Video Description

This lesson offers a solution to the lab of Web Goat: Insecure Configuration forced browsing. The goal was to guess to URL for the user interface and this shows participants how to make the config page appear via transversal and using a variety of commands to discover how to find the administrative interface without force.

Course Modules

Secure Coding

Introduction

06:48
Part 1 Intro
05:28
Part 2 Lab Setup
13:14
Part 3 BurpSuite
03:17
Part 4 Mutillidae

Module 01 OWASP Top 10 A1 Injection

01:27
Part 1 Intro
12:08
Part 2 Explanations
03:24
Part 3 SQL Injection Demo
02:37
Part 4 Command Injection Demo
06:58
Part 5 JSON Injection Demo
06:30
Part 6 Defenses
02:43
Part 7 Lab Solution

Module 02 OWASP Top 10 A2 Broken Authentication and Session Management

01:13
Part 1 Intro
14:13
Part 2 Explanations
03:58
Part 3 CookieManipulation Demo
11:41
Part 4 Username Enum Demo
06:00
Part 5 BruteForce Demo
05:35
Part 6 Defenses
02:15
Part 7 Lab Solution 1
02:54
Part 8 Lab Solutions 2
03:03
Part 9 Lab Solutions 3

Module 03 OWASP Top 10 A3 Cross-site Scripting

01:14
Part 1 Intro
10:27
Part 2 Explanations
05:23
Part 3 Reflected XSS HTML context Demo
10:44
Part 4 Reflected XSS JS context Demo
06:34
Part 5 Stored Demo
13:57
Part 6 Defenses
04:44
Part 7 Lab Solutions 1
02:57
Part 8 Lab Solutions 2

Module 04 OWASP Top 10 A4 Insecure Direct Object Reference

01:12
Part 1 Intro
12:37
Part 2 Explanations
07:28
Part 3 IDOR files tokens Demo
04:23
Part 4 IDO urls tokens Demo
07:44
Part 5 Defenses
02:44
Part 6 Lab Solutions

Module 05 OWASP Top 10 A5 Security Misconfiguration

01:23
Part 1 Intro
08:40
Part 2 Explanations
05:05
Part 3 Dir Demo
05:32
Part 4 XXE Demo
07:54
Part 5 User Agent Demo
08:58
Part 6 Defenses
01:55
Part 7 Lab Solutions

Module 06 OWASP Top 10 A6 Sensitive Data Exposure

01:29
Part 1 Intro
10:02
Part 2 Explanations
02:45
Part 3 Comments Demo
05:18
Part 4 HiddenPages Demo
08:41
Part 5 HTMLS Web Storage Demo
11:42
Part 6 Defenses

Module 07 OWASP Top 10 A7 Missing Function Level Access Control

01:08
Part 1 Intro
13:30
Part 2 Explanations
03:32
Part 3 Role Demo
06:46
Part 4 Defenses
05:31
Part 5 Missing FL AC Lab

Module 08 OWASP Top 10 A8 Cross-site Request Forgery

01:05
Part 1 Intro
07:28
Part 2 Explanations
07:35
Part 3 CSRF JS Demo
06:45
Part 4 Entropy Demo
07:05
Part 5 CSRF Defenses
05:25
Part 6 CSRF Lab Solution

Module 09 OWASP Top 10 A9 Using Components with Known Vulns

01:09
Part 1 Intro
05:40
Part 2 Explanations
04:51
Part 3 Libraries & CVSS Demo
04:31
Part 4 Defenses
04:28
Part 5 WebGoat Library CVSS Lab

Module 10 OWASP Top 10 A10 Unvalidated Redirects and Forwards

00:59
Part 1 Intro
04:06
Part 2 Explanations
05:25
Part 3 Unvalidated URLs Demo
04:29
Part 4 Defenses
04:00
Part 5 JS redirect Lab

Module 11 CWE SANS Top 25 Buffer Overflows

01:06
Part 1 Intro
11:43
Part 2 Explanations
09:49
Part 3 Classic BufferOverflow Demo
04:46
Part 4 Defenses
05:19
Part 5 WebGoat BO OffByOne Lab

Module 12 CWE SANS Top 25 Insecure Interaction Between Components

01:09
Part 1 Intro
08:55
Part 2 Explanations
03:51
Part 3 FileUpload Demo
07:22
Part 4 Defenses
04:56
Part 5 WebGoat FileUpload Lab

Module 13 CWE SANS Top 25 Risky Resource Management

01:16
Part 1 Intro
06:54
Part 2 Explanations
02:50
Part 3 Risky Resource Mgmt Demo
11:59
Part 4 Defenses
04:22
Part 5 Lab Defenses

Module 14 CWE SANS Top 25 Porous Defenses

01:06
Part 1 Intro
11:45
Part 2 Explanations
02:19
Part 3 JS Validation Bypass Demo
06:02
Part 4 Defenses
06:57
Part 5 HTTP Response Splitting Lab

Module 15 Honorable Mentions

00:57
Part 1 Intro
12:58
Part 2 Explanations
03:54
Part 3 Lab

Module 16 Active Defenses

01:00
Part 1 Intro
08:16
Part 2 Explanations

Module 17 Threat Modeling

01:23
Part 1 Intro
25:50
Part 2 Explanations
10:20
Part 3 Card Game Demo

Instructed By

Instructor Profile Image
Sunny Wear
Instructor