Segurança de Redes e Computadores

Este curso faz parte do Programa de cursos integrados Secure Coding Practices

Exploiting and Securing Vulnerabilities in Java Applications

oferecido por

Programa de cursos integrados Secure Coding Practices

Universidade da Califórnia, Davis

Informações sobre o curso

11,950 visualizações recentes

In this course, we will wear many hats. With our Attacker Hats on, we will exploit Injection issues that allow us to steal data, exploit Cross Site Scripting issues to compromise a users browser, break authentication to gain access to data and functionality reserved for the ‘Admins’, and even exploit vulnerable components to run our code on a remote server and access some secrets. We will also wear Defender Hats. We will dive deep in the code to fix the root cause of these issues and discuss various mitigation strategies. We do this by exploiting WebGoat, an OWASP project designed to teach penetration testing. WebGoat is a deliberately vulnerable application with many flaws and we take aim at fixing some of these issues. Finally we fix these issues in WebGoat and build our patched binaries. Together we will discuss online resources to help us along and find meaningful ways to give back to the larger Application Security community.

Curso 4 de 4 no

Programa de cursos integrados Secure Coding Practices

100% on-line

Comece imediatamente e aprenda em seu próprio cronograma.

Prazos flexíveis

Redefinir os prazos de acordo com sua programação.

Nível intermediário

Aprox. 14 horas para completar

Sugerido: 4 weeks of study, 2-5 hours/week...

Inglês

Legendas: Inglês

O que você vai aprender

Practice protecting against various kinds of cross-site scripting (XSS) attacks.

Form plans to mitigate injection vulnerabilities in your web application.

Create strategies and controls to provide secure authentication.

Examine code to find and patch vulnerable components.

Habilidades que você terá

Javasecure programmingJava Programmingsecurity

Curso 4 de 4 no

Programa de cursos integrados Secure Coding Practices

100% on-line

Comece imediatamente e aprenda em seu próprio cronograma.

Prazos flexíveis

Redefinir os prazos de acordo com sua programação.

Nível intermediário

Aprox. 14 horas para completar

Sugerido: 4 weeks of study, 2-5 hours/week...

Inglês

Legendas: Inglês

Programa - O que você aprenderá com este curso

Semana

7 horas para concluir

Setup and Introduction to Cross Site Scripting Attacks

In this module, you will be able to use Git and GitHub to pull needed source code. You will be able to run WebGoat in a Docker container and explain reasons for doing so. You'll be able to describe cross-site scripting attacks and explain how these attacks happen and how to guard against them. You'll be able to differentiate between a DOM-based, Reflected, and Stored cross-site scripting attacks. You will be able to practice protecting against various kinds of cross-site scripting attacks.

14 vídeos (Total 89 mín.), 3 leituras, 2 testes

14 videos

Course Introduction3min

Overview of Resources and Tools for This Course4min

Setup and Introduction to Cross-site Scripting1min

Tips and Tricks to Use Git for Course and Project8min

How to Import WebGoat into IDE7min

How to Run WebGoat in a Docker Container5min

Injection Attacks: What They Are and How They Affect Us9min

Cross-site Scripting (XSS), Part 110min

Protecting Against Cross-site Scripting (XSS), Part 29min

Patching Reflected Cross-site Scripting (XSS), Part 36min

Stored Cross-site Scripting (XSS)14min

Dangers of Cross-site Scripting (XSS) Attacks4min

A Note About Finding Lessons on WebGoat32s

Introduction to Labs (Peer Reviewed)2min

3 leituras

A Note From UC Davis10min

OWASP Cross Site Scripting Prevention Cheat Sheet1h

Note About Peer Review Assignments10min

1 exercício prático

Module 1 Quiz30min

Semana

7 horas para concluir

Injection Attacks

In this module, you will be able to exploit a SQL injection vulnerability and form plans to mitigate injection vulnerabilities in your web application. You will be able to discuss various approaches to finding and fixing XML, Entity and SQL attack vulnerabilities. You'll be able to describe and protect against a "man-in-the-middle" attack and describe the the thought process to find SQL injection vulnerabilities by "putting on the attacker's hat". You will be able to demonstrate how to properly modify queries to get them into prepared statements and analyze code while using an XML viewer and text editor to find vulnerabilities. You'll also be able to navigate a large code base to find critical segments of code and patch vulnerabilities.

