Seminars

Websecurity Workshop

We would be happy to support you with a workshop on specific topics in the area of IT security. Our workshops are individually tailored to your company’s needs and are aimed at IT experts, IT security experts, and IT and IT security managers.

Below you will find an exemplary agenda for a web security workshop.

Day 1
  • Introduction to the topic
  • IT and information security – information on the DSGVO (GDPR)
  • Technical and organizational security – protocols on the web (HTTP, WebSocket)
  • Principles on the Web (DOM, SOP)
  • Coding principles
  • Session attacks (man-in-the-middle, cookie replay attacks)
  • Session Hijacking & Session Fixation
  • Cross Site Request Forgery (CSRF)
  • Protective measures (encryption, session IDs, CSRF tokens)
Day 2
  • Cross Site Scripting (XSS)
  • Persistent XSS, reflected XSS, DOM-based XSS, Flash-based XSS
  • uXSS, social-engineered XSS, self-XSS
  • Protective measures (filtering, XSS filters in browsers, HttpOnly flag, Content Security Policy)
  • Injection errors such as SQL, OS and LDAP injection / SMTP header injection / HTTP header injection
  • Securing downstream database systems
  • Local File Inclusion (LFI) / Remote File Inclusion (RFI) / Path Traversal / Nullbyte Injection
  • XML External Entities (XXE)
  • Safeguards against file inclusion
  • Broken Access Control
  • Insecure Deserialization
  • UI Redressing / Clickjacking
  • Cursor hacking
  • Advanced UI redressing attacks
  • Protective measures (X-Frame-Options (XFO), Framebusting, Content-Security-Policy)
Day 3
  • Code Audits – .NET Security Code Scan – Security of Authentication Mechanisms
  • Dictionary attacks / brute force method / unsafe comparisons – Rainbow Tables / password cracking
  • Protection measures: Password hashing, password policies, rate limits
  • Kerberos authentication
  • Kerberos authentication security
  • Certificate infrastructure
  • Certificate authentication security
  • Information disclosure (Sensitive Data Exposure)
  • Default values / publicly available information
  • Misconfigurations (directory listing, error messages, referrer leak)
  • “Hidden subdomains” / unvalidated redirects and forwards
  • Using Components with Known Vulnerabilities
  • Race Conditions
  • Attacks against business logic
  • DNS attacks
  • Subdomain Hijacking
  • Typosquatting
  • Vulnerability identification tools
Day 4
  • Security by design (Security by Default)
  • Secure development in the context of agile methods
  • Most important rules for developers and security managers
  • Security Review Basics / Vulnerability Scanning
  • Experience of a penetration tester
  • Security in the design phase for cloud environments

Your contact

You can always reach us personally, because loyalty based on partnership is far more important to us than short-term success.

Philipp Kalweit

Managing Partner

+49 40 285 301 257

hello@kalwe.it

Philipp Kalweit is an experienced IT security consultant on the topics of security awareness and offensive IT auditing. For the past six years, he has been advising and auditing clients from the SME and corporate-group environment, in particular ECB- and BaFin-regulated organizations as well as groups in the retail sector. His consulting focus is on holistic IT security. He was honored for his work in 2019 by DIE ZEIT as “Hamburger of the Month” and in the same year was included in the Forbes “30 under 30 DACH” list.