PHP application security
Description, threats, and defense against web attacks:
Using specialized search engines like Shodan, or Certificate Transparency logs.
Why are PHP error messages appealing to the attacker and what do they learn from them?
Attacks against visitors and their browsers: the different XSS types (stored, reflected, DOM-based), defending on the server and in the browser, XSS Auditor, BeEF demo.
An additional defense layer against XSS and more, based on lists of allowed resources.
About “dumping” data and changing it in tables that are not accessible by default. Details about blind SQL injection and time-based blind SQL injection, and the difference between prepared statements and variable binding. Testing the vulnerability on a demo site, sqlmap demo.
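The prepared-statement point from the SQL injection topic, as an added example that is not part of the course materials. It assumes PDO with MySQL, a users table with id, email and role columns, and credentials taken from environment variables; all of these are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Assumes PDO with MySQL and a
// `users` table (id, email, role); DSN, credentials and table are assumptions.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        getenv('DB_USER') ?: 'app',
        getenv('DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Emulation off: PDO sends the SQL text and the bound values to the
            // server separately, which is what "prepared statement" means on
            // the wire. Emulation on: PDO escapes the values and splices them
            // into the SQL text on the client. Both bind variables; only the
            // first is a real server-side prepared statement.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// VULNERABLE: the user-controlled value is part of the SQL text, so quotes in
// it change the query. $email = "x' OR '1'='1" matches every row, and
// "x' UNION SELECT ..." reads data from tables the form never meant to expose.
function findUserVulnerable(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email, role FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the value travels as a parameter and can only ever be compared as data.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Binding only covers values. Identifiers and keywords (a sort column, ASC/DESC)
// cannot be bound, so they are checked against an allow-list before being
// interpolated. The LIMIT value is bound with an explicit integer type; a
// string-typed parameter there is a syntax error on MySQL.
function listUsers(PDO $pdo, string $orderBy, string $direction, int $limit): array
{
    $allowedColumns = ['id', 'email'];
    $allowedDirections = ['ASC', 'DESC'];
    if (!in_array($orderBy, $allowedColumns, true)
        || !in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('Unsupported sort order');
    }
    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY {$orderBy} {$direction} LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The allow-list in listUsers is the part people forget: binding protects values, and a sort column or direction taken from the query string is not a value.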
How to upload user files, where to store them, and how to name them. Running external programs (for example image resizing) “in the cloud”, and the danger lurking in deserializing user input.
An attacker can force a user to perform an action without their knowledge, or lure them into clicking a page element they would not normally click. What is that good for, and how to defend against it?
Whoever is in possession of the session id is the master, so we have to protect the id. About HTTP-only cookies, session id regeneration, and also about multiple sessions per user.
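The cookie flags, id regeneration and per-user session tracking from the session topic, as an added example that is not part of the course materials. It assumes PHP 7.3 or newer (array form of session_set_cookie_params), the default file session handler, and a hypothetical user_sessions table (user_id, session_hash, created_at) reached through an existing PDO connection.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Assumes PHP 7.3+ (array form
// of session_set_cookie_params), the default file session handler, and a
// hypothetical `user_sessions` table (user_id, session_hash, created_at)
// reached through an existing PDO connection.

function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path' => '/',
        'domain' => '',
        'secure' => true,       // never sent over plaintext HTTP
        'httponly' => true,     // invisible to document.cookie, so XSS cannot copy the id out
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
    // Accept the id only from the cookie, and only ids the server itself issued
    // (strict mode rejects an unknown id instead of adopting it as a new session).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// After a successful login: issue a fresh id so that an id the attacker
// planted or observed before authentication (session fixation) stops working.
function loginUser(PDO $pdo, int $userId): void
{
    session_regenerate_id(true);   // true: discard the old session data too
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
    // Remember this session for the user, as a hash: a leaked table must not
    // hand out usable session ids.
    $stmt = $pdo->prepare(
        'INSERT INTO user_sessions (user_id, session_hash, created_at) VALUES (:uid, :hash, :now)'
    );
    $stmt->execute([
        ':uid' => $userId,
        ':hash' => hash('sha256', session_id()),
        ':now' => time(),
    ]);
}

// Called on every authenticated request: a session removed from the table
// (password change, "log out everywhere") is rejected even though its file
// still exists on the server.
function sessionIsStillListed(PDO $pdo): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT 1 FROM user_sessions WHERE user_id = :uid AND session_hash = :hash'
    );
    $stmt->execute([':uid' => $_SESSION['user_id'], ':hash' => hash('sha256', session_id())]);
    return $stmt->fetchColumn() !== false;
}

// Invalidate every other session of the user, keeping the current one.
function logoutOtherSessions(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare(
        'DELETE FROM user_sessions WHERE user_id = :uid AND session_hash <> :hash'
    );
    $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', session_id())]);
}

function logoutUser(PDO $pdo): void
{
    if (isset($_SESSION['user_id'])) {
        $stmt = $pdo->prepare('DELETE FROM user_sessions WHERE session_hash = :hash');
        $stmt->execute([':hash' => hash('sha256', session_id())]);
    }
    $_SESSION = [];
    // Expire the cookie in the browser, not only the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600,
        'path' => $p['path'],
        'domain' => $p['domain'],
        'secure' => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

HttpOnly does not stop an XSS payload from acting as the user while the page is open; it only stops the payload from carrying the id somewhere else, which is why regeneration and server-side revocation are listed next to it.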
Configuration files or source code can be obtained from the server by parsing XML files with custom entities. We'll see how and how to stop it.
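The custom-entity attack from the XML topic beside a parser that refuses it, as an added example that is not part of the course materials. It assumes PHP 8 with libxml 2.9 or newer, where external entities are not loaded unless the parser is explicitly told to substitute entities; the XML payload is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Assumes PHP 8 with libxml
// 2.9+, where external entities are not loaded unless the parser is asked to
// substitute entities. The XML below is constructed for the demonstration.

// A custom entity whose value is a local file. If the parser substitutes
// entities, <name> ends up holding the file's contents, which then leak
// through whatever the application does with the name (an error message, an
// order confirmation email, a stored record).
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY cfg SYSTEM "file:///etc/hostname">
]>
<order><name>&cfg;</name></order>
XML;

// VULNERABLE: LIBXML_NOENT tells libxml to substitute entities, and that is
// the switch that turns the SYSTEM entity above into a file read.
function orderNameVulnerable(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    return $doc->getElementsByTagName('name')->item(0)->textContent;
}

// SAFE: no entity substitution, no network access, and no DOCTYPE at all.
// Rejecting the DOCTYPE up front also stops "billion laughs" style internal
// entity expansion, which needs no external loading to hurt.
function orderName(string $xml): string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('Documents with a DTD are not accepted');
    }
    $previous = libxml_use_internal_errors(true);   // collect errors, do not print them
    try {
        $doc = new DOMDocument();
        $doc->resolveExternals = false;
        $doc->substituteEntities = false;
        // LIBXML_NONET: never fetch anything over the network while parsing.
        // LIBXML_NOENT is deliberately absent.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        if ($doc->doctype !== null) {   // second line of defense behind the string check
            throw new InvalidArgumentException('Documents with a DTD are not accepted');
        }
        $name = $doc->getElementsByTagName('name')->item(0);
        if ($name === null) {
            throw new InvalidArgumentException('Missing <name>');
        }
        return $name->textContent;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}
```

orderName(UNTRUSTED_XML) throws before libxml ever sees the SYSTEM entity; a plain document without a DOCTYPE parses normally. Grep the code base for LIBXML_NOENT and for libxml_disable_entity_loader(false): those are the two places where a previously safe parser gets switched back on.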
Where randomness comes from, and why rand() shouldn't be used for generating tokens, encryption keys, etc.
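The point about rand() from the randomness topic, together with the token check from the CSRF topic above (a CSRF token is exactly the kind of secret that must not come from rand()), as one added example that is not part of the course materials. It assumes an already started PHP session.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Covers both the randomness
// topic and the CSRF token from the "force a user to perform an action" topic.
// Assumes session_start() has already been called.

// rand() (an alias of mt_rand() since PHP 7.1) is a deterministic generator:
// the same seed gives the same sequence, and the seed is only 32 bits wide, so
// it can be brute-forced from a few observed outputs. Two seeded runs show the
// determinism directly.
function weakTokenIsReproducible(): bool
{
    mt_srand(20240101);
    $first = mt_rand();
    mt_srand(20240101);
    $second = mt_rand();
    return $first === $second;   // true: whoever learns the seed learns the "random" value
}

// Tokens, keys, nonces and password-reset codes come from the CSPRNG instead.
// 32 bytes = 256 bits of entropy; hex doubles the length for safe transport.
function newCsrfToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// random_int() for a bounded integer (a one-time code, a shuffle index),
// never rand() or mt_rand(). Both bounds are inclusive.
function newOneTimeCode(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Compare with hash_equals(): a plain === stops at the first differing byte and
// so leaks, through timing, how many leading characters matched.
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}
```

Put the token from newCsrfToken() into a hidden form field and call csrfTokenIsValid($_POST['csrf_token'] ?? null) before handling any state-changing request; a request from another origin cannot read the token out of your page, so it cannot supply it.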
How passwords are cracked, what a “salt” is, why to use algorithms like bcrypt or Argon2i, and why not MD5 or SHA-1 (or SHA-2, SHA-3). How to change the hashing algorithm without resetting passwords for all users?
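The algorithm-change question from the password topic, as an added example that is not part of the course materials. It assumes a users table with columns password_hash and password_legacy_md5 (a hypothetical flag meaning the bcrypt hash wraps an old unsalted MD5 hex digest rather than the password itself) and a PDO connection. It uses bcrypt via PASSWORD_DEFAULT; PASSWORD_ARGON2ID works the same way where PHP is built with libargon2.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Assumes a `users` table with
// password_hash and a hypothetical password_legacy_md5 flag, and a PDO
// connection. HASH_ALGO / HASH_OPTIONS are this example's own constants.

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];   // raise over time as hardware gets faster

// Step 1, run once as a migration: every stored MD5 digest is wrapped in
// bcrypt immediately, so no unsalted MD5 stays in the table waiting for users
// who may never log in again. The user's password is not needed for this.
function wrapLegacyMd5Hashes(PDO $pdo): int
{
    $rows = $pdo->query(
        'SELECT id, password_hash FROM users WHERE password_legacy_md5 = 0 AND LENGTH(password_hash) = 32'
    )->fetchAll(PDO::FETCH_ASSOC);
    $update = $pdo->prepare(
        'UPDATE users SET password_hash = :hash, password_legacy_md5 = 1 WHERE id = :id'
    );
    foreach ($rows as $row) {
        $update->execute([
            ':hash' => password_hash($row['password_hash'], HASH_ALGO, HASH_OPTIONS),
            ':id' => $row['id'],
        ]);
    }
    return count($rows);
}

// Step 2, on every login: verify against whichever scheme the row uses, then
// move the row to the current scheme while the plaintext password is in hand.
function verifyAndUpgrade(PDO $pdo, int $userId, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash, password_legacy_md5 FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    $wrapped = (bool) $row['password_legacy_md5'];
    // A wrapped row holds bcrypt(md5hex(password)), so feed md5hex(password) to verify.
    $candidate = $wrapped ? md5($password) : $password;
    if (!password_verify($candidate, $row['password_hash'])) {
        return false;
    }

    // Re-hash if the row still wraps MD5, or if the algorithm or cost has since
    // changed (password_needs_rehash compares the stored hash's parameters with
    // the current ones). Existing users are migrated transparently, one login
    // at a time, and nobody gets a "please reset your password" email.
    if ($wrapped || password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $update = $pdo->prepare(
            'UPDATE users SET password_hash = :hash, password_legacy_md5 = 0 WHERE id = :id'
        );
        $update->execute([
            ':hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS),
            ':id' => $userId,
        ]);
    }
    return true;
}
```

Raising the cost later needs no migration at all: change HASH_OPTIONS and password_needs_rehash() picks up the difference on each user's next login.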
What's Authenticated Encryption (AE) and how to encrypt data?
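Authenticated encryption with the sodium extension (bundled with PHP since 7.2), as an added example that is not part of the course materials. The key is assumed to come from a secret store or environment variable, and the sample message is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Uses ext/sodium. The key is
// assumed to be loaded from a secret store; the sample message is constructed.

// XSalsa20-Poly1305 via secretbox: confidentiality plus an authentication tag,
// so any modification of the ciphertext is detected before decryption returns
// anything. Unauthenticated AES-CBC on its own does not give you that.
function encryptForStorage(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('Key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    // A fresh random nonce per message; it is not secret, so it is stored in
    // front of the ciphertext. Reusing a nonce with the same key breaks the
    // scheme, hence random_bytes rather than a counter kept in PHP.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

function decryptFromStorage(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false
        || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // Wrong key, or the ciphertext/nonce was altered: the tag did not verify.
        throw new RuntimeException('Decryption failed: data was tampered with or the key is wrong');
    }
    return $plaintext;
}

// Flipping one byte of the stored value must be rejected, not decrypted to garbage.
function tamperingIsDetected(string $key): bool
{
    $stored = encryptForStorage('card token 4242', $key);
    $raw = base64_decode($stored, true);
    $pos = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + 3;   // inside the ciphertext body
    $raw[$pos] = chr(ord($raw[$pos]) ^ 0x01);
    try {
        decryptFromStorage(base64_encode($raw), $key);
        return false;
    } catch (RuntimeException $e) {
        return true;
    }
}

$key = sodium_crypto_secretbox_keygen();   // 32 random bytes; in production, load it from your secret store
$stored = encryptForStorage('hello', $key);
assert(decryptFromStorage($stored, $key) === 'hello');
assert(tamperingIsDetected($key));
sodium_memzero($key);
```

The stored value carries nonce and ciphertext together, so rotating to a new key means decrypting with the old one and re-encrypting, not re-using the old nonce.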
Server configuration, testing tools, enforcing HTTPS with HTTP Strict Transport Security (HSTS). Connection security is an extensive topic which I cover in more detail in my HTTPS training (next date: not scheduled yet), where you'll learn more about certificates and certification authorities, key exchange, Certificate Transparency, CAA and other technologies and settings used to secure data in transit.
How to get other customers' invoices, and how to protect your application against Insecure Direct Object Reference attacks.
Adding arbitrary headers to send messages to attacker-supplied recipients, with custom message bodies.
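The header-injection topic above as a vulnerable contact form beside a hardened one, an added example that is not part of the course materials. It assumes a form that posts email, subject and message fields; the spam payload in the comment is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the course materials. Assumes a contact form that
// posts `email`, `subject` and `message`; addresses and payload are made up.

// VULNERABLE: the visitor's address goes straight into the header block.
// A submitted "email" of
//   "alice@example.com\r\nBcc: victim1@example.org, victim2@example.org"
// adds a Bcc header, and "\r\n\r\n" followed by text starts a new body,
// turning the contact form into a spam relay with the site's sender
// reputation. The same applies to the subject, which is also a header.
function sendContactMailVulnerable(string $email, string $subject, string $message): bool
{
    return mail('support@example.com', $subject, $message, "From: {$email}\r\nReply-To: {$email}");
}

// Headers are single lines: a value containing CR or LF is not a header
// value, full stop. Validate the address as an address, never let the visitor
// choose the recipient, and send from a fixed address (the visitor's address
// goes into Reply-To and the body).
function headerValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Header values must not contain line breaks');
    }
    return $value;
}

function sendContactMail(string $email, string $subject, string $message): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // Subject still needs the line check; a non-ASCII subject would additionally
    // need RFC 2047 encoding, which is left out here.
    $subject = headerValue(mb_substr($subject, 0, 200));
    $headers = [
        'From: Contact form <noreply@example.com>',
        'Reply-To: ' . headerValue($email),
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "From: {$email}\r\n\r\n" . $message;   // the body may contain anything
    return mail('support@example.com', $subject, $body, implode("\r\n", $headers));
}
```

The recipient is a constant on purpose: a form that takes the recipient from a hidden field does not need header injection at all to become an open relay.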
Server and PHP configuration best practices.
Some HTTP headers may help you protect your application better, or at least make a successful attack less damaging. We'll see which headers, and how to test your site using Security Headers and Mozilla Observatory.
Michal Špaček
Just basic knowledge of HTML, JavaScript, PHP and SQL. The training is also suitable for developers working in other languages (e.g. Java or Python), as most of the principles and attacks are the same.
The training is designed for both senior and junior web application developers looking to gain a competitive advantage.
The training takes 2 days, 8 hours a day including breaks, though it may sometimes run up to an hour longer.
If you're willing to skip some topics, it's also possible to shorten the training to just one day.
Unlimited, but with more than 12 people we'll have less time for questions.
50 000 Kč without VAT, 60 500 Kč incl. VAT
Base price of the 1-day shorter training is 25 000 Kč without VAT, 30 250 Kč including VAT.
On-site participants will receive a certificate and printed materials that I'll also email after completing the training together with the code examples used for the class. Remote participants will get a presentation they can print upfront and also a PDF certificate after completing the training. We'll dedicate enough time for questions.
Jan Pospíšil, Senior PHP developer, Český rozhlas
I originally arranged Michal's training primarily for my colleagues, because I, of course, “already know everything in the syllabus”… Michal set me straight in the very first hour of the first day, and then gradually over the whole two days. Only thanks to this training did I understand some attack/defense concepts in their full breadth, depth and, above all, in the right context.
I especially appreciate the many practical examples, demos and, above all, tips. Some of them I applied to our websites while the training was still in progress. I definitely recommend the training to every company (and individual) that is serious about developing and running websites.
Martin Ambrož, AVAST Software a.s.
Michal Špaček's PHP application security training exceeded my expectations. I have been developing web applications professionally for 13 years, yet I have to say there is still something new to learn. It is clear that Mr. Špaček has a broad overview of security and that it is also his hobby. Besides the clearly organized training materials, I also welcomed the many practical demos and enough room for questions right while each topic was being discussed.
Pavel Kutáč, Moravio s.r.o.
The training exceeded my expectations, even though I too am somewhat interested in security, I follow Michal on the web and on social networks, and I already knew some of the techniques covered. But nothing replaces meeting in person and discussing the topic, which is where you learn the most. I can definitely recommend it, because there is always more to discover!
Find more reviews on the public training reviews page.
To order an in-house training, just pick a date and drop me an e-mail to sort out other details.