SCP - Writing Secure Code in PHP

Learn how to write secure code in PHP, identifying vulnerable patterns

PHP is one of the most famous languages in the world. Magento, WordPress, Drupal, and Joomla are written in PHP. Whether you are developing an extension for a blog or a complete e-commerce platform, knowing what vulnerable patterns look like is crucial for writing secure code. This course will guide you through different scenarios that will let you understand how attackers look at the code and applications. We will look at vulnerabilities and remediations from a developer's point of view, equipping you with the right knowledge and tools to support you in each phase of the software development lifecycle. "SCP - Writing secure code in PHP" is a course for developers, security engineers, or professionals that want to improve their skills in PHP secure code reviews and vulnerability exploitation. The training is based on the OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4.


  • Knowledge about PHP fundamentals

  • Basic knowledge of Laravel

  • Basic knowledge of SQL syntax

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

Tools used

  • Any IDE

  • Docker (docker-compose)

  • Burp Suite Community edition

  • Semgrep

  • Coffee or Tea ☕️



The hacking mindset

How attackers will look at your applications

Secure coding introduction

Secure coding principles


OWASP Top 10 2021

OWASP ASVS and security requirements

CVSS: how to rate vulnerabilities

Exploiting the client side

LAB: DOM Cross Site Scripting (XSS)

LAB: Reflected Cross Site Scripting (XSS)

LAB: Stored Cross Site Scripting (XSS)

LAB: CORS misconfigurations

LAB: Security Headers (Attacking CSP)

LAB: Client side open redirect


Authentication Mechanisms in PHP and Laravel

Protecting routes

Authorization and Access Control

LAB: Broken Access Control

LAB: Type Juggling attacks on hashing functions

LAB: Mass Assignment

LAB: Insecure Direct Object Reference

LAB: Path Traversal

LAB: CSRF (Cross Site Request Forgery)

Server Side Injections

LAB: SQL injections

LAB: Command injection

LAB: Code Injection

LAB: XML External Entities

LAB: Server-Side Request Forgery

LAB: Server Side Template Injections in Twig

Vulnerable and Outdated Components

The importance of SCA (Static Component Analysis)

LAB: Detecting known vulnerabilities using Snyk

Integrate SCA in the CI/CD pipeline

Detecting vulnerabilities in Laravel using SCA

Scanning your code using Semgrep

Semgrep basics

LAB: Semgrep for PHP: How to write rules

Semgrep automation

Why should you attend this course?

This course will teach you the inside out of exploiting and securing PHP applications via real-life examples. If you are a PHP developer / DevOps this is the course for you.

More info? Contact us at

Last updated