Web Application Security Certificate for GABRIELA DAN
1. OSI Layers and the security threats and vulnerabilities associated with each layer
= Transport Layer (overview of SSL/TLS and PKI)
• Vulnerabilities:
a. SSL/TLS Implementation Weaknesses
b. DDoS Attacks
c. TCP Protocol Vulnerabilities
• Threats:
a. Man-in-the-Middle (MitM) Attacks
b. Session Hijacking
c. Data Tampering
d. Traffic Analysis
= Session Layer
• Vulnerabilities:
a. Session Fixation
b. Session Expiration
c. Insufficient Entropy in Session IDs
• Threats:
a. Session Hijacking
b. Session Replay
c. Session Impersonation
d. Session Enumeration
= Presentation Layer
• Vulnerabilities:
a. Injection Attacks
b. Insecure Data Encoding
c. Client-Side Security Risks
• Threats:
a. Cross-Site Scripting (XSS)
b. Content Spoofing
c. Insecure File Handling
d. Data Format Manipulation
2. OWASP Top 10 (vulnerabilities and countermeasures):
• A01:2021-Broken Access Control
• A02:2021-Cryptographic Failures
• A03:2021-Injection
• A04:2021-Insecure Design
• A05:2021-Security Misconfiguration
• A06:2021-Vulnerable and Outdated Components (CVE/CVSS, CWE)
• A07:2021-Identification and Authentication Failures
• A08:2021-Software and Data Integrity Failures
• A09:2021-Security Logging and Monitoring Failures
• A10:2021-Server-Side Request Forgery
• Hands-On Exercises
3. Denial-of-service attacks
• Introduction to Denial of Service (DoS) Attacks
• Vulnerabilities and Attack Vectors in Node.js Applications
▪ Slowloris Attack
▪ Resource Exhaustion
▪ Event Loop Blocking
▪ Regular Expression Denial of Service (ReDoS)
▪ WebSocket DoS Attacks
▪ Using Components with Known Vulnerabilities - npm
• DoS Mitigation Techniques in Node.js
▪ Rate Limiting Middleware
▪ Request Timeout Handling
▪ Asynchronous Operations Management
▪ Circuit Breaker Pattern
▪ Monitoring and Alerting
▪ Resource Limiting and Resource Pooling
▪ Fail2ban Integration
▪ Content Delivery Networks (CDNs) and Load Balancers
• Hands-On Exercises and Practical Defense Strategies
4. Secure coding practices associated with Node.js, Express.js, Angular
• Introduction to Secure Coding Practices
• Input Validation and Data Sanitization
• Authentication and Authorization
• Session Management and Cookie Security
• Cross-Site Scripting (XSS) Prevention
• Cross-Site Request Forgery (CSRF) Protection
• Security Headers and Content Security Policy (CSP)
• Secure Communication and HTTPS Configuration
• Configuring TLS/SSL certificates and enabling HTTPS in Node.js and Express.js applications
• Dependency Management and Vulnerability Scanning
• Error Handling and Logging
• Hands-On Exercises
5. Secure file uploads and downloads
• Secure File Handling
• File Upload Best Practices
• Client-Side File Upload Security
• Server-Side File Upload Security
• Secure File Storage
• File Download Security
• Implementing secure file delivery mechanisms
• Anti-Virus and Malware Scanning (clamscan)
• File Metadata Security
• Hands-On Exercises
6. Security testing and tools
• Burp Suite
• OWASP ZAP (Zed Attack Proxy)
• NodeJsScan
• Hands-On Exercises
7. Security Scanning
• Overview of security scanning tools and techniques
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)
• Dependency Scanning (NodeJsScan, Retire.js, and Snyk)
• Container Security Scanning
• API Security Scanning
• Best Practices and Case Studies