
Hack Yourself First: How to go on the Cyber-Offense

Course Summary

The prevalence of online attacks against websites has accelerated quickly in recent years and the same risks continue to be readily exploited. However, these are very often easily identified directly within the browser; it's just a matter of understanding

Course Syllabus

    ● Introduction
        ◦ About the course
        ◦ Why hack yourself first
        ◦ Introducing a vulnerable website – Supercar Showdown
        ◦ Using Chrome's developer tools
        ◦ Monitoring and composing requests with Fiddler
        ◦ Modifying requests and responses in Fiddler
    ● Transport Layer Protection
        ◦ Introduction
        ◦ The three objectives of transport layer protection
        ◦ Understanding a man in the middle attack
        ◦ Protecting sensitive data in transit
        ◦ The risk of sending cookies over insecure connections
        ◦ How loading login forms over HTTP is risky
        ◦ Exploiting mixed-mode content
        ◦ The HSTS header
        ◦ Summary
    ● Cross Site Scripting (XSS)
        ◦ Introduction
        ◦ Understanding untrusted data and sanitisation
        ◦ Establishing input sanitisation practices
        ◦ Understanding XSS and output encoding
        ◦ Identifying the use of output encoding
        ◦ Delivering a payload via reflected XSS
        ◦ Testing for the risk of persistent XSS
        ◦ The X-XSS-Protection header
        ◦ Summary
    ● Cookies
        ◦ Introduction
        ◦ Cookies 101
        ◦ Understanding HttpOnly cookies
        ◦ Understanding secure cookies
        ◦ Restricting cookie access by path
        ◦ Reducing risk with cookie expiration
        ◦ Using session cookies to further reduce risk
        ◦ Summary
    ● Internal Implementation Disclosure
        ◦ Introduction
        ◦ How an attacker builds a website risk profile
        ◦ Server response header disclosure
        ◦ Locating at-risk websites
        ◦ HTTP fingerprinting of servers
        ◦ Disclosure via robots.txt
        ◦ The risks in HTML source
        ◦ Internal error message leakage
        ◦ Lack of access controls on diagnostic data
        ◦ Summary
    ● Parameter Tampering
        ◦ Introduction
        ◦ Identifying untrusted data in HTTP request parameters
        ◦ Capturing requests and manipulating parameters
        ◦ Manipulating application logic via parameters
        ◦ Testing for missing server side validation
        ◦ Understanding model binding
        ◦ Executing a mass assignment attack
        ◦ HTTP verb tampering
        ◦ Fuzz testing
        ◦ Summary
    ● SQL Injection
        ◦ Outline
        ◦ Understanding SQL injection
        ◦ Testing for injection risks
        ◦ Discovering database structure via injection
        ◦ Harvesting data via injection
        ◦ Automating attacks with Havij
        ◦ Blind SQL injection
        ◦ Secure app patterns
        ◦ Summary
    ● Cross Site Attacks
        ◦ Introduction
        ◦ Understanding cross site attacks
        ◦ Testing for a cross site request forgery risk
        ◦ The role of anti-forgery tokens
        ◦ Testing cross site request forgery against APIs
        ◦ Mounting a clickjacking attack
        ◦ Summary
    ● Account Management
        ◦ Introduction
        ◦ Understanding password strength and attack vectors
        ◦ Limiting characters in passwords
        ◦ Emailing credentials on account creation
        ◦ Account enumeration
        ◦ Denial of service via password reset
        ◦ Correctly securing the reset processes
        ◦ Establishing insecure password storage
        ◦ Testing for risks in the 'remember me' feature
        ◦ Re-authenticating before key actions
        ◦ Testing for authentication brute force
        ◦ Summary

Course Fee: USD 29

1 - 4 hours / week
