This course is part of the Secure Coding Practices Specialization

4.4
stars
57 ratings

Joubin Jabbari

6,600 already enrolled

Offered By

Secure Coding Practices SpecializationUniversity of California, Davis

About this Course

6,416 recent views

In this course, we will wear many hats. With our Attacker Hats on, we will exploit Injection issues that allow us to steal data, exploit Cross Site Scripting issues to compromise a users browser, break authentication to gain access to data and functionality reserved for the ‘Admins’, and even exploit vulnerable components to run our code on a remote server and access some secrets. We will also wear Defender Hats. We will dive deep in the code to fix the root cause of these issues and discuss various mitigation strategies. We do this by exploiting WebGoat, an OWASP project designed to teach penetration testing. WebGoat is a deliberately vulnerable application with many flaws and we take aim at fixing some of these issues. Finally we fix these issues in WebGoat and build our patched binaries. Together we will discuss online resources to help us along and find meaningful ways to give back to the larger Application Security community.

Flexible deadlines

Reset deadlines in accordance to your schedule.

Shareable Certificate

Earn a Certificate upon completion

100% online

Start instantly and learn at your own schedule.

Coursera Labs

Includes hands on learning projects.

Learn more about Coursera Labs

Course 4 of 4 in the

Secure Coding Practices Specialization

Intermediate Level

Approx. 23 hours to complete

English

Could your company benefit from training employees on in-demand skills?

Try Coursera for Business

What you will learn

Practice protecting against various kinds of cross-site scripting (XSS) attacks.
Form plans to mitigate injection vulnerabilities in your web application.
Create strategies and controls to provide secure authentication.
Examine code to find and patch vulnerable components.

Skills you will gain

Java
secure programming
Java Programming
security

Flexible deadlines

Reset deadlines in accordance to your schedule.

Shareable Certificate

Earn a Certificate upon completion

100% online

Start instantly and learn at your own schedule.

Coursera Labs

Includes hands on learning projects.

Learn more about Coursera Labs

Course 4 of 4 in the

Secure Coding Practices Specialization

Intermediate Level

Approx. 23 hours to complete

English

Could your company benefit from training employees on in-demand skills?

Try Coursera for Business

Instructor

Instructor rating

4.42/5 (15 Ratings)

Joubin Jabbari

Software Security Architect, Financial Industry

Continuing and Professional Education

6,600 Learners

1 Course

Offered by

University of California, Davis

See how employees at top companies are mastering in-demand skills

Learn more about Coursera for Business

Syllabus - What you will learn from this course

Week1

Week 1

7 hours to complete

Setup and Introduction to Cross Site Scripting Attacks

In this module, you will be able to use Git and GitHub to pull needed source code. You will be able to run WebGoat in a Docker container and explain reasons for doing so. You'll be able to describe cross-site scripting attacks and explain how these attacks happen and how to guard against them. You'll be able to differentiate between a DOM-based, Reflected, and Stored cross-site scripting attacks. You will be able to practice protecting against various kinds of cross-site scripting attacks.

7 hours to complete

14 videos (Total 89 min), 3 readings, 2 quizzes

14 videos

Course Introduction3mOverview of Resources and Tools for This Course4mSetup and Introduction to Cross-site Scripting1mTips and Tricks to Use Git for Course and Project8mHow to Import WebGoat into IDE7mHow to Run WebGoat in a Docker Container5mInjection Attacks: What They Are and How They Affect Us9mCross-site Scripting (XSS), Part 110mProtecting Against Cross-site Scripting (XSS), Part 29mPatching Reflected Cross-site Scripting (XSS), Part 36mStored Cross-site Scripting (XSS)14mDangers of Cross-site Scripting (XSS) Attacks4mA Note About Finding Lessons on WebGoat32sIntroduction to Labs (Peer Reviewed)2m

3 readings

A Note From UC Davis10mOWASP Cross Site Scripting Prevention Cheat Sheet1hNote About Peer Review Assignments10m

1 practice exercise

Module 1 Quiz30m

Week2

Week 2

7 hours to complete

Injection Attacks

In this module, you will be able to exploit a SQL injection vulnerability and form plans to mitigate injection vulnerabilities in your web application. You will be able to discuss various approaches to finding and fixing XML, Entity and SQL attack vulnerabilities. You'll be able to describe and protect against a "man-in-the-middle" attack and describe the the thought process to find SQL injection vulnerabilities by "putting on the attacker's hat". You will be able to demonstrate how to properly modify queries to get them into prepared statements and analyze code while using an XML viewer and text editor to find vulnerabilities. You'll also be able to navigate a large code base to find critical segments of code and patch vulnerabilities.

