You, This Course and Us
  • You, This Course and Us
What Is Security?
  • Security and its building blocks
  • Security related definitions and categories
Cross Site Scripting
  • What is XSS?
  • Learn by example - how does an XSS attack work?
  • Types of XSS
  • XSS mitigation and prevention
User Input Sanitization And Validation
  • Sanitizing input
  • Sanitizing input - still not done
  • Validating input
  • Validating input - some more stuff to say
  • Client Side Encoding, Blacklisting and Whitelisting inputs
The Content Security Policy Header
  • Rules for the browser
  • Default directives and wildcards
  • Stay away from inline code and the eval() function
  • The nonce attribute and the script hash
Credentials Management
  • Broken authentication and session management
  • All about passwords - Strength, Use and Transit
  • All about passwords - Storage
  • Learn by example - login authentication
  • A little bit about hashing
  • All about passwords - Recovery
Session Management
  • What is a session?
  • Anatomy of a session attack
  • Session hijacking - count the ways
  • Learn by example - sessions without cookies
  • Session ids using hidden form fields and cookies
  • Session hijacking using session fixation
  • Session hijacking countermeasures
  • Session hijacking - sidejacking, XSS and malware
SQL Injection
  • Who Is Bobby Tables?
  • Learn by example - how does SQLi work?
  • Anatomy of a SQLi attack - unsanitized input and server errors
  • Anatomy of a SQLi attack - table names and column names
  • Anatomy of a SQLi attack - getting valid credentials for the site
  • Types of SQL injection
  • SQLi mitigation - parameterized queries and stored procedures
  • SQLi mitigation - Escaping user input, least privilege, whitelist validation
Cross Site Request Forgery
  • What is XSRF?
  • Learn by example - XSRF with GET and POST parameters
  • XSRF mitigation - The referer, origin header and the challenge response
  • XSRF mitigation - The synchronizer token
Lots Of Interesting Bits Of Information
  • The Open Web Application Security Project
  • 2-factor authentication and OTPs
  • Social Engineering
Direct Object Reference
  • The direct object reference attack - do not leak implementation details
  • Direct object reference mitigations
IFrames
  • IFrames come with their own security concerns
  • Sandboxing iframes
One last word
  • Wrapping up the OWASP top 10 list
PHP and MySQL Install And Set Up
  • Installing PHP (Windows)
  • Enabling MySQL and using phpMyAdmin (Windows)
  • Installing PHP (Mac)
  • Installing MySQL (Mac)
  • Using MySQL Workbench (Mac)
  • Getting PHP and MySQL to talk to each other (Mac)