August, 21st (1 day)
This hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the complete day a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications (XSS, SQL-Injection, CSRF, Command Injection, Session Attacks, etc.) and continue to more specialized security holes (covering XML as well as REST-ful interfaces and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding specialized security headers and considering encryption techniques. The main intention behind this course is to learn and practice web application hardening by stepwise finding security holes and closing them.
Participants should bring their laptop with a JDK 6, capable of running Burp Suite, either free or pro version (http://www.portswigger.net/burp/download.html). Please pre-install Burp and verify it works. Also Eclipse IDE for Java EE Developers (http://www.eclipse.org/downloads/) should be installed as well as the Firefox browser and Tomcat 7 (http://tomcat.apache.org). The rest (training application sources, etc.) will be available on-site via download link.
About the trainer
Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, and focuses on Java since 1999. Aside from the traditional software engineering tasks he support clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German Java Magazin) and speaks at conferences about web application hardening (WJAX and JAX). He conducts in-house trainings about Java web application security and blogs at http://www.Christian-Schneider.net.
For more information or additional questions please contact Christian at mail _at_ christian-schneider.net