7 hours to complete

10 videos (Total 80 min), 2 readings, 2 quizzes

10 videos

Injection Attacks1mTutorial: Using a Proxy to Intercept Traffic from Client to Servers7mSQL Syntax and Basics: Putting On the Attacker Hat10mSolution to SQL Injection Attacks (SQLi)7mSQL Injection Attacks: Evaluation of Code13mXML External Entity (XXE) Attacks8mDemo of an XML External Entity (XXE) Attack to Gain Remote Code Execution (RCE)5mEvaluation of Code - XXE through a REST Framework8mSolution: Evaluation of Code - XXE through a REST Framework8mPatching the XXE Vulnerability9m

2 readings

OWASP SQL Injection Prevention Cheat Sheet45mOWASP XML External Entity Prevention Cheat Sheet45m

1 practice exercise

Module 2 Quiz30m

Week3

Week 3

6 hours to complete

Authentication and Authorization

In this module, you will be able to evaluate authentication flaws of various kinds to identify potential problems and create strategies and controls to provide secure authentication. You'll be able to create and/or implement controls to mitigate authentication bypass and draw lessons from notable instances where others failed to authenticate users. You will be able to properly implement authentication methods like JSON Web Tokens (JWT). You will be able to find vulnerabilities in a large code base and provide a solution for demonstrating and exploiting JSON Web Tokens (JWT).

6 hours to complete

12 videos (Total 57 min), 2 readings, 2 quizzes

12 videos

Authentication and Authorization53sIntroduction to Authentication Flaws in WebGoat1mAuthentication Bypass Exploit3mTips and Tricks for Burp Suite: Use Proxy to Intercept Traffic4mSolution to Authentication Bypass: Evaluation of Code7mFinding Vulnerabilities and Logical Flaws in Source Code10mIntroduction to JSON Web Tokens (JWT) and Authentication Bypass49sAuthentication Flaw JSON Web Tokens (JWT)7mSolution Demo: Exploiting JSON Web Tokens (JWT)8mEvaluating Code to Find the JSON Web Tokens (JWT) Flaw4mHint Video: (JWT) Patching the Vulnerable Code in WebGoat47sSolution to Patch JWT Flaw6m

2 readings

OWASP Transaction Authorization Cheat Sheet1hA Beginner's Guide to JWTs in Java'45m

1 practice exercise

Module 3 Quiz30m

Week4

Week 4

4 hours to complete

Dangers of Vulnerable Components and Final Project

4 hours to complete

5 videos (Total 26 min), 3 readings, 2 quizzes

5 videos

Dangers of Vulnerable Components Introduction1mVulnerable Components (XStream Library)9mSolution: Fixing Vulnerabilities with XStream11mIntroduction to Labs (Peer Reviewed)2mCourse Summary1m

3 readings

Article: How Hackers Broke Equifax: Exploiting a Patchable Vulnerabil10mArticle: Exploiting OGNL Injection in Apache Struts30mNote About Peer Review Assignments10m

1 practice exercise

Module 4 Practice Quiz5m

Reviews

4.4

14 reviews

5 stars
70.17%
4 stars
17.54%
3 stars
3.50%
2 stars
3.50%
1 star
5.26%

TOP REVIEWS FROM EXPLOITING AND SECURING VULNERABILITIES IN JAVA APPLICATIONS

by GSMay 25, 2020

Great course, got lot to earn about vulnerabilities and their mitigation strategies

by LSOct 2, 2019

course is good but it seems like, i am learner of this course..There is no one who can review my asginments -_-'

by VVJan 29, 2020

Very Good course material. dicover it, try it, fix it method.

by GPJun 22, 2020

Excellent and really helpful material... By far the best and most interesting course in the series!

View all reviews

About the Secure Coding Practices Specialization

This Specialization is intended for software developers of any level who are not yet fluent with secure coding and programming techniques.Through four courses, you will cover the principles of secure coding, concepts of threat modeling and cryptography and exploit vulnerabilities in both C/C++ and Java languages, which will prepare you to think like a hacker and protect your organizations information. The courses provide ample practice activities including exploiting WebGoat, an OWASP project designed to teach penetration testing.

Frequently Asked Questions

When will I have access to the lectures and assignments?
Access to lectures and assignments depends on your type of enrollment. If you take a course in audit mode, you will be able to see most course materials for free. To access graded assignments and to earn a Certificate, you will need to purchase the Certificate experience, during or after your audit. If you don't see the audit option:
The course may not offer an audit option. You can try a Free Trial instead, or apply for Financial Aid.
The course may offer 'Full Course, No Certificate' instead. This option lets you see all course materials, submit required assessments, and get a final grade. This also means that you will not be able to purchase a Certificate experience.
What will I get if I subscribe to this Specialization?
When you enroll in the course, you get access to all of the courses in the Specialization, and you earn a certificate when you complete the work. Your electronic Certificate will be added to your Accomplishments page - from there, you can print your Certificate or add it to your LinkedIn profile. If you only want to read and view the course content, you can audit the course for free.
Is financial aid available?
Yes. In select learning programs, you can apply for financial aid or a scholarship if you can’t afford the enrollment fee. If fin aid or scholarship is available for your learning program selection, you’ll find a link to apply on the description page.

More questions? Visit the Learner Help Center.

Build employee skills, drive business results

Discover Coursera for Business

Exploiting and Securing Vulnerabilities in Java Applications

About this Course

What you will learn

Skills you will gain