Web Security: Common Vulnerabilities And Their Mitigation
A guide to dealing with XSS, session hijacking, XSRF, credential management, SQLi and a whole lot more
4.2 (34 ratings)
1,883 students enrolled
Created by Loony Corn
Last updated 7/2016
  • 8 hours on-demand video
  • 104 Supplemental Resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion

What Will I Learn?
  • Understand how common web security attacks work
  • Know how to write code which mitigates security risks
  • Implement secure coding practices to reduce vulnerabilities
Requirements
  • A basic understanding of how the web browser works: rendering, headers, cookies and sessions
  • A basic understanding of JavaScript and PHP to follow the examples

Coat your website with armor and protect yourself against the most common threats and vulnerabilities. Understand, with examples, how common security attacks work and how to mitigate them. Learn secure practices to keep your website's users safe.

Let's parse that.

  • How do common security attacks work?: This course walks you through an entire range of web application security attacks: XSS, XSRF, session hijacking, direct object reference and a whole lot more.
  • How do we mitigate them?: Mitigating security risks is part of a web developer's core job. Learn by example how to prevent script injection, use secure tokens to mitigate XSRF, manage sessions and cookies, sanitize and validate input, and manage credentials safely using hashing and encryption.
  • What secure practices to follow?: See what modern browsers offer for protection and risk mitigation, and how you can limit the surface area your site exposes.

What's included in this course:

  • Security attacks such as Cross Site Scripting, Session Hijacking, Credential Management, Cross Site Request Forgery, SQL Injection, Direct Object Reference and Social Engineering
  • Risk mitigation using the Content Security Policy header, user input validation and sanitization, secure token validation, sandboxed iframes, secure sessions and expiry, and password recovery
  • Web security basics: two-factor authentication and the Open Web Application Security Project (OWASP)

Using discussion forums

Please use the discussion forums on this course to engage with other students and to help each other out. Unfortunately, much as we would like to, it is not possible for us at Loonycorn to respond to individual questions from students :-(

We're super small and self-funded with only 2 people developing technical video content. Our mission is to make high-quality courses available at super low prices.

The only way to keep our prices this low is to *NOT offer additional technical support over email or in-person*. The truth is, direct support is hugely expensive and just does not scale.

We understand that this is not ideal and that a lot of students might benefit from this additional support. Hiring resources for additional support would make our offering much more expensive, thus defeating our original purpose.

It is a hard trade-off.

Thank you for your patience and understanding!

Who is the target audience?
  • Yep! Students who have some experience in web programming and understand basic browser concepts
  • Nope! Students who are beginners and have never done any web programming
Curriculum For This Course
56 Lectures
You, This Course and Us
1 Lecture 01:48

What Is Security?
2 Lectures 23:53
  • Preview lecture (13:41)
    Authentication, authorization, auditing, availability, confidentiality and integrity. If any of these principles is compromised on your site, your site is at risk.
  • Preview lecture (10:12)
    A few definitions - risk, threat, vulnerability and attack. Reasons why websites are at risk. Known and unknown risks.

Cross Site Scripting
4 Lectures 50:18
  • What is XSS?
    Start off with a well known security attack - script injection can wreak havoc on your site.
  • Learn by example - how does an XSS attack work?
    A simple but realistic example of how XSS could affect your site.
  • Types of XSS
    Persistent, reflected and DOM based XSS. The differences are subtle but important.
  • XSS mitigation and prevention
    How can you protect yourself from script injection? What are the good practices to follow?

User Input Sanitization And Validation
5 Lectures 50:45
  • Sanitizing input - still not done
    Some more techniques by which input can be cleaned up.
  • Validating input
    Check for patterns in your input. Only allow those patterns which seem legit!
  • Validating input - some more stuff to say
    PHP offers a whole bunch of ways to validate input; some more of them are covered here.
  • Client Side Encoding, Blacklisting and Whitelisting inputs
    What else can you do to make sure user input is safe to use?

The Content Security Policy Header
4 Lectures 39:43
  • Rules for the browser
  • Default directives and wildcards
    Specify default directives so things are less onerous, and learn to use wildcards.
  • Preview lecture (08:13)
    Inline code and the eval() function usually spell trouble for your site.
  • The nonce attribute and the script hash
    If you must use inline code, the Content Security Policy header gives you a few outs.

Credentials Management
6 Lectures 57:14
  • All about passwords - Strength, Use and Transit
    What makes a good password? Set some constraints so your users are forced to choose strong passwords.
  • All about passwords - Storage
    Do not store passwords in plain text. When it comes to security you cannot trust even those who work with you.
  • Learn by example - login authentication
  • A little bit about hashing
  • All about passwords - Recovery

Session Management
8 Lectures 51:53
  • Session hijacking - count the ways
  • Learn by example - sessions without cookies
  • Session ids using hidden form fields and cookies
  • Session hijacking using session fixation
  • Session hijacking countermeasures
  • Session hijacking - sidejacking, XSS and malware

SQL Injection
8 Lectures 57:35
  • Learn by example - how does SQLi work?
  • Anatomy of a SQLi attack - unsanitized input and server errors
  • Anatomy of a SQLi attack - table names and column names
  • Anatomy of a SQLi attack - getting valid credentials for the site
  • Types of SQL injection
  • SQLi mitigation - parameterized queries and stored procedures
  • SQLi mitigation - Escaping user input, least privilege, whitelist validation

Cross Site Request Forgery
4 Lectures 32:24
  • What is XSRF?
  • Learn by example - XSRF with GET and POST parameters
  • XSRF mitigation - The referer, origin header and the challenge response
  • XSRF mitigation - The synchronizer token
    An example using a secure token to verify that the request comes from a trusted site.

Lots Of Interesting Bits Of Information
3 Lectures 28:14
  • Two-factor authentication and OTPs
  • Social Engineering

About the Instructor
Loony Corn
4.3 Average rating
5,508 Reviews
42,789 Students
75 Courses
An ex-Google, Stanford and Flipkart team

Loonycorn is us, Janani Ravi and Vitthal Srinivasan. Between us, we have studied at Stanford, been admitted to IIM Ahmedabad and have spent years working in tech, in the Bay Area, New York, Singapore and Bangalore.

Janani: 7 years at Google (New York, Singapore); Studied at Stanford; also worked at Flipkart and Microsoft

Vitthal: Also Google (Singapore) and studied at Stanford; Flipkart, Credit Suisse and INSEAD too

We think we might have hit upon a neat way of teaching complicated tech courses in a funny, practical, engaging way, which is why we are so excited to be here on Udemy!

We hope you will try our offerings, and think you'll like them :-)