Web Application Security in Practice – OWASP Top 10 and APIs (HCK4)

Cybersecurity, ICT Security

This course guides you through the most common security mistakes in modern applications based on the current OWASP Top 10, covering not only technical vulnerabilities but also design flaws and process weaknesses that put apps at real-world risk.

The course is highly practical: each topic includes real attack demos, source code analysis and hands-on exercises to solve independently. A dedicated block covers REST and SOAP API security, token management, authorization and practical mitigation techniques.

Location, current course term

Contact us

Custom

Customized Training (date, location, content, duration)

The course:

Hide detail

• Introduction to application security
1. Attacker mindset and principles of a secure mindset
2. Summary of notable real incidents and their impact
3. Overview of the OWASP project and the Top 10 list
4. Relation to DevSecOps and building security culture

• A01: Broken Access Control
1. Why access control errors occur
2. Common mistakes: IDOR and missing server-side checks
3. Real incident examples and flawed implementations
4. Prevention and detection of insufficient access control

• A02: Cryptographic Failures
1. Failures in encrypting data in transit and at rest
2. Misuse of algorithms and incorrect TLS implementations
3. Poor password storage and hashing mistakes
4. Recommendations for storing, transmitting and protecting secrets

• A03: Injection
1. Types of injection: SQL, OS, LDAP, NoSQL
2. Unvalidated input reaching interpreters
3. Framework influences on inserting values into queries/commands
4. Prevention techniques and safe input handling

• A04: Insecure Design / SSDLC
1. Difference between design flaws and implementation bugs
2. Principles of secure-by-design systems
3. Threat modeling and risk identification early in development
4. Secure design patterns and practical examples
5. Design review versus late-stage vulnerability fixes

• A05: Security Misconfiguration
1. Common weaknesses in config files and tools
2. Default accounts, open ports, missing headers, incorrect CORS
3. Importance of secure default settings
4. Automated scanning and configuration checks

• A06: Vulnerable and Outdated Components
1. Risks of relying on outdated libraries and modules
2. Identifying vulnerabilities via CVEs and SBOMs
3. Update processes and dependency management
4. Importance of testing after updates

• A07: Identification and Authentication Failures
1. Password breaches, session hijacking, weak authentication
2. Misconfigured cookies and non-rotating tokens
3. Importance of multi-factor authentication (MFA)
4. Differences in authentication between apps and APIs

• A08: Software and Data Integrity Failures
1. Unverified modules, updates and supply-chain risks
2. Integrity of build processes (CI/CD)
3. Code and update signing practices
4. Trust issues with external repositories and libraries

• A09: Security Logging and Monitoring Failures
1. What and when to log from a security perspective
2. Relation to forensic analysis and incident detection
3. Common errors: missing logs, unprotected logs
4. Basics of SIEM integration and alerting

• A10: Server-Side Request Forgery (SSRF)
1. SSRF principles and why it’s increasingly common
2. Examples of handling user URLs or webhooks incorrectly
3. Abuse scenarios in cloud and internal networks
4. Protective measures (allowlists, metadata blocking)

• REST and SOAP API security
1. Differences between classic apps and REST/SOAP interfaces
2. Inputs, authentication and authorization at the API layer
3. Issues with rate limiting, pagination, IDOR, HPP
4. Token management and tenant data isolation
5. OWASP API Top 10 mapping and design implications

Assumed knowledge:

Basic web development or testing knowledge; familiarity with HTTP, web technologies and basic shell use.

Schedule:

2 days (9:00 AM - 5:00 PM )

Language: