Web Security Crash Course

Presenter: Scott Hand

Date: 9 Feb 2013

Description: This presentation goes over some basic attack techniques for compromising web applications. A brief background on web applications and HTTP is given. Vulnerabilities covered include parameter tampering, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, and general tips on attacking web applications. There was a web CTF with new problems for the course; a link to the source of the problems is provided in a previous web crash course post.

Also uploaded are the demo web apps for learning how to do parameter tampering, SQLi, and XSS/CSRF. There were problems during the presentation due to UT Dallas intrusion prevention systems blocking attempts to demo them. However, they should work fine on any LAMP server with the SQLite PDO module installed. Make sure the data directories are writable by the web server user.

Finally, I also uploaded a cookie grabber that everyone is free to use whenever they need it. It's usually necessary during capture-the-flag web challenges.

Web Security Crash Course Slides

Cookie Grabber Page

Web Crash Course Demos