Free OWASP Top 10 CBT

Language agnostic. Complete at your own pace.
Real exploit concepts around web application threats, vulnerabilities & strategies to mitigate them.

1 Day Training

1 Day Training

Beginner Level

Beginner Level

All Staff

All Staff

Instructor Led<br />CBT / Remote<br /> Training Available

Instructor Led
CBT / Remote
Training Available

Course Overview

Students will gain valuable insight in to threats that are part of the OWASP Top 10 2010.

This is a language agnostic course that dives into the concepts around web application threats, vulnerabilities and strategies to mitigate them. The course dives into each of the Top 10 items, providing easy to understand conceptual ideas, newsflashes demonstrating how these vulnerabilities have resulted in real exploits against organizations and recommendations to defending them.

Learning Objectives

  • Express the vulnerabilities and exploits facing modern web applications.
  • Learn about the OWASP Top 10 2010 covering all aspects including the vulnerability, why it happens, exploits and defenses.
  • See how real organizations have been affected by these exploits.

Course Outline


  • OWASP Top 10

1. SQL Injection

  • About SQL Injection
  • Realtime example
  • Newsflash
  • Parameterized Queries

2. Cross-site Scripting

  • About XSS
  • Blacklist validation
  • Whitelist validation
  • Safe re-encoding
  • Safe vs unsafe
  • HTTPonly

3. Session Hijacking

  • About Session Hijacking
  • Stealing credentials
  • Encryption
  • Short session timeouts

4. Parameter Manipulation

  • About Parameter Manipulation
  • Server-side validation
  • Session variables

5. Insecure Storage

  • About Insecure Storage
  • Sensitivity of information
  • Threat modeling
  • Hashing passwords

6. Forcible Browsing

  • About Forcible Browsing
  • Page Level authorization
  • Programmed authorization

7. Cross-site Request Forgery

  • About XSRF
  • Meg goes shopping
  • Decreasing timeouts
  • XSRF tokens
  • Re-authentication

8. Insecure Configuration

  • About insecure configuration
  • Users, Software
  • Hardening
  • Standardized builds
  • Patch management
  • Updates and audits

9. Unchecked Redirects

  • About unchecked redirects
  • Newsflash
  • Validating parameters
  • Server-side checks

10. Clear-Text communication

  • About clear-text communication
  • Eavesdropping
  • Newsflash
  • Encryption in transit
  • Proper SSL implementations

Download Datasheet

Download Datasheet

Security Compass training courses are offered using a variety of delivery methods. Download the data sheet to learn more.

Public Classes

Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.