Web Security: Common Vulnerabilities And Their Mitigation
4.0 (136 ratings)
3,391 students enrolled


A guide to dealing with XSS, session hijacking, XSRF, credential management, SQLi and a whole lot more
Created by Loony Corn
Last updated 4/2018
English [Auto-generated]
This course includes
  • 8 hours on-demand video
  • 105 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What you'll learn
  • Understand how common web security attacks work
  • Know how to write code which mitigates security risks
  • Implement secure coding practices to reduce vulnerabilities
Course content
56 lectures 08:01:56
+ What Is Security?
2 lectures 23:53

Authentication, authorization, auditing, availability, confidentiality and integrity. If any of these principles are compromised on your site, your site is at risk

Preview 13:41

A few definitions - risk, threat, vulnerability and attack. Reasons why websites are at risk. Known and unknown risks.

Preview 10:12
+ Cross Site Scripting
4 lectures 50:18

Start off with a well known security attack - script injection can wreak havoc on your site.

What is XSS?

A simple but realistic example of how XSS could affect your site

Learn by example - how does an XSS attack work?

Persistent, reflected and DOM based XSS. The differences are subtle but important.

Types of XSS

How can you protect yourself from script injection? What are the good practices to follow?

XSS mitigation and prevention
+ User Input Sanitization And Validation
5 lectures 50:45

Some more techniques by which input can be cleaned up

Sanitizing input - still not done

Check for patterns in your input. Only allow those patterns which seem legit!

Validating input

PHP offers a whole bunch of ways to validate input, some more here.

Validating input - some more stuff to say

What else can you do to make sure user input is safe to use?

Client Side Encoding, Blacklisting and Whitelisting inputs
+ The Content Security Policy Header
4 lectures 39:43
Rules for the browser

Specify default directives so things are less onerous and learn to use wildcards

Default directives and wildcards

Inline code and the eval() function usually spell trouble for your site

Preview 08:13

If you must use inline code, the Content Security Policy header gives you a few outs.

The nonce attribute and the script hash
+ Credentials Management
6 lectures 57:14

What makes a good password? Set some constraints so your users are forced to choose strong passwords.

All about passwords - Strength, Use and Transit

Do not store passwords in plain text. When it comes to security you cannot trust even those who work with you.

All about passwords - Storage
Learn by example - login authentication
A little bit about hashing
All about passwords - Recovery
+ Session Management
8 lectures 51:53
Session hijacking - count the ways
Learn by example - sessions without cookies
Session ids using hidden form fields and cookies
Session hijacking using session fixation
Session hijacking counter measures
Session hijacking - sidejacking, XSS and malware
+ SQL Injection
8 lectures 57:35
Learn by example - how does SQLi work?
Anatomy of a SQLi attack - unsanitized input and server errors
Anatomy of a SQLi attack - table names and column names
Anatomy of a SQLi attack - getting valid credentials for the site
Types of SQL injection
SQLi mitigation - parameterized queries and stored procedures
SQLi mitigation - Escaping user input, least privilege, whitelist validation
+ Cross Site Request Forgery
4 lectures 32:24
What is XSRF?
Learn by example - XSRF with GET and POST parameters
XSRF mitigation - The referer, origin header and the challenge response

An example using a secure token to verify that the request comes from a trusted site.

XSRF mitigation - The synchronizer token
Requirements
  • A basic understanding of how the web browser works: rendering, headers, cookies and sessions
  • A basic understanding of Javascript and PHP to follow the examples

Coat your website in armor and protect yourself against the most common threats and vulnerabilities. Understand, with examples, how common security attacks work and how to mitigate them. Learn secure practices to keep your website users safe.

Let's parse that.

  • How do common security attacks work?: This course walks you through an entire range of web application security attacks, XSS, XSRF, Session Hijacking, Direct Object Reference and a whole lot more.
  • How do we mitigate them?: Mitigating security risks is a web developer's core job. Learn by example how you can prevent script injection, use secure tokens to mitigate XSRF, manage sessions and cookies, sanitize and validate input, manage credentials safely using hashing and encryption etc.
  • What secure practices to follow?: See what modern browsers have to offer for protection and risk mitigation, and how you can limit the surface area you expose in your site.

What's included in this course:

  • Security attacks such as Cross Site Scripting, Session Hijacking, Credential Management, Cross Site Request Forgery, SQL Injection, Direct Object Reference, Social Engineering
  • Risk mitigation using the Content Security Policy Header, user input validation and sanitization, secure token validation, sandboxed iframes, secure sessions and expiry, password recovery
  • Web security basics: Two factor authentication, Open Web Application Security Project

Who this course is for:
  • Yep! Students who have some experience in web programming and understand basic browser concepts
  • Nope! Students who are beginners and have never done any web programming