CSX Immersion: The OWASP Top 10
Grapple with the OWASP to 10 in live environments!
Difficulty: Multilevel CSF Domain: All domains
CSX Immersion: The OWASP Top 10
The “OWASP Top 10*” list has informed information security professionals for many years about cybersecurity and information security vulnerabilities. ISACA has created a course package that allows you to train and sharpen your skills to make sure you have the proper skills and some hands-on experience to identify and mitigate these specific challenges.Within the state-of-the-art Cybersecurity Nexus (CSX) training platform, this course will help you:
- Understand how each of these vulnerabilities puts an organization at risk.
- Identify if your organization is facing a threat event.
- Mitigate risk before—and minimize impact if—a threat event takes place.
- Practice in an immersive live network environment with real vulnerabilities as each lab goes over the intricacies of each vulnerability.
- Six-month access to train and test on your schedule, 24/7.
* The Open Web Application Security Project (OWASP) is a global organization that is dedicated to driving visibility and evolution in the safety and security of the world’s software. ISACA does not claim affiliation with OWASP in the creation of course content.
This course includes:
Ten lessons with labs that focus on each of the OWASP Top 10 Critical Web Application Security Risks, plus two bonus “Challenge” labs to give you the tools you need to be successful.
Lesson and Lab Injection
Lesson objectives:
- Understand how systems are vulnerable to injection attacks
- Know the different types of injection attacks
- Understand how to protect from injection attacks
- Identify an injection vulnerability present on a simulated organization’s system of responsibility.
Lesson and Lab Broken Authentication
Lesson objectives:
- Understand what constitutes a broken authentication
- Know how to identify if an application is vulnerable to broken authentication
- Understand how to mitigate and prevent broken authentications
- Identify a broken authentication capability within an organizational application. Once identified, take action to exploit the vulnerability.
Lesson and Lab Sensitive Data Exposure
Lesson objectives:
- Know how to identify sensitive data
- Determine if the information should be exposed or protected
- Understand how to appropriately protect sensitive data
- Enter an environment wherein key organizational data is incorrectly protected. Identify the exposed sensitive data and take steps to protect it from potential misuse
Lesson and Lab XML External Entities (XXE)
Lesson objectives:
- Understand how threat agents exploit vulnerable XML processors
- Know how to identify if an application is vulnerable to XXE
- Understand how to prevent potential XXE exploitations
- Identify a potential XXE exploitation on a network of responsibility and test the exploit on the vulnerable XML processors.
Lesson and LabBroken Access Control
Lesson objectives:
- Understand the elements which make broken access control exploitable
- Know how to identify potential access control bypasses
- Understand how to harden access control mechanisms for an organization
- Identify potential broken access mechanisms within the environment, leveraging them to gain access to a system, and then harden the system from additional implementation of the access control.
Lesson and LabSecurity Misconfiguration
Lesson objectives:
- Understand the dangers presented with misconfigured systems and networks
- Understand examples of misconfigurations which can make a system vulnerable to exploitation
- Know how to reconfigure certain system applications to increase security
- Identify specific misconfigured applications within a live environment which, when exploited, will give attackers greater influence over a network.
Lesson and LabCross-Site Scripting (XSS)
Lesson objectives:
- Understand the different forms of XSS
- Understand how XSS can exploit a user system
- Know how to prevent XSS
- Identify a poorly configured site which performs XSS attacks against user browsers, then implement mechanisms to prevent XSS on an application under their purview.
Lesson and LabInsecure Deserialization
Lesson objectives:
- Understand the two primary types of deserialization attacks
- Understand which types of applications leverage serialization
- Learn how to prevent deserialization attacks
- Identify applications with potential insecure deserialization vulnerabilities. Take action to test the vulnerability to see if the environment is susceptible.
Lesson and LabUsing Components with Known Vulnerabilities
Lesson objectives:
- Understand characteristics which indication potentially vulnerable applications
- Know the importance of testing for vulnerabilities
- Understand how to prevent potential compromise through implementing proven applications
- Identify applications which are potentially vulnerable to exploitation, take action to address the vulnerabilities and harden the system.
Lesson and LabInssufficient Logging and Monitoring
Lesson objectives:
- Understand the importance of log monitoring
- Understand how inattentive administrators miss attacks
- Know how to prevent poor logging mechanisms within an infrastructure
- Identify a misconfigured event logger and identify key events which required should have been escalated. Reconfigure the logger to ensure appropriate notification and logging occurs.
Challenge LabInjection Challenge
CHALLENGE LAB
- As a web app penetration tester, it will be your responsibility to apply learned skills and techniques in order to complete an injection-based web app security challenge.
Challenge LabAuthentication & Security Misconfiguration Challenge
CHALLENGE LAB
- Using knowledge from the Broken Authentication (#2) and Security Misconfigurations (#6) labs, complete this final challenge lab!