Topics
Day 1
Authentication
What is authentication
Store passwords securely
Hashing
Brute force
Dictionary attack
Anti-automation
CAPTCHA
Account lockout
User enumeration
Basic & Digest authentication
Windows integration
Form-based authentication
Authorization
Client-side authorization
Forceful browsing
UI-based security
Parameter tampering
Insecure direct object reference
File authorization
URL authorization
ACL (Access Control List)
RBAC (Role-based access control)
Input Validation
OS command injection
SQL Injection
Prepared statement
Stored procedure
XPath injection
LDAP injection
Data type conversion
Black list
White list
Day 2
File Handling
Directory traversal
Canonicalization
File extension handling
Filename threats
Directory listing
Data Confidentiality & Integrity
Homemade algorithm
Insecure communication
Secure traffic enforcement
Insecure storage
Symmetric encryption
Asymmetric encryption
Java Cryptography Architecture (JCA)
Hash functions
Digital signatures
Application Denial of Service Vulnerabilities
Application / OS crash
CPU starvation
Memory starvation
File system starvation
Resource starvation
Resource locking
Triggering high network bandwidth
User level DoS
Exploiting a specific vulnerability to cause DoS
Day 3
Code Protection
Reverse engineering techniques
Obfuscation
Native compilers
Jar protection – Signed jar, Sealed jar
Digitally signed applets
Secure object serialization
Error Handling
Information disclosure
Exceptions and stack trace
Default error pages
Security Logging
Logging technologies
Events you should log
Events you should not log
Business Logic
Logical attacks
Flow bypassing
Replay attacks
Abuse of functionality