Web Application Security: hands-on intro

formerly known as: Hack the heck out of this website!
(not this one though, the one we'll be using in the course)

Course schedule:

• Day 1:
• 9.00-10.30:
• Welcome and get to know each other
• Intro block: web application security
• 10.45-12.15:
• Intro block: web hacking quickstart reference
• Practice Session I: XSS
• - - - ( 🍲 🌮 🥪 L U N C H   B R E A K 🥪 🌮 🍲 ) - - -
• 14.00-15.45:
• Practice Session II: CSRF
• 16.00-16.30:
• Open questions

• Day 2:
• 9.00-10.30:
• Warm-up & quick recap
• Practice Session III: SQLi
• 10.45-12.15:
• Practice Session IV: Command injection, file inclusion, file uploads
• - - - ( 🍲 🌮 🥪 L U N C H   B R E A K 🥪 🌮 🍲 ) - - -
• 14.00-15.45:
• Open practice block
• 16.00-16.30:
• Closing reflection & discussion

Practice session outline:

• Intro to the type of vulnearbility / attack (~ 20-30min)
• Hands-on hacking (~ 30-45min)
• Reflection & discussion (~ 15-30min)

Content links:

• Setup Guide
• Intro Guide: Web Application Security ((slides))
• Intro Guide: Web Hacking Quickstart Reference ((slides))
• XSS
• CSRF
• SQLi
• Command injection, file inclusion, file upload
• Collection of solutions to exercises and further materials

Credits:

This course is based on an older version we did for the ditact in 2021 and 2022 together with Melanie Hosinner. Specifically the guides on XSS and SQLi where created by Melanie.