LEARNING PATH: Application Security Essentials

Attacking and Defending Authentication & Access Control

Web application security, among other things, deals with user authentication and controlling a user's access to private information. From session management, to password management, to direct object reference, authentication and access control mechanisms are as critical as they are easy to misconfigure.

In Attacking and Defending Authentication & Access Control, we step into the shoes of both the attacker and the defender to fully understand web app security. We begin with a look at methods to authenticate users. With the help of hands-on labs, we'll explore how sessions are attacked and how web app session management is defended.

Next, you'll learn in detail about best practices for handling and resetting passwords. Our final module is all about access control. Here, you'll primarily use hands-on labs to learn about various aspects of Insecure Direct Object Reference, including how to implement bulletproof access control systems.

Our learning material is backed by years of security testing experience, knowledge, and original research across our entire security team. This course uses practical learning with labs and exercises extensively, with the aim of getting you as comfortable as possible with the moving parts of web application authentication and access control.

Attacking and Defending Authentication & Access Control
Proficiency: Beginner
Audience: Application Security
Course Duration: 4
Lessons: 18
Cloud Labs: 4

    • Web App Authentication – An Overview
    • Web App Authorization – An Overview
    • Attacks against Authentication and Authorization – Evolution and Real-world attacks
    • Attacking and Defending Sessions
      • Lab: Session Fixation
      • Lab: Session Hijacking
    • Defending Web Application Session Management
      • Lab: Preventing Session Fixation
      • Lab: Session Security Attributes
    • Defending Password Management and Password Reset Systems
      • Password Handling best practices
      • Password Reset Best Practices
    • Insecure Direct Object Reference: A Primer
    • Lab: Insecure Direct Object Reference – Primary Key Variant
    • Lab: Insecure Direct Object Reference – Mass Assignment Variant
    • Labs: Preventing Insecure Direct Object Reference
    • Labs: Implementing Bulletproof Access Control Systems
  • Flaws in Session Fixation and Defense
  • Implementing AuthZ for a Web App with Casbin
  • Insecure Direct Object Reference with Ajax
  • Insecure Direct Object Reference - Mass Assignment