Start to think like a hacker
- Know how to conduct web application security hands-on sessions

Schedule:

First Day (6.3)

   Session 1: (180 minutes)
              Lecture: HTTP Protocol, Web Server and Web Applications

   Session 2: (60 minutes)
              Lecture: Setup Exercise Tools

   Session 3: (90 minutes)
              Exercise 1: Web application security exercise

Second Day (6.4)

   Session 4: (240 minutes)
              Exercise 2: Web application security exercise

   Session 5: (90 minutes)
              Exercise 3: Web application security exercise

   Session 6: (90 minutes)
              Lecture: Tools for Trainers


Appendix: List of Exercises
             - HTTP basics
             - Basic authentication
             - Spoof an authentication cookie
             - Bypass client side JavaScript validation
             - Bypass a path based access control
             - Stored XSS attacks
             - Reflected XSS attacks
             - Fail open authentication scheme
             - Discover clues in HTML
             - Create a SOAP request