Are You Vulnerable to Common Web Attacks?

  • Do you have any idea how many of the files you send to a user are modified in transit?
  • When a user logs in, do you know whether they are being impersonated by an attacker?
  • Are you performing access control checks in the right places, with the right data?
  • Are you fully aware of the devastating effects of XSS, regardless of whether it is stored or reflected?

Learn how to minimise your exposure by protecting 4 key areas of your web applications

Register now, and get two YubiKey authentication keys for free!

Web Security Essentials

April 24 - 25, Leuven (Belgium)

Day 1

Registration and welcome coffee
The modern web security landscape
Coffee breaks
End of day 1

Day 2

Welcome coffee
Fitting security into an application architecture
Coffee breaks
End of day 2

Registration now includes two free YubiKey USB authentication keys!

Major sites like GitHub, Facebook and Google already support FIDO U2F. Thanks to a sponsorship deal with Yubico, you will get hands-on experience with these hardware keys in this course. And the best part? You get to take them home afterwards!

I would recommend the Web Security Essentials training to all web developers and architects: the balance between the slide sessions and the practical labs made the course a joyful full-immersion in the security field.

Nicola Di Giorgio, Software Architect/CEO, PREGIOTEK sprl

Key Area 1

Keep your business private by securing the communication channel

In the modern web, end users have gone mostly wireless, which is wonderful for usability, but quite worrisome for security. Compared to the wired days, both passive and active network attacks have become easy to execute, and difficult to detect. In essence, without a full HTTPS deployment, the communication channel can no longer be considered private, and can no longer be trusted.

How much sensitive information is up for grabs to an eavesdropper?

Is there an attacker sitting in the middle, with the ability to carry out a dangerous SSL Stripping attack?

Today, simply deploying HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel. In this session, you will learn:

  • why a partial HTTPS deployment can easily be undermined by easy-to-execute network attacks
  • how to leverage the latest security technologies, like HSTS, to prevent attacks such as SSL Stripping
  • how to deal with mixed content, the number one issue when switching from HTTP to HTTPS
  • best practices for deploying HTTPS correctly, and verifying your deployment with automated tests
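The two checks below are an added example, not code from the course page or its lab material: an offline test of the kind the last bullet refers to, which evaluates a Strict-Transport-Security header (is the policy strong enough to stop an SSL Stripping attacker from keeping a returning user on plain HTTP?) and scans a page for plain-http subresources, the mixed content the session warns about. The response headers and HTML are constructed sample data, and the one-year threshold is the value the HSTS preload list expects.

```python
"""Added example, not taken from the course page or its lab material: an offline
check for two of the points above, namely whether an HSTS policy is strong
enough to blunt SSL stripping and whether an HTTPS page still pulls in plain-http
subresources (mixed content). Headers and HTML below are constructed samples."""
import re
from urllib.parse import urlparse

ONE_YEAR = 365 * 24 * 3600  # the max-age the HSTS preload list requires


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return findings for the HSTS header in a (case-insensitive) header dict."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the browser will still "
                "accept plain http for this host, so SSL stripping works"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif max_age < ONE_YEAR:
        findings.append("max-age=%d is shorter than one year" % max_age)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be stripped")
    return findings


# Only subresources count as mixed content; a plain <a href="http://..."> is a
# navigation, not a resource load, so it is deliberately not matched here.
SRC_RE = re.compile(r"""\bsrc\s*=\s*["'](http://[^"'\s]+)""", re.I)
LINK_RE = re.compile(r"""<link\b[^>]*\bhref\s*=\s*["'](http://[^"'\s]+)""", re.I)


def find_mixed_content(html, page_url):
    """Return http:// subresource URLs referenced from an https:// page."""
    if urlparse(page_url).scheme != "https":
        return []  # not an HTTPS page, so nothing is 'mixed'
    return LINK_RE.findall(html) + SRC_RE.findall(html)


# Constructed sample data standing in for a real server's response.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300",
                  "Content-Type": "text/html"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://partner.example.org/">partner site</a>
</body></html>"""

if __name__ == "__main__":
    for f in check_hsts(SAMPLE_HEADERS):
        print("HSTS:", f)
    for url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print("mixed content:", url)
```

Run against a real deployment, the header dict would come from the response to a request for the site's root over HTTPS, and the HTML from every page template; a `max-age` of a few minutes, as in the sample, protects a returning user only until the policy expires, which is exactly the window a stripping attacker needs.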

Key Area 2

Confirm your user’s identity with strong authentication

Billions of users have lost an online identity in a data breach, making their account details and personal information publicly available. And while the effects of a data breach of one application can already be devastating, it becomes a true nightmare if an attacker starts re-using stolen credentials to impersonate the user elsewhere.

Are the credentials you store easily retrieved in the event of a breach?

Does your application leak information, thereby exposing you to targeted brute-force attacks?

By protecting the user management flows in your application, you can effectively protect your users' identities, even in the event of a breach. In this session, you will learn:

  • how your applications can effectively help users to improve their security practices
  • about common attacks against user management flows that occur in most applications
  • how to integrate effective countermeasures that neutralise these common attacks
  • about the benefits of multi-factor authentication, and practical ways to integrate this in your applications
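As an added example, not code from the course page or its lab material, the following login flow shows the two questions above answered in code: credentials are stored as salted, memory-hard scrypt hashes rather than anything recoverable from a dumped database, and the login handler gives the same message and does the same amount of hashing work for an unknown username as for a wrong password, so the form cannot be used to enumerate accounts before a targeted brute-force attack. The user table, the breached-password set and the length limit are constructed assumptions for the example.

```python
"""Added example, not taken from the course page or its lab material: a login
flow that keeps stored credentials hard to recover after a breach (salted,
memory-hard scrypt hashes, not reversible or fast to brute-force) and that
does not reveal whether a username exists. The user table, the breached-password
set and the policy numbers are constructed assumptions for the example."""
import hashlib
import hmac
import os
import secrets

# scrypt work factor: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)
GENERIC_FAILURE = "Invalid username or password"
# Constructed stand-in for a list of passwords seen in public breaches.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


USERS = {"alice": hash_password("correct horse battery staple")}
# Hashed once at startup: unknown usernames are verified against this so the
# response time does not tell an attacker which names exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(username, password):
    """Help the user pick something that will survive a breach elsewhere."""
    if password.lower() in BREACHED:
        return (False, "that password appears in known data breaches")
    if len(password) < 12:
        return (False, "password must be at least 12 characters")
    # Registration inevitably reveals whether a name is taken; rate-limit it.
    if username in USERS:
        return (False, "username unavailable")
    USERS[username] = hash_password(password)
    return (True, None)


def login(username, password):
    """Same message and same amount of hashing work for 'no such user' and
    'wrong password', so the login form cannot be used to enumerate users."""
    stored = USERS.get(username, DUMMY_HASH)
    password_ok = verify_password(password, stored)  # always does the work
    if password_ok and username in USERS:
        return (True, None)
    return (False, GENERIC_FAILURE)


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong password"))
    print(login("nobody", "wrong password"))
```

The generic failure message is the visible half of the defence; the dummy hash is the invisible half, because an attacker who times the response would otherwise learn that unknown names return faster. Password reset and "forgot username" flows need the same treatment, since they usually leak what the login form was hardened not to.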

I'm also really grateful for the excellent hand-outs, providing concise but complete information presented in a way that helped me a lot to better understand the more advanced web security mechanisms.

Stefan Eestermans, ICT Security Consultant, Optaris sprl

Key Area 3

Avoid authorization bypasses by locking down your sessions

Authorization bypass attacks are so common that they are covered by 4 items in the OWASP Top 10. On top of that, various built-in session management mechanisms need additional tweaking to be secure. And because of the nature of the web, an attacker can launch such attacks from within the user's browser, thereby also reaching internal systems on private networks, such as intranet applications, routers, printers, etc.

Are your session identifiers or session objects vulnerable to common attacks?

Does your backend know if a user intended to perform an action, or is it vulnerable to CSRF?

Avoiding authorization bypasses depends on making access control decisions with trusted data. In a web context, this means that everything coming from the client is considered untrusted, including the mere fact that a request arrived: the backend cannot tell from the request alone whether the user intended it. In this session, you will learn:

  • why almost all built-in session management mechanisms are vulnerable to common attacks, and how to fix them
  • how to add intent to requests coming from the browser, allowing the backend to prevent harm being done by unintentional requests
  • how to correctly move from server-side session management to client-side session management, either with cookies or with tokens
  • why Direct Object References can be insecure, and how to prevent this common vulnerability in your application
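The following is an added example, not code from the course page or its lab material, that puts the four bullets above into one small server-side session layer: a fresh session identifier is issued on login so an identifier planted beforehand (session fixation) is worthless, the cookie carries the flags that keep it away from scripts and plain HTTP, every state-changing request must carry the session's CSRF token before the backend treats it as intended, and a direct object reference is only acted on after checking that the object belongs to the logged-in user. The document table, user names and cookie name are constructed assumptions.

```python
"""Added example, not taken from the course page or its lab material: a minimal
server-side session store that (1) issues a fresh identifier on login so a
fixated id is worthless, (2) sets the cookie attributes that keep the id away
from scripts and plain http, (3) requires a per-session CSRF token before any
state change, so the backend knows the user intended the request, and
(4) checks object ownership before acting on a direct object reference.
Session/document data, names and the cookie name are constructed assumptions."""
import hmac
import secrets

COOKIE_NAME = "sid"


class Forbidden(Exception):
    pass


class Session:
    def __init__(self, user_id=None):
        self.user_id = user_id
        self.csrf_token = secrets.token_urlsafe(32)  # one per session


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self):
        """Anonymous session, e.g. for a visitor who has not logged in yet."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session()
        return sid

    def login(self, old_sid, user_id):
        """Bind the user to a brand-new id: whatever id the browser held
        before (possibly planted by an attacker) stops working."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def set_cookie_header(sid):
    """Cookie flags: not readable by script, never sent over http, not sent
    on cross-site top-level POSTs."""
    return "%s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (COOKIE_NAME, sid)


def require_csrf(session, submitted_token):
    """Synchronizer token check; a forged cross-site request cannot know it."""
    if not submitted_token or not hmac.compare_digest(
            session.csrf_token.encode(), submitted_token.encode()):
        raise Forbidden("missing or invalid CSRF token")


# Constructed data: document id -> owner.
DOCUMENTS = {101: {"owner": "alice", "title": "Q1 plan"},
             102: {"owner": "bob", "title": "Salary sheet"}}


def delete_document(store, sid, doc_id, submitted_token):
    """Handler for POST /documents/<doc_id>/delete."""
    session = store.get(sid)
    if session is None or session.user_id is None:
        raise Forbidden("not logged in")
    require_csrf(session, submitted_token)
    doc = DOCUMENTS.get(doc_id)
    # Same answer for 'no such document' and 'someone else's document', so
    # guessing ids does not reveal which ones exist.
    if doc is None or doc["owner"] != session.user_id:
        raise Forbidden("no such document")
    del DOCUMENTS[doc_id]
    return True


def handle_delete(store, sid, doc_id, submitted_token):
    """HTTP-layer wrapper: turn Forbidden into a 403 response tuple."""
    try:
        delete_document(store, sid, doc_id, submitted_token)
    except Forbidden as e:
        return (403, str(e))
    return (204, "")
```

The CSRF token is compared with `hmac.compare_digest` for the same reason password hashes are: a plain string comparison leaks, byte by byte, how much of the token a guess got right. Note that the ownership check uses the user id from the server-side session, never a user id sent by the client.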

Key Area 4

Refuse to be compromised and neutralize code injection attacks

Cross-Site Scripting (XSS) vulnerabilities. Google has them. Facebook has them. Your application has them. XSS vulnerabilities are so severe that bug bounty programs have turned them into a million dollar business. The main reason that XSS is so dangerous is that it gives an attacker full control over a user's context, allowing them to access private data, make requests to the backend, ...

Do you correctly encode your untrusted data, or are you vulnerable to XSS attacks?

Do you know how Content Security Policy can help you neutralize XSS attacks?

Tackling injection attacks is a challenging task, regardless of whether it's a new or an existing application. Fortunately, by adhering to a few best practices, you can vastly improve the security of your application. In this session, you will learn:

  • first-hand how much power you gain by successfully exploiting an XSS vulnerability
  • why almost every web application is vulnerable to XSS attacks, and the right way to stop them
  • how modern JavaScript frameworks can actually make the problem a bit easier to solve
  • how to leverage the power of the recent Content Security Policy, and how to overcome common deployment problems
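As an added example, not code from the course page or its lab material, the block below shows the two defences the questions above ask about side by side: context-aware output encoding for untrusted data placed in an HTML body and in a script block, and a Content Security Policy that allows inline script only through a per-response nonce, together with a checker that flags the relaxations ('unsafe-inline', wildcards, a missing object-src) that quietly let injected script run again. The payload, the sample policies and the page layout are constructed for the example.

```python
"""Added example, not taken from the course page or its lab material: the two
sides of the XSS defence named above. Output encoding for the HTML context and
for data embedded in a script block, and a Content Security Policy that uses a
per-response nonce instead of 'unsafe-inline', with a checker that flags the
relaxations that quietly re-enable injected script. The sample payload,
policies and names are constructed for the example."""
import html
import json
import secrets


def render_comment(author, body):
    """HTML body context: escape <, >, &, ' and " on the way out, not on the
    way in, so the stored data is untouched and every output path is safe."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def js_value(value):
    """JavaScript context inside <script>: JSON-encode, then escape <, > and &
    as \\uXXXX so the data can never contain '</script>' or an HTML comment."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def build_csp(nonce):
    """Scripts only from our origin or carrying this response's nonce; no
    plugins, no <base> hijacking, no framing."""
    return ("default-src 'self'; script-src 'self' 'nonce-%s'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'" % nonce)


def render_page(comment_html, user_prefs):
    """Page with a nonce-bearing inline script; returns (csp_header, html)."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, never reused
    body = ('<html><body>%s<script nonce="%s">var prefs = %s;</script>'
            '</body></html>' % (comment_html, nonce, js_value(user_prefs)))
    return build_csp(nonce), body


def check_csp(policy):
    """Flag script-src relaxations that let injected script run."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return ["no script-src or default-src: script execution is unrestricted"]
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-",
                                          "'sha512-")) for t in script)
    findings = []
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
        if bad in script:
            if bad == "'unsafe-inline'" and has_nonce_or_hash:
                continue  # ignored by CSP2+ browsers once a nonce/hash is present
            findings.append("script-src allows %s" % bad)
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("object-src unrestricted: plugin content can run script")
    return findings


# Constructed payload of the kind a stored-XSS attacker would submit.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

if __name__ == "__main__":
    csp, page = render_page(render_comment("mallory", PAYLOAD),
                            {"theme": "</script><script>alert(1)</script>"})
    print(csp)
    print(page)
    print(check_csp("script-src 'self' 'unsafe-inline' https:"))
```

Encoding is the primary defence and CSP the safety net: with the policy above, an encoding mistake that does let `<script>` through still fails to execute, because the injected element carries no valid nonce. Keeping `'unsafe-inline'` in the policy as a fallback for old browsers is harmless only when a nonce or hash is also present, which is why the checker tolerates that combination and nothing else.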

Book your seat for the Web Security Essentials course today!


Practical Information

Do I really get two YubiKey 4 USB authentication keys for free?

Yes! Because we strongly support multi-factor authentication, we have asked Yubico to sponsor the Web Security Essentials course. They generously donated 1 YubiKey 4 and 1 YubiKey 4 nano per attendee. That's a package worth $90! The only thing Yubico asks in return is your professional contact details.

Don't worry if you're not comfortable sharing your information. You can still work with the YubiKeys during the lab sessions, you just don't get to take them home with you.

What do I need to participate in the lab sessions?

You will receive a VirtualBox image containing all required software and tools at the start of the training. All you need to bring is a computer capable of running VirtualBox VMs.

What course materials do I get?

The Web Security Training program of imec-DistriNet takes pride in its high-quality course materials. Both the slides used throughout the lectures and the detailed guides for the lab sessions will be provided to you at the start of the training. You will receive a printed booklet as well as a digital version.

What is the price?

The price for participating in the full course is € 1 000. An Early Bird discount of € 100 is available until March 16th 2017.

If you are a startup, you may be eligible for the Startup Discount Plan (see below). Every ticket includes course materials, coffee breaks, and lunches.

What is the Startup Discount Plan?

The Startup Discount Plan offers startups a 50% discount on the price of the full course, giving them the possibility to take security into account from the get go. This discount is available to any company that meets all of the following requirements:

  • Is privately held
  • Has been in business for no more than 3 years
  • Is engaged in development of a software-based product or service
  • Is an established business with a website and/or existing public references on the Internet
    Please note that any recently registered affiliates of existing business entities and business entities that were incorporated as a result of any legal/business process (merger, acquisition, etc.) do not qualify for this discount.

If you want to benefit from the Startup Discount Plan, please provide us with documentation showing that you meet these criteria (e.g. Memorandum of Association). You can reach us at After approval, you will receive a discount code which you can use to register for the course.

How do I register?

Registration is handled by our internal registration system. Payments are charged to a credit card. If you need an invoice, make sure you select that option during registration.

Where will the training take place?

The training will take place at the offices of imec-DistriNet, located at the Department of Computer Science of the University of Leuven, Belgium.

Endorsements of the Web Security Essentials course

100% of attendees recommend this course to colleagues and friends

As web architect, security is an important concern in the design and implementation of an application. However, I must admit, my knowledge on the subject was quite sparse, as it was difficult for me to find a main reference on the subject.

For this reason I decided to join the Web Security Essentials training. The course allowed me to have a complete overview on the subject, understand the main security pitfalls, and use some of the most important tools to overcome them.

The awareness of the main security threats is key in my daily work with big companies and the course well addresses it via the presentations and the practical labs. I would recommend this training to all web developers and architects: the balance between the slide sessions and the practical labs made the course a joyful full-immersion in the security field.

Nicola Di Giorgio, Software Architect/CEO, PREGIOTEK sprl

Thanks for providing this course packed with very up-to-date information. I greatly appreciated the good balance between theory and hands-on labs which allowed me to gain a deeper understanding and new insights on web security measures to defend against current threats. I'm also really grateful for the excellent hand-outs, providing concise but complete information presented in a way that helped me a lot to better understand the more advanced web security mechanisms.

Stefan Eestermans, ICT Security Consultant, Optaris sprl

I was looking for information to get an idea of what kind of issues modern web applications face (or do not face), and how much an attacker needs to invest to launch various kinds of attacks. I do not believe such information can be obtained from high-level overview presentations. I was looking for a more hands-on approach, to get some experience with issues that managers often sweep under the rug as unimportant.

The course delivered on my expectations, not only by confirming that modern web applications face various threats, but also by clarifying that numerous threats depend on the level of freedom users have. Thanks to the Web Security Essentials course, I now have a better and more concrete understanding of what needs to happen to build a secure application.

Paul Valckenaers, Senior Researcher, UCCL