Free OWASP Top 10 CBT

Language agnostic. Complete at your own pace.
Real exploit concepts around web application threats, vulnerabilities & strategies to mitigate them.

2 Day Training

Intermediate Level

PHP Developers

Instructor Led
CBT / Remote
Training Available

Course Overview

Students will gain valuable insight into developing secure PHP5 applications.

The course will show students the latest web-based threats and how to defend against them. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and build safer web applications from the start.

Students completing this class will find their secure coding abilities materially sharpened and will be able to integrate these techniques into their organizations.

Learning Objectives

  • Describe the vulnerabilities and exploits facing modern web applications.
  • Understand how insecure coding techniques can result in vulnerabilities in PHP applications.
  • Implement defensive coding methods in PHP using secure code, tools and libraries that support secure coding for PHP.

Day 1 Outline

Introduction

  • OWASP Top 10
  • Defending PHP5

1. SQL Injection

  • About SQL Injection
  • Real-time example
  • Newsflash
  • Parameterized Queries

2. Cross-site Scripting

  • About XSS
  • Blacklist validation
  • Whitelist validation
  • Safe re-encoding
  • Safe vs unsafe
  • HttpOnly

3. Session Hijacking

  • About Session Hijacking
  • Stealing credentials
  • Encryption
  • Short session timeouts

4. Parameter Manipulation

  • About Parameter Manipulation
  • Server-side validation
  • Session variables

5. Insecure Storage

  • About Insecure Storage
  • Sensitivity of information
  • Threat modeling
  • Hashing passwords

6. Forcible Browsing

  • About Forcible Browsing
  • Page Level authorization
  • Programmed authorization

7. Cross-site Request Forgery

  • About XSRF
  • Meg goes shopping
  • Decreasing timeouts
  • XSRF tokens
  • Re-authentication

8. Insecure Configuration

  • About insecure configuration
  • Users, Software
  • Hardening
  • Standardized builds
  • Patch management
  • Updates and audits

9. Unchecked Redirects

  • About unchecked redirects
  • Newsflash
  • Validating parameters
  • Server-side checks

10. Clear-Text Communication

  • About clear-text communication
  • Eavesdropping
  • Newsflash
  • Encryption in transit
  • Proper SSL implementations

Day 2 Outline

11. SQL Injection Defenses

  • Common pitfalls in PHP
  • Parameterized Queries in PHP
  • MySQL
  • PHP Data Objects

12. XSS Defenses

  • Common pitfalls in PHP
  • Whitelisting
  • Output re-encoding in PHP
  • HttpOnly in PHP

13. Session Hijacking Defenses

  • Common pitfalls in PHP
  • SSL Encryption
  • Shorter session timeouts

14. Parameter Manipulation Defenses

  • Common pitfalls in PHP
  • Security Logic
  • Regular Expressions
  • Centralized Validation

15. Insecure Storage Defenses

  • Common pitfalls in PHP
  • MCrypt Library
  • Hashing
  • Storing Passwords with Bcrypt

16. Forcible Browsing Defenses

  • Common pitfalls in PHP
  • Access Controls
  • Programmed Authorization

17. XSRF Defenses

  • Common pitfalls in PHP
  • Best Practices
  • XSRF tokens

18. Insecure Configuration Defenses

  • Common pitfalls in PHP
  • Register globals
  • Error reporting and trace
  • Logging
  • Safe mode
  • Magic quotes
  • Session management

19. Unchecked Redirects

  • Common pitfalls in PHP
  • PHP Header Redirects
  • Indirect Object Mapping in PHP

20. Clear-Text Communication

  • Common pitfalls in PHP
  • Enabling encryption
  • Enforcing strong ciphers

Download Datasheet

Security Compass training courses are offered using a variety of delivery methods. Download the data sheet to learn more.

Public Classes

Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.