Call : (+91) 968636 4243
Mail : info@EncartaLabs.com

Web Application Security in Python

( Duration: 3 Days )

Your Web application written in Python works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -231? Because that’s what the bad guys will do – and the list is far from complete.

This Web Application Security in Python training course goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details. All this is put in the context of Python, and extended by core programming issues, discussing security pitfalls of the programming language.

By attending Web Application Security in Python workshop, delegates will learn:

Getting familiar with essential cyber security concepts
Understanding Web application security issues
Detailed analysis of the OWASP Top Ten elements
Putting Web application security in the context of Python
Going beyond the low hanging fruits
Managing vulnerabilities in third party components
Identify vulnerabilities and their consequences
Security best practices in Python
Input validation approaches and principles

General Python and Web development

The Web Application Security in Python class is ideal for:

Python developers working on Web applications

COURSE AGENDA

1

Cyber security basics

What is security?
Threat and risk
Cyber security threat types
Consequences of insecure software

2

The OWASP Top Ten - 1

OWASP Top 10
A1 – Injection

Injection principles
Injection attacks
SQL injection

SQL injection basics
Attack techniques
Content-based blind SQL injection
Time-based blind SQL injection

Input validation
Parameterized queries
Additional considerations

Code injection

Code injection via input()
OS command injection
Avoiding command injection with the right APIs
Script injection
Server-side template injection (SSTI)

A2 – Broken Authentication

Authentication basics
Multi-factor authentication
Authentication weaknesses – spoofing
Spoofing on the Web
Password management

Inbound password management
Storing account passwords
Password in transit
Dictionary attacks and brute forcing
Salting
Adaptive hash functions for password storage
Password policy
NIST authenticator requirements for memorized secrets
The dictionary attack
The ultimate crack
Exploitation and the lessons learned
Password database migration
(Mis)handling null passwords

3

The OWASP Top Ten - 2

A2 – Broken Authentication

Password management

Outbound password management
Hard coded passwords
Protecting sensitive information in memory
Challenges in protecting memory

Session management

Session management essentials
Why do we protect session IDs – Session hijacking
Session fixation
Session handling in Flask

A3 – Sensitive Data Exposure

Information exposure
Exposure through extracted data and aggregation
Error and exception handling principles

A4 – XML External Entities (XXE)

DTD and the entities
Entity expansion
External Entity Attack (XXE)

File inclusion with external entities
Server-Side Request Forgery with external entities
Preventing XXE

A5 – Broken Access Control

Access control basics
Failure to restrict URL access
Confused deputy

Insecure direct object reference (IDOR)
Authorization bypass through user-controlled keys

File upload

Unrestricted file upload
Good practices

A6 – Security Misconfiguration

Configuration principles
Configuring Flask

A7 – Cross-site Scripting (XSS)

Cross-site scripting basics
Cross-site scripting types

Persistent cross-site scripting
Reflected cross-site scripting
Client-side (DOM-based) cross-site scripting

Protection principles – escaping
XSS protection APIs in Python
XSS protection in Jinja2
Additional protection layers
Client-side protection principles

A8 – Insecure Deserialization

Serialization and deserialization challenges
Deserializing untrusted streams
Deserialization with pickle
PyYAML deserialization challenges

A9 – Using Components with Known Vulnerabilities

Using vulnerable components
Assessing the environment
Hardening
Untrusted functionality import
Malicious packages in Python
Importing JavaScript
Vulnerability management

Patch management
Vulnerability databases

A10 – Insufficient Logging & Monitoring

Logging and monitoring principles
Insufficient logging
Plaintext passwords at Facebook

Web application security beyond the Top Ten

Client-side security
Same Origin Policy

Tabnabbing

Frame sandboxing

Cross-Frame Scripting (XFS) attack
Clickjacking beyond hijacking a click

4

Common software security weaknesses

Input validation

Input validation principles

Blacklists and whitelists
Data validation techniques
What to validate – the attack surface
Where to validate – defense in depth
How to validate – validation vs transformations
Output sanitization
Encoding challenges
Validation with regex
Regular expression denial of service (ReDoS)
Dealing with ReDoS

Files and streams

Path traversal
Path traversal-related examples
Additional challenges in Windows
Format string issues

Unsafe native code

Native code dependence

5

JSON security

JSON injection
Dangers of JSONP
JSON/JavaScript hijacking

Encarta Labs Advantage

One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
All courses are delivered by Industry Veterans
Get jumpstarted from newbie to production ready in a matter of few days

Trained more than 50,000 Corporate executives across the Globe
All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.

Top

Notice

X