SlideShare a Scribd company logo

Web security Contents

Z
zakieh alizadeh

This document describes a 24-hour specialized training course on web application security in PHP. The course syllabus covers topics such as web application architecture, HTTP protocol, common vulnerabilities, SQL injection, authentication strategies, authorization, XSS and CSRF prevention, session management, file uploads, threat modeling and more. The target audience are web application developers and the course will help participants learn how to develop secure PHP applications. It provides examples of vulnerable code and practices for securing code against common attacks.

1 of 4
Download to read offline
‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬ ‫برنامه‬ ‫امنیت‬‫وب‬ ‫تحت‬ ‫کاربردی‬ ‫های‬ : ‫دوره‬ ‫کد‬APA 121 24‫ساعت‬ http://cert.um.ac.ir cert@um.ac.ir ‫دوره‬‫آموزشی‬ ‫های‬ ‫تاب‬‫ســتــان‬9315
‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬2‫از‬4 :‫دوره‬ ‫مخاطبان‬‫برنامه‬‫توسعه‬ ‫و‬ ‫نویسان‬‫برنامه‬ ‫دهندگان‬‫وب‬ ‫تحت‬ ‫کاربردی‬ ‫های‬ ‫پیش‬:‫دوره‬ ‫نیازهای‬‫با‬ ‫آشنایی‬‫برنامه‬‫وب‬ ‫تحت‬ ‫نویسی‬‫(پیاد‬‫ه‬‫سازی‬‫ها‬‫زبان‬ ‫به‬PHP)‫بود‬ ‫خواهد‬ ‫ثبت‬ ‫روش‬:‫نام‬‫به‬‫وب‬ ‫طریق‬ ‫از‬ ‫و‬ ‫الکترونیکی‬ ‫صورت‬‫آزمایشگاه‬ ‫گاه‬‫مشهد‬ ‫فردوسی‬ ‫دانشگاه‬ ‫آپا‬ ‫تخصصی‬‫نشانی‬ ‫به‬ http://cert.um.ac.ir‫می‬ ‫انجام‬.‫گیرد‬ :‫دوره‬ ‫سرفصل‬ Row # Course Syllabus (Web Application Security in PHP) 1  Description of "Web Application Architecture"  Introducing HTTP Protocol  Web Applications ' Main Security Problem  Introducing Some Vulnerable Web Applications  Introducing Some Security Testing Firefox Extensions  Scenario : "Tampering HTTP Requests"  HTTP Requests and Responses  HTTP Methods  HTTP Proxies  Security Related HTTP Headers  Practice: Tampering Some Headers & Fields 2,3  Data Validation  Data Validation Strategies  Where to Include Validation  Preventing SQL Injection Attacks in PHP  Scenario : " Perform SQL Injection attacks in College Library Website"  Introduction to SQL Injection Attacks  Countermeasures Of SQL Injection  Interpreter Injection  HTTP Injection o HTTP Response Splitting  Practice : Implement 2 Simple Login Page For "PHP Test Application" :  vulnerable to the SQL Injection  Secure to the SQL Injection 4  Strategies For Strong Authentication in PHP  Scenario : " Providing An Appropriate Authentication for College Library Website "  Common Web Authentication Threats  Common Attacker Testing Authentication  Common Weak Web Authentication Strategies  Strategies For Strong Authentication in php o Strategies For Preventing Brute Force Attacks o Strategies For Preventing SQL Injection Attacks o Strategies For Check strength Of Username And Password
‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬3‫از‬4  Authorization  Scenario : " Providing An Appropriate Authorization for College Library Website "  Objectives  Authorization Strategies  Principle Of Least Privilege o How to Determine If Application Is Vulnerable o How to Protect Application  Centralized Authorization Routines  Client-Side Authorization Tokens  Access Control models o DAC o MAC o RBAC  Practice 1 : Complete "PHP Test Application" Login o Secure To Brute Force Attacks  Practice 2 : Implement Simple RBAC Access Control in Test Application 5,6  Preventing XSS and CSRF Attacks in PHP  Scenario 1 : " Preventing XSS in College Library Website "  Scenario 2 : " Stealing Cookies Using XSS "  Introduce XSS attacks  Strategies for Preventing of XSS  Scenario 3 : " Testing CSRF in College Library Website "  Introduce CSRF Attacks  Strategies For Preventing Of CSRF o Some Weak Strategies For Preventing Of CSRF  Web Browser Security Models  Same Origin/Domain Policy  Cookie Security Model  Flash Model Security  Clickjacking  Introduce Clickjacking Attacks  defending against Clickjacking  Practice: Implement News Management Page For "PHP Test Application" :  Vulnerable to XSS Attacks 7  Next Generation Web Application Attacks  Cross-Domain Attacks  Malicious JavaScript  Malicious AJAX  Scenario: "Intercepting And Modifying Ajax Requests" 8  AJAX Security  AJAX Types  AJAX Parameter Manipulation 9  Protecting Sensitive Data  Scenario : " Protecting Sensitive Data in College Library Website "  Encryption  Data Protection in Storage o Encryption vs. Encoding
‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬4‫از‬4 o Least Privilege o using ORM  Data Protection in Transit  Using SSL  Channel Security vs. Token Security 10  Secure Session Management  Scenario : " Providing Strong Session Management in College Library Website "  Description Mechanism of Sessions and Cookies  Common Attacker Testing Session Management  Introducing Session Management Attacks o Session Fixation o Session Brute-Forcing o Session Hijacking o Session Poisoning  Strategies Of Session Storage  Strategies For Providing Secure Session Management 11  Path traversal & File Inclusion  Scenario : " Preventing Path traversal & File Inclusion in College Library Website "  Introducing File Uploads Threats  Countermeasure Of File Uploads Threats  Strategies Of Secure File Upload  Practice: Implement Secure File Upload in Test Application:  Data integrity must be respected 12  Application Threat Modeling  Introducing Sample Application " College Library Website "  Scenario : " Producing The Threat Model For The College Library Website "  Decompose The Application  Threat Model Information o External Dependencies o Entry Points o Assets o Trust Levels  Determine And Rank Threats o Threat Categorization o Introducing STRIDE And ASF  Security Controls  Countermeasure Identification  Mitigation Strategies  Review of Other Vulnerabilities of Web Application  Security Missconfiguration in PHP o When Application Vulnerable to 'Security Misconfiguration  Invalidated Redirect and Forwards  Error handling And Logging  Introducing MVC Software Architecture  Introducing and Comparing PHP Framworks o Introducing " Yii " PHP Framework

