Learn Web Security Basics

Day 1: Introduction

1. Hacking into One Month with Jon and Chris!

Learn how to fix your security issues, but stay out of your ex's Facebook account!

2. An Overview of the App We Are Hacking

Hey teach! What are we going to learn?

3. Legal Disclaimer

Use your new powers for good....

Day 2: Hacker Tools - The Proxy

1. Let's Dive into Proxies with Jon and Chris

Rock your sox with proxies

2. Understanding Ports

IP addresses and ports make the internet work

3. Intro to Proxies

Starting our hacking adventures with our first hacking tool

4. Intercepting Requests with Burp

Intercepting HTTP

5. Fun With Encoding

Not-so-lost in translation

Day 3: Account Bruteforcing

1. What is Bruteforcing?

Let's break into some user accounts

2. Guessing Usernames and Passwords

Without a username and password, how can you possibly get in?

3. Harvesting One Month

Want emails? Get collecting! In this lesson we'll use Harvester to collect emails

4. Password Attacks

Automating Bruteforce attacks

5. Fixing Error Message

Wrong error message

6. Enforcing Strong Passwords

Friends don't let friends create stupid passwords

7. Preventing Brute Force Attacks

The rack-attack gem is designed to protect your web app from bad clients

Day 4: Breaking Authorization Controls

1. Trusting Users

Can we hack URL's to access other user's accounts?

2. Securing Request Parameters

Don't trust users, let's fix the parameter security bug

3. Searching For Vulnerabilities

Searching through open source sites

4. Finding Hidden Pages

Let's guess some admin links!

5. Automating File and Directory Discovery with Dirbuster

Finding hidden features

6. Enforcing Admin Access

Locking down the Admin page

Day 5: Cross Site Scripting

1. Let's Discuss "Cross-Site Scripting"

Remember Myspace? Jon and Chris take a trip down memory lane

2. Javascript Hacks Using Cross-Site Scripting (XSS)

How JavaScript can be used to attack a website’s users

3. Hacking Tool - Beef

Where's the Beef? An XSS hacking framework

Day 6: SQL Injection

1. Jon and Chris Breakdown SQL Injection

Changing SQL queries for evil

2. Introduction to Database Queries Using SQL

Let's review SQL

3. Detecting SQL Injection

Finding SQL injection

4. Hack Tool - Sqlmap

Extracting the database

5. Fixing SQL Injection Vulnerabilities

A safer way to query the database

Day 7: Encryption and Storing Secrets

1. Storing Secrets

Shhh! Storing secret data

2. Keeping Passwords

Let’s grab some passwords!

3. Hack Tool - John The Ripper

Let's crack some passwords!

4. Stronger Hashes with Bcrypt

Let's strengthen our password hashes with BCrypt and Salt values

5. Protecting Sensitive Information in a Database

Adding encryption to secret data

6. Reviewing Encryption Code

Let's review some crypto code!

7. Applying Encryption

Encrypting Model Data

8. Masking Sensitive Data

Masking data

Day 8: Calling System Commands

1. Exploiting System Commands

System calls can be dangerous, and lead to the complete compromise of a server. P0wnage!

2. Securing File Operations

How to securely handle files

Day 9: API Security

1. "What the Heck is an API?"

Let's discuss APIs

2. Accessing Models Using an API

Let’s hack some API’s and understand how they can be broken

3. Securing an API

Limiting API data

Day 10: Cross-Site Request Forgery

1. Explaining Cross Site Forgery

Let's talk about forging requests

2. Ruin a Vacation Using Cross-Site Request Forgery

How do you fake a request for another user, for fun and profit?

3. Building a Cross-Site Request Forgery Attack

CSRF in action

4. Hacking Gmail Using CSRF

Let's check out a real life example - Hacking Gmail

5. Protecting Against CSRF

Adding tokens

Day 11: Mass Assignment

1. Understanding Mass Assignment

Mass Assignment in Rails

2. Privilege Escalation Using Mass Assignment

Mass Assignment exploit

3. Preventing Mass Assignment

Preventing Mass Assignment

4. Hacking Github Using Mass Assignment

Hacking Github with Mass Assignment

5. Enhancing Mass Assignment with Strong Parameters

I like my params like I like my coffee...strong

Day 12: Insecure Downloads

1. Hacking Download Functionality

Downloads, uploads, oh my. What could go wrong?

2. Securing File Downloads

Stopping unauthorized downloads!

Day 13: Keeping up to date

1. "Why Do I Have to Update Rails?"

Stay current

2. Maintaining Ruby, Rails, and Gems

Let’s take a look at some problems related to upgrades, patching, and old and busted packages

Day 14: URL Redirection

1. URL Redirection Explained

Keeping it all in the family

2. Understanding URL Redirection Attacks

Redirections gone wild

3. Exploiting URL Redirection

Locking down redirection

4. Fixing URL Redirection Vulnerabilities

Make sure no villains try to redirect you users to evil websites

Day 15: Security Tools - Brakeman

1. Code Audits with Brakeman

Brakeman's super power can be used to identify security issues

2. Hack Tool - Brakeman

A good toolbox will help you keep your code running smoothly and securely

Day 16: OWASP

1. What Can OWASP Do for You?

A cool non-profit that focuses on web app security

2. Additional Resources - OWASP

Introduction to OWASP

Day 17: Rumblr

1. A Rumblr in the Jungle with Jon and Chris

Crack it! You think you can hack it?

2. Rumblr Walkthrough

Let's dig into this Rails-Tumblr app

Day 20: Rumblr Security Issues

1. Rumblr Hack #1

2. Rubmlr Hack #2

3. Rumblr Hack #3

4. Rumblr Hack #4

5. Rumblr Hack #5

6. Rumblr Hack #6

7. Get Your Certificate!

Going Deeper with Jon Rose

1. Hey Jon, "What's Next?"

Apply it! Hack your own site