Training: OWASP Top 10

• Web applications are ubiquitous in today's computing world. In

• this course, you'll learn about software developer tools that can
• result in secure web application creation. You'll learn about
• server-side and client-side code, as well how to scan a web app for
• vulnerabilities using OWASP ZAP and Burp Suite. Next, you’ll
• explore secure coding using the OWASP ESAPI. Moving on, you’ll
• examine how to enable the Metasploitable intentionally vulnerable
• web app virtual machine. You'll also learn about different types of
• software testing methodologies and the difference between
• vulnerability scanning and penetration testing. Lastly, you'll
• learn how to deploy a web application firewall in the Microsoft
• Azure cloud.

• Many web applications accept input from either external data

• sources or app users. In this course, you'll learn about various
• types of injection attacks such as SQL and command injections. You
• will learn how malicious users submit malicious code or commands to
• a web app for execution by the web server stack. Next, you'll learn
• how to test a web app for injection vulnerabilities using the OWASP
• ZAP tool. Next, you’ll set low security for a vulnerable web
• application tool in order to allow the execution of injection
• attacks. Next, you'll execute various types of injection attacks
• against a web application. Lastly, you will learn how to mitigate
• injection attacks using techniques such as input validation and
• input sanitization.

• Hardening user and device authentication can go a long way in

• securing web applications. In this course, you'll start by learning
• the difference between authentication and authorization, where
• authorization follows successful authentication. You'll also learn
• how authentication and authorization are related to web application
• security. Next, you'll explore how to hash and encrypt user
• credentials and harden user accounts through Microsoft Group
• Policy. You'll then examine how to use freely available tools to
• crack user credentials in various ways, such as using the John the
• Ripper tool to pass Linux passwords and the Hydra tool to crack RDP
• passwords. Lastly, you'll learn how to enable user multi-factor
• authentication and conditional access policies, as well as how to
• mitigate weak authentication.

• Data is one of the most valuable assets to an organization and

• must be protected in accordance with applicable laws, regulations,
• and security standards. In this course, you'll learn about attacks
• that compromise sensitive data, as well as how to classify
• sensitive data using a variety of methods. Next, you'll examine how
• to hash files in Windows and Linux, along with various methods of
• file encryption for Windows devices. You'll then explore the PKI
• hierarchy and how to use a certificate to secure a web application
• with HTTPS. Lastly, you'll learn how to configure IPsec, encrypt
• cloud storage, and mitigate sensitive data attacks.

• Extensible Markup Language uses tags to describe data and has

• become the standard information exchange format between dissimilar
• systems. Many applications use XML to share and manage data. In
• this course, you'll begin with an XML overview, including document
• type definitions and how XML differs from HTML. Next, you’ll learn
• what XML external entity attacks are. Moving on, you'll examine how
• the OWASP ZAP tool can scan a vulnerable web application and
• identify weaknesses. Next, you'll explore how to scan a web app for
• XXE vulnerabilities and execute an XXE attack. Lastly, you'll learn
• how to mitigate XXE attacks.

• Resource authorization occurs after successful authentication.

• Resources include objects such as files, folders, web apps, storage
• accounts, virtual machines, and so on. In this course, you'll learn
• about various resource access control models including MAC, DAC,
• and RBAC. Next, you'll examine how broken access control attacks
• occur. You'll then explore HTTP methods, as well as how to set file
• system permissions in Windows and Linux, assign permissions to
• code, and digitally sign a PowerShell script. Lastly, you'll learn
• about identify federation, how to execute broken access control
• attacks, and how to mitigate broken access control attacks.

• Modern on-premises and cloud networks consist of many types of

• network devices, hosts, and services. Each of these must be
• configured and monitored to ensure continued compliance with
• organization security policies. In this course, you'll learn about
• various types of security misconfigurations, including using
• default credentials, leaving unnecessary services running, and
• exposing services unnecessarily to the Internet. Next, you'll
• explore application container management, including how to pull
• containers from Docker Hub and then start them. Moving on, you'll
• examine how containers relate to security, how to harden security
• settings through Group Policy, and how to manage software updates
• on-premises and in the cloud.

• Most web apps accept some kind of input, whether from users or

• through other automated means. All app input must be treated as
• untrusted and must be vigorously validated to ensure application
• and data integrity. In this course, you'll learn the difference
• between Java and JavaScript, as well as what cross-site scripting
• is and how it can compromise a web site and its visitors. Next,
• you'll learn how to execute various XSS attacks against an
• intentionally vulnerable virtual machine, including through web
• forms. You'll also explore how to use XSS to hijack a user web
• browser and how to mitigate XSS attacks.

• Object-oriented programming is common when writing scripts, as

• well as during software development. OOP treats items as objects
• that have properties and methods, as opposed to treating command
• output as a simple string. In this course, you'll learn about OOP
• along with some syntax examples. You'll explore how programming
• objects become serialized and deserialized and how this can present
• a security risk to web applications. Next, you'll examine how
• deserialization works in PowerShell, as well as how to execute a
• deserialization attack against an intentionally vulnerable web
• application. Lastly, you'll learn how to prevent deserialization
• attacks from succeeding.

• Software developers often use existing third-party APIs and

• software components instead of recreating the wheel, so to speak.
• This reduces development time and time to market for software
• products. In this course, you'll learn that only trusted APIs and
• components should be used, that developers must truly understand
• how these items work, and that they must be kept up-to-date. Next,
• you'll learn about the Heartbleed Bug and how to view components in
• Microsoft Visual Studio. You'll then examine how security must
• apply to all aspects of Continuous Integration and Continuous
• Delivery. Lastly, you'll explore how to search the shodan.io web
• site for vulnerable devices and apps.

• Modern web applications can consist of many components, which

• are often running within application containers. Each component
• must be monitored to detect intrusions. In this course, you'll
• learn about various ways monitoring can be enabled in Linux on
• individual hosts, in Windows, and in cloud computing environments.
• Next, you'll explore how to forward log entries to a central
• logging host in Linux and in Windows. You'll then learn how to
• monitor cloud-based web application performance. Moving on, you’ll
• examine how to download and configure the Snort IDS by creating IDS
• rules for Telnet and ICMP network traffic. Lastly, you'll learn how
• to analyze packet captures for suspicious activity and mitigate
• monitoring deficiencies.

• There are almost two billion web sites in the world today. Many

• of these sites are not sufficiently protected against attacks. In
• this course, you'll begin by learning how to install a sample
• vulnerable web application. Next, you'll explore how to use
• reconnaissance methods, such as nmap scanning and web app scanning
• using OWASP ZAP, to discover HTTP hosts and vulnerable
• applications. You'll learn how to execute attacks including XSS,
• CSRF, file injection, and denial of service. You'll move on to
• examine how to capture user keystrokes using a hardware keylogger
• and capture cleartext HTTP transmissions. Lastly, you'll learn how
• to forge fake TCP/IP packets and then deploy and secure a
• cloud-hosted web application.

Final Exam: OWASP Top 10 Mitigations will test your knowledge and application of the topics presented throughout the Skillsoft Aspire Web App Vulnerability Analyst Journey.