Recommended

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site AttacksUTD Computer Security Group
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemEditor IJCATR
 

Recommended

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site AttacksUTD Computer Security Group
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemEditor IJCATR
 
Antiviruxss
AntiviruxssAntiviruxss
AntiviruxssMarcusgcm
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NETDaniel Krasnokucki
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall introRich Helton
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksValency Networks
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policySastry Tumuluri
 
Attques web
Attques webAttques web
Attques webTarek MOHAMED
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
DNS hijacking
DNS hijackingDNS hijacking
DNS hijackingMaarten Van Horenbeeck
 
Web design trends 2015
Web design trends 2015Web design trends 2015
Web design trends 2015pixel-arabia
 
دوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییزدوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییزAXPrint | عکس‌پرینت
 

More Related Content

What's hot

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall introRich Helton
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksValency Networks
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policySastry Tumuluri
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 

What's hot (20)

Antiviruxss
AntiviruxssAntiviruxss
Antiviruxss
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Web application security I
Web application security IWeb application security I
Web application security I
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP Frameworks
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policy
 
Attques web
Attques webAttques web
Attques web
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
DNS hijacking
DNS hijackingDNS hijacking
DNS hijacking
 

Viewers also liked

Web design trends 2015
Web design trends 2015Web design trends 2015
Web design trends 2015pixel-arabia
 
دوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییزدوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییزAXPrint | عکس‌پرینت
 
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟Kaaj Web design
 
How to get noticed at the trade show
How to get noticed at the trade showHow to get noticed at the trade show
How to get noticed at the trade showIryna Nezhynska
 
بالا بردن آمار بازدید و دریافت بک لینک
بالا بردن آمار بازدید و دریافت بک لینکبالا بردن آمار بازدید و دریافت بک لینک
بالا بردن آمار بازدید و دریافت بک لینکراهنمای نرم افزار
 
توسعه، از وب تا پلتفرم‌های دیگر
توسعه، از وب تا پلتفرم‌های دیگرتوسعه، از وب تا پلتفرم‌های دیگر
توسعه، از وب تا پلتفرم‌های دیگرWeb Standards School
 
Designing for Emotions
Designing for EmotionsDesigning for Emotions
Designing for EmotionsJames Farnell
 
