SCP - Writing Secure Code in PHP
Learn how to write secure code in PHP, identifying vulnerable patterns
PHP is one of the most famous languages in the world. Magento, WordPress, Drupal, and Joomla are written in PHP. Whether you are developing an extension for a blog or a complete e-commerce platform, knowing what vulnerable patterns look like is crucial for writing secure code. This course will guide you through different scenarios that will let you understand how attackers look at the code and applications. We will look at vulnerabilities and remediations from a developer's point of view, equipping you with the right knowledge and tools to support you in each phase of the software development lifecycle. "SCP - Writing secure code in PHP" is a course for developers, security engineers, or professionals that want to improve their skills in PHP secure code reviews and vulnerability exploitation. The training is based on the OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4.
Prerequisites
Knowledge about PHP fundamentals
Basic knowledge of Laravel
Basic knowledge of SQL syntax
Interest in security
Target audience
Security Engineers
Security Champions
DevOps
Developers
Tools used
Any IDE
Docker (docker-compose)
Burp Suite Community edition
Semgrep
Coffee or Tea ☕️
Syllabus
| Module | Topic | Details |
|---|---|---|
The hacking mindset | ||
How attackers will look at your applications | ||
Secure coding introduction | ||
Secure coding principles | ||
From SDLC to SSDLC | ||
OWASP Top 10 2021 | ||
OWASP ASVS and security requirements | ||
CVSS: how to rate vulnerabilities | ||
Exploiting the client side | ||
LAB: DOM Cross Site Scripting (XSS) | ||
LAB: Reflected Cross Site Scripting (XSS) | ||
LAB: Stored Cross Site Scripting (XSS) | ||
LAB: CORS misconfigurations | ||
LAB: Security Headers (Attacking CSP) | ||
LAB: Client side open redirect | ||
Authentication | ||
Authentication Mechanisms in PHP and Laravel | ||
Protecting routes | ||
Authorization and Access Control | ||
LAB: Broken Access Control | ||
LAB: Type Juggling attacks on hashing functions | ||
LAB: Mass Assignment | ||
LAB: Insecure Direct Object Reference | ||
LAB: Path Traversal | ||
LAB: CSRF (Cross Site Request Forgery) | ||
Server Side Injections | ||
LAB: SQL injections | ||
LAB: Command injection | ||
LAB: Code Injection | ||
LAB: XML External Entities | ||
LAB: Server-Side Request Forgery | ||
LAB: Server Side Template Injections in Twig | ||
Vulnerable and Outdated Components | ||
The importance of SCA (Static Component Analysis) | ||
LAB: Detecting known vulnerabilities using Snyk | ||
Integrate SCA in the CI/CD pipeline | ||
Detecting vulnerabilities in Laravel using SCA | ||
Scanning your code using Semgrep | ||
Semgrep basics | ||
LAB: Semgrep for PHP: How to write rules | ||
Semgrep automation |
Why should you attend this course?
This course will teach you the inside out of exploiting and securing PHP applications via real-life examples. If you are a PHP developer / DevOps this is the course for you.
Last updated
