# SCP - Writing Secure Code in PHP ![](/files/A1Tw4s7ZcTXv6OBNclL8) PHP is one of the most famous languages in the world. Magento, WordPress, Drupal, and Joomla are written in PHP. Whether you are developing an extension for a blog or a complete e-commerce platform, knowing what vulnerable patterns look like is crucial for writing secure code. This course will guide you through different scenarios that will let you understand how attackers look at the code and applications. We will look at vulnerabilities and remediations from a developer's point of view, equipping you with the right knowledge and tools to support you in each phase of the software development lifecycle. "SCP - Writing secure code in PHP" is a course for developers, security engineers, or professionals that want to improve their skills in PHP secure code reviews and vulnerability exploitation. The training is based on the OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4. ![IDOR vulnerability in PHP. Example from the course](/files/KAu5N4vO0JOhPFMHzHPA) ## Prerequisites * Knowledge about PHP fundamentals * Basic knowledge of Laravel * Basic knowledge of SQL syntax * Interest in security ## Target audience * Security Engineers * Security Champions * DevOps * Developers ## Tools used * Any IDE * Docker (docker-compose) * Burp Suite Community edition * Semgrep * Coffee or Tea ☕️ ## Syllabus
ModuleTopicDetails
The hacking mindset
How attackers will look at your applications
Secure coding introduction
Secure coding principles
From SDLC to SSDLC
OWASP Top 10 2021
OWASP ASVS and security requirements
CVSS: how to rate vulnerabilities
Exploiting the client side
LAB: DOM Cross Site Scripting (XSS)
LAB: Reflected Cross Site Scripting (XSS)
LAB: Stored Cross Site Scripting (XSS)
LAB: CORS misconfigurations
LAB: Security Headers (Attacking CSP)
LAB: Client side open redirect
Authentication
Authentication Mechanisms in PHP and Laravel
Protecting routes
Authorization and Access Control
LAB: Broken Access Control
LAB: Type Juggling attacks on hashing functions
LAB: Mass Assignment
LAB: Insecure Direct Object Reference
LAB: Path Traversal
LAB: CSRF (Cross Site Request Forgery)
Server Side Injections
LAB: SQL injections
LAB: Command injection
LAB: Code Injection
LAB: XML External Entities
LAB: Server-Side Request Forgery
LAB: Server Side Template Injections in Twig
Vulnerable and Outdated Components
The importance of SCA (Static Component Analysis)
LAB: Detecting known vulnerabilities using Snyk
Integrate SCA in the CI/CD pipeline
Detecting vulnerabilities in Laravel using SCA
Scanning your code using Semgrep
Semgrep basics
LAB: Semgrep for PHP: How to write rules
Semgrep automation
## Why should you attend this course? This course will teach you the inside out of exploiting and securing PHP applications via real-life examples. If you are a PHP developer / DevOps this is the course for you. {% hint style="info" %} ### More info? Contact us at {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://1337.dcodx.com/trainings/scp-writing-secure-code-in-php.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.