آینده برنامه‌های تحت وب و Mobile Web
آینده برنامه‌های تحت وب و Mobile Webآینده برنامه‌های تحت وب و Mobile Web
آینده برنامه‌های تحت وب و Mobile WebWeb Standards School
 
عرض تطبيقات
عرض تطبيقاتعرض تطبيقات
عرض تطبيقاتsh1435
 
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایل
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایلسخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایل
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایلWeb Standards School
 
راهنمای سریع گذار به وب ۳ از منظر کلان داده
راهنمای سریع گذار به وب ۳ از منظر کلان دادهراهنمای سریع گذار به وب ۳ از منظر کلان داده
راهنمای سریع گذار به وب ۳ از منظر کلان دادهWeb Standards School
 
انفجار تجربه‌کاربری
انفجار تجربه‌کاربریانفجار تجربه‌کاربری
انفجار تجربه‌کاربریWeb Standards School
 
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوب
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوبتصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوب
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوبpixel-arabia
 
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآنshekoofe bahrami
 

Viewers also liked (20)

Web design trends 2015
Web design trends 2015Web design trends 2015
Web design trends 2015
 
دوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییزدوازده روایت تصویری از کوچ طبیعت به پاییز
دوازده روایت تصویری از کوچ طبیعت به پاییز
 
Steps of buy
Steps of buySteps of buy
Steps of buy
 
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟
کاج وب دیزاین (سامانه سایت ساز کاج) چیست؟
 
فارسی در پهنه وب
فارسی در پهنه وبفارسی در پهنه وب
فارسی در پهنه وب
 
How to get noticed at the trade show
How to get noticed at the trade showHow to get noticed at the trade show
How to get noticed at the trade show
 
بالا بردن آمار بازدید و دریافت بک لینک
بالا بردن آمار بازدید و دریافت بک لینکبالا بردن آمار بازدید و دریافت بک لینک
بالا بردن آمار بازدید و دریافت بک لینک
 
توسعه، از وب تا پلتفرم‌های دیگر
توسعه، از وب تا پلتفرم‌های دیگرتوسعه، از وب تا پلتفرم‌های دیگر
توسعه، از وب تا پلتفرم‌های دیگر
 
Brand Identity System
Brand Identity SystemBrand Identity System
Brand Identity System
 
عصر چت بات‌ها
عصر چت بات‌هاعصر چت بات‌ها
عصر چت بات‌ها
 
Designing for Emotions
Designing for EmotionsDesigning for Emotions
Designing for Emotions
 
بهره وری فناوری اطلاعات و ارتباطات
بهره وری فناوری اطلاعات و ارتباطاتبهره وری فناوری اطلاعات و ارتباطات
بهره وری فناوری اطلاعات و ارتباطات
 
آینده برنامه‌های تحت وب و Mobile Web
آینده برنامه‌های تحت وب و Mobile Webآینده برنامه‌های تحت وب و Mobile Web
آینده برنامه‌های تحت وب و Mobile Web
 
عرض تطبيقات
عرض تطبيقاتعرض تطبيقات
عرض تطبيقات
 
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایل
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایلسخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایل
سخنرانی جناب مهندس جهانگرد در همایش آینده وب و موبایل
 
النشرة الإلكترونية الشهرية - العدد 26 - أيلول/ 2016 - جمعية الإرشاد والإصلاح
النشرة الإلكترونية الشهرية - العدد 26 - أيلول/ 2016 - جمعية الإرشاد والإصلاحالنشرة الإلكترونية الشهرية - العدد 26 - أيلول/ 2016 - جمعية الإرشاد والإصلاح
النشرة الإلكترونية الشهرية - العدد 26 - أيلول/ 2016 - جمعية الإرشاد والإصلاح
 
راهنمای سریع گذار به وب ۳ از منظر کلان داده
راهنمای سریع گذار به وب ۳ از منظر کلان دادهراهنمای سریع گذار به وب ۳ از منظر کلان داده
راهنمای سریع گذار به وب ۳ از منظر کلان داده
 
انفجار تجربه‌کاربری
انفجار تجربه‌کاربریانفجار تجربه‌کاربری
انفجار تجربه‌کاربری
 
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوب
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوبتصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوب
تصميم مواقع | الملف التعريفي لشركة بكسل العربية لتصميم مواقع الوب
 
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن
(WEB TRACKING) ردیابی کاربران در وب و متدهای دفاعی در برابرآن
 

