Learning Path: Application Security Essentials

Attacking and Defending Authentication & Access Control

Web application security, among other things, deals with user authentication and controlling a user’s access to private information. From session management to direct object references, this course takes the perspectives of both the attacker and the defender in understanding web app security.

With the help of hands-on labs, we’ll explore how to attack and defend web app sessions and session management. We’ll also talk in detail about best practices for handling and resetting passwords. In our final module, you’ll primarily use hands-on labs to learn about various aspects of Insecure Direct Object Reference, including how to implement robust access control systems.

Our learning material is backed by years of security testing experience, knowledge, and original research across our entire security team. This course uses practical learning with labs and exercises extensively, with the aim of getting you as comfortable as possible with the moving parts of web application authentication and authorization.

Proficiency: Beginner
Audience: Application Security
Course Duration: 4 hours
18 lessons
4 Cloud Labs

Course Outline

  • Course Introduction
  • Course Pre-requisites
  • Web Sessions – Introduction and Overview
  • Session Fixation Flaws and Defense
  • Authorization Intro
  • Insecure Direct Object Reference – Primary Key Variant
  • Insecure Direct Object Reference – Mass Assignment Variant