10 vídeos (Total 80 mín.), 2 leituras, 2 testes

10 videos

Injection Attacks1min

Tutorial: Using a Proxy to Intercept Traffic from Client to Servers7min

SQL Syntax and Basics: Putting On the Attacker Hat10min

Solution to SQL Injection Attacks (SQLi)7min

SQL Injection Attacks: Evaluation of Code13min

XML External Entity (XXE) Attacks8min

Demo of an XML External Entity (XXE) Attack to Gain Remote Code Execution (RCE)5min

Evaluation of Code - XXE through a REST Framework8min

Solution: Evaluation of Code - XXE through a REST Framework8min

Patching the XXE Vulnerability9min

2 leituras

OWASP SQL Injection Prevention Cheat Sheet45min

OWASP XML External Entity Prevention Cheat Sheet45min

1 exercício prático

Module 2 Quiz30min

Semana

6 horas para concluir

Authentication and Authorization

In this module, you will be able to evaluate authentication flaws of various kinds to identify potential problems and create strategies and controls to provide secure authentication. You'll be able to create and/or implement controls to mitigate authentication bypass and draw lessons from notable instances where others failed to authenticate users. You will be able to properly implement authentication methods like JSON Web Tokens (JWT). You will be able to find vulnerabilities in a large code base and provide a solution for demonstrating and exploiting JSON Web Tokens (JWT).

12 vídeos (Total 57 mín.), 2 leituras, 2 testes

12 videos

Authentication and Authorization53s

Introduction to Authentication Flaws in WebGoat1min

Authentication Bypass Exploit3min

Tips and Tricks for Burp Suite: Use Proxy to Intercept Traffic4min

Solution to Authentication Bypass: Evaluation of Code7min

Finding Vulnerabilities and Logical Flaws in Source Code10min

Introduction to JSON Web Tokens (JWT) and Authentication Bypass49s

Authentication Flaw JSON Web Tokens (JWT)7min

Solution Demo: Exploiting JSON Web Tokens (JWT)8min

Evaluating Code to Find the JSON Web Tokens (JWT) Flaw4min

Hint Video: (JWT) Patching the Vulnerable Code in WebGoat47s

Solution to Patch JWT Flaw6min

2 leituras

OWASP Transaction Authorization Cheat Sheet1h

A Beginner's Guide to JWTs in Java'45min

1 exercício prático

Module 3 Quiz30min

Semana

4 horas para concluir

Dangers of Vulnerable Components and Final Project

In this module, you will be able to use the OWASP Dependency Checker while analyzing code and verify that you have vulnerable components in the code. You will be able to examine code to find and patch vulnerable components. You will be able to apply what you learned from previous module activities to finalize your final project.

5 vídeos (Total 26 mín.), 3 leituras, 2 testes

5 videos

Dangers of Vulnerable Components Introduction1min

Vulnerable Components (XStream Library)9min

Solution: Fixing Vulnerabilities with XStream11min

Introduction to Labs (Peer Reviewed)2min

Course Summary1min

3 leituras

Article: How Hackers Broke Equifax: Exploiting a Patchable Vulnerabil10min

Article: Exploiting OGNL Injection in Apache Struts30min

Note About Peer Review Assignments10min

1 exercício prático

Module 4 Practice Quiz5min

Instrutores

Joubin Jabbari

Software Security Architect, Financial Industry

Continuing and Professional Education

Sobre Universidade da Califórnia, Davis

UC Davis, one of the nation’s top-ranked research universities, is a global leader in agriculture, veterinary medicine, sustainability, environmental and biological sciences, and technology. With four colleges and six professional schools, UC Davis and its students and alumni are known for their academic excellence, meaningful public service and profound international impact....

Sobre Programa de cursos integrados Secure Coding Practices

This Specialization is intended for software developers of any level who are not yet fluent with secure coding and programming techniques.Through four courses, you will cover the principles of secure coding, concepts of threat modeling and cryptography and exploit vulnerabilities in both C/C++ and Java languages, which will prepare you to think like a hacker and protect your organizations information. The courses provide ample practice activities including exploiting WebGoat, an OWASP project designed to teach penetration testing....

Perguntas Frequentes – FAQ

Quando terei acesso às palestras e às tarefas?
Ao se inscrever para um Certificado, você terá acesso a todos os vídeos, testes e tarefas de programação (se aplicável). Tarefas avaliadas pelos colegas apenas podem ser enviadas e avaliadas após o início da sessão. Caso escolha explorar o curso sem adquiri-lo, talvez você não consiga acessar certas tarefas.
O que recebo ao me inscrever nesta Especialização?
Quando você se inscreve no curso, tem acesso a todos os cursos na Especialização e pode obter um certificado quando concluir o trabalho. Seu Certificado eletrônico será adicionado à sua página de Participações e você poderá imprimi-lo ou adicioná-lo ao seu perfil no LinkedIn. Se quiser apenas ler e assistir o conteúdo do curso, você poderá frequentá-lo como ouvinte sem custo.
Qual é a política de reembolso?
Existe algum auxílio financeiro disponível?

Mais dúvidas? Visite o Central de Ajuda ao Aprendiz.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.