Similar to Web security Contents

Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
EC-Council Secure Programmer Java
EC-Council Secure Programmer JavaEC-Council Secure Programmer Java
EC-Council Secure Programmer JavaBOOSTurSKILLS
 
EC-Council secure programmer. net
EC-Council secure programmer. netEC-Council secure programmer. net
EC-Council secure programmer. netBOOSTurSKILLS
 
Ec-Council secure programmer. net
Ec-Council secure programmer. netEc-Council secure programmer. net
Ec-Council secure programmer. netBOOSTurSKILLS
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
ADVANCED PENETRATION TESTING.pdf
ADVANCED PENETRATION TESTING.pdfADVANCED PENETRATION TESTING.pdf
ADVANCED PENETRATION TESTING.pdfCert Hippo
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs💻 Javier Garza
 
Security Operations
Security OperationsSecurity Operations
Security Operationsankitmehta21
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Trainingpivotalsecurity
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptjangomanso
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secureIMMUNIO
 

Similar to Web security Contents (20)

Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
EC-Council Secure Programmer Java
EC-Council Secure Programmer JavaEC-Council Secure Programmer Java
EC-Council Secure Programmer Java
 
EC-Council secure programmer. net
EC-Council secure programmer. netEC-Council secure programmer. net
EC-Council secure programmer. net
 
Ec-Council secure programmer. net
Ec-Council secure programmer. netEc-Council secure programmer. net
Ec-Council secure programmer. net
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
ADVANCED PENETRATION TESTING.pdf
ADVANCED PENETRATION TESTING.pdfADVANCED PENETRATION TESTING.pdf
ADVANCED PENETRATION TESTING.pdf
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
 
Security Operations
Security OperationsSecurity Operations
Security Operations
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
 

More from zakieh alizadeh

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection zakieh alizadeh
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Securityzakieh alizadeh
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Datazakieh alizadeh
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
 
Validating and Sanitizing User Data
Validating and Sanitizing User DataValidating and Sanitizing User Data
Validating and Sanitizing User Datazakieh alizadeh
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validationzakieh alizadeh
 

More from zakieh alizadeh (15)

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Security
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Data
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authentication
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
yii framework
yii frameworkyii framework
yii framework
 
Validating and Sanitizing User Data
Validating and Sanitizing User DataValidating and Sanitizing User Data
Validating and Sanitizing User Data
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Introduce Yii
Introduce YiiIntroduce Yii
Introduce Yii
 

Web security Contents

  • 1. ‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬ ‫برنامه‬ ‫امنیت‬‫وب‬ ‫تحت‬ ‫کاربردی‬ ‫های‬ : ‫دوره‬ ‫کد‬APA 121 24‫ساعت‬ http://cert.um.ac.ir cert@um.ac.ir ‫دوره‬‫آموزشی‬ ‫های‬ ‫تاب‬‫ســتــان‬9315
  • 2. ‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬2‫از‬4 :‫دوره‬ ‫مخاطبان‬‫برنامه‬‫توسعه‬ ‫و‬ ‫نویسان‬‫برنامه‬ ‫دهندگان‬‫وب‬ ‫تحت‬ ‫کاربردی‬ ‫های‬ ‫پیش‬:‫دوره‬ ‫نیازهای‬‫با‬ ‫آشنایی‬‫برنامه‬‫وب‬ ‫تحت‬ ‫نویسی‬‫(پیاد‬‫ه‬‫سازی‬‫ها‬‫زبان‬ ‫به‬PHP)‫بود‬ ‫خواهد‬ ‫ثبت‬ ‫روش‬:‫نام‬‫به‬‫وب‬ ‫طریق‬ ‫از‬ ‫و‬ ‫الکترونیکی‬ ‫صورت‬‫آزمایشگاه‬ ‫گاه‬‫مشهد‬ ‫فردوسی‬ ‫دانشگاه‬ ‫آپا‬ ‫تخصصی‬‫نشانی‬ ‫به‬ http://cert.um.ac.ir‫می‬ ‫انجام‬.‫گیرد‬ :‫دوره‬ ‫سرفصل‬ Row # Course Syllabus (Web Application Security in PHP) 1  Description of "Web Application Architecture"  Introducing HTTP Protocol  Web Applications ' Main Security Problem  Introducing Some Vulnerable Web Applications  Introducing Some Security Testing Firefox Extensions  Scenario : "Tampering HTTP Requests"  HTTP Requests and Responses  HTTP Methods  HTTP Proxies  Security Related HTTP Headers  Practice: Tampering Some Headers & Fields 2,3  Data Validation  Data Validation Strategies  Where to Include Validation  Preventing SQL Injection Attacks in PHP  Scenario : " Perform SQL Injection attacks in College Library Website"  Introduction to SQL Injection Attacks  Countermeasures Of SQL Injection  Interpreter Injection  HTTP Injection o HTTP Response Splitting  Practice : Implement 2 Simple Login Page For "PHP Test Application" :  vulnerable to the SQL Injection  Secure to the SQL Injection 4  Strategies For Strong Authentication in PHP  Scenario : " Providing An Appropriate Authentication for College Library Website "  Common Web Authentication Threats  Common Attacker Testing Authentication  Common Weak Web Authentication Strategies  Strategies For Strong Authentication in php o Strategies For Preventing Brute Force Attacks o Strategies For Preventing SQL Injection Attacks o Strategies For Check strength Of Username And Password
  • 3. ‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬3‫از‬4  Authorization  Scenario : " Providing An Appropriate Authorization for College Library Website "  Objectives  Authorization Strategies  Principle Of Least Privilege o How to Determine If Application Is Vulnerable o How to Protect Application  Centralized Authorization Routines  Client-Side Authorization Tokens  Access Control models o DAC o MAC o RBAC  Practice 1 : Complete "PHP Test Application" Login o Secure To Brute Force Attacks  Practice 2 : Implement Simple RBAC Access Control in Test Application 5,6  Preventing XSS and CSRF Attacks in PHP  Scenario 1 : " Preventing XSS in College Library Website "  Scenario 2 : " Stealing Cookies Using XSS "  Introduce XSS attacks  Strategies for Preventing of XSS  Scenario 3 : " Testing CSRF in College Library Website "  Introduce CSRF Attacks  Strategies For Preventing Of CSRF o Some Weak Strategies For Preventing Of CSRF  Web Browser Security Models  Same Origin/Domain Policy  Cookie Security Model  Flash Model Security  Clickjacking  Introduce Clickjacking Attacks  defending against Clickjacking  Practice: Implement News Management Page For "PHP Test Application" :  Vulnerable to XSS Attacks 7  Next Generation Web Application Attacks  Cross-Domain Attacks  Malicious JavaScript  Malicious AJAX  Scenario: "Intercepting And Modifying Ajax Requests" 8  AJAX Security  AJAX Types  AJAX Parameter Manipulation 9  Protecting Sensitive Data  Scenario : " Protecting Sensitive Data in College Library Website "  Encryption  Data Protection in Storage o Encryption vs. Encoding
  • 4. ‫معرفی‬‫دوره‬‫آموزشی‬‫تخصصی‬‫امنیت‬‫برنامه‬‫های‬‫کاربردی‬‫تحت‬‫وب‬ ‫کد‬:‫دوره‬APA 121–‫تاب‬‫ستان‬9315 http://cert.um.ac.ir ‫صفحه‬4‫از‬4 o Least Privilege o using ORM  Data Protection in Transit  Using SSL  Channel Security vs. Token Security 10  Secure Session Management  Scenario : " Providing Strong Session Management in College Library Website "  Description Mechanism of Sessions and Cookies  Common Attacker Testing Session Management  Introducing Session Management Attacks o Session Fixation o Session Brute-Forcing o Session Hijacking o Session Poisoning  Strategies Of Session Storage  Strategies For Providing Secure Session Management 11  Path traversal & File Inclusion  Scenario : " Preventing Path traversal & File Inclusion in College Library Website "  Introducing File Uploads Threats  Countermeasure Of File Uploads Threats  Strategies Of Secure File Upload  Practice: Implement Secure File Upload in Test Application:  Data integrity must be respected 12  Application Threat Modeling  Introducing Sample Application " College Library Website "  Scenario : " Producing The Threat Model For The College Library Website "  Decompose The Application  Threat Model Information o External Dependencies o Entry Points o Assets o Trust Levels  Determine And Rank Threats o Threat Categorization o Introducing STRIDE And ASF  Security Controls  Countermeasure Identification  Mitigation Strategies  Review of Other Vulnerabilities of Web Application  Security Missconfiguration in PHP o When Application Vulnerable to 'Security Misconfiguration  Invalidated Redirect and Forwards  Error handling And Logging  Introducing MVC Software Architecture  Introducing and Comparing PHP Framworks o Introducing " Yii " PHP Framework