Cybr | NYU Tandon School of Engineering

Cybr

Introduction to AppSec; Cross-site Scripting (XSS); SQL Injections; OS Command Injections

Cybr is a career enablement community - a diverse and inclusive online cybersecurity community of interest and practice - where anyone can go to give or get the support needed to succeed in cybersecurity. It’s an open forum for professionals, students and educators - like yourself - to collaborate with other cybersecurity influencers, enthusiasts, practitioners, leaders, educators and students. Cybr wants to leverage the diversity, experience, interests, ideas, and creativity of those within their community to find ways to make building practical cybersecurity skills fun, simple, safe, and less scary for everyone!


Cybr

Cybr offers supplemental cybersecurity skill-building courses and content, experience-based learning resources, and a collaborative community targeted at helping individuals succeed in cybersecurity.

 

Register for a Cybr Account

Students and alumni can register using their NYU email address. Registration is only needed once.

Cybr’s Introduction to Application Security (AppSec) course provides a high-level understanding of application security concepts, secure software development frameworks and best practices, and the most common application security threats.

Topics covered include:

  • Application Security as a field, its scope, and the skills required for related jobs
  • Overview of OWASP resources and the NICE Framework
  • Critical Application Security concepts
  • Threat Modeling concepts and approaches
  • The current state of web, mobile, and cloud application security based on research and data
  • Cloud access control and permissions
  • Building secure APIs in the cloud
  • AppSec testing methods and concepts
  • Pentesting in a safe and legal environment, including example brute force, SQL injection, and XSS attacks
  • How to handle open-source software with known vulnerabilities

Upon completion of this course, badge earners will:

  • Learn how to build more secure software to power their organization’s web, mobile, or cloud applications
  • Learn core concepts of AppSec and how to apply them to real-world applications
  • Learn how to use important frameworks & tools to help create more secure software products/applications
  • Understand the OWASP Top 10 Web Application Security Risks and the OWASP Mobile Top 10
  • Learn about top cloud application security risks and concepts
  • Learn about the most efficient application security testing methodologies
  • Perform hands-on pentesting with demonstrations

To earn the Introduction to AppSec badge:

  1. Enroll in the Introduction to AppSec course.
  2. Complete all lessons and quizzes to receive the course certificate.

Approximate time to earn the Introduction to AppSec Badge: ~ 3 hours

Recommended Prerequisite Experience: No prior security experience is required, but general programming experience is needed for the hands-on learning exercises.


Industry estimates cited by Cybr put 75% of cyber-attacks at websites, with 40%-50% of those being XSS attacks, so there is a clear need for web application developers, product owners, and business leaders to understand exactly what XSS attacks are, how they occur, and what impact they can have on organizations, customers, partners, and consumers. XSS is one of the most common and highest-severity web application risks: it appeared as its own category in the OWASP Top 10 through the 2017 edition and, since the 2021 edition, is counted under A03:2021 Injection.

Cybr’s Cross-site Scripting (XSS): The 2021 Guide is an activity-based course designed to raise awareness of XSS vulnerabilities and attacks and to build the skills needed to prevent, identify and fix XSS flaws in web applications.

The course’s 30+ video lessons include step-by-step tutorials carried out in safe lab environments, and cover both offensive and defensive XSS techniques: how to find XSS vulnerabilities with manual and automated approaches, and how to fix them.

While completing these exercises, badge earners will:

  • Set up a free lab environment using a Kali Linux virtual machine
  • Configure safe and legal lab targets using containers inside Kali
  • Get started with OWASP ZAP (a free alternative to Burp Suite)
  • Use manually-crafted payloads to evade security filters
  • Use automated tools to find successful XSS payloads (including ZAP, XSStrike, XSSer)
  • Remotely control browsers with BeEF
  • Gather information about the target in order to find potential vulnerabilities
  • Conduct side-by-side comparisons of vulnerable and safe code to learn coding best practices and how to identify XSS flaws
  • Review code for XSS vulnerabilities
  • Perform XSS injections by hand with crafted requests using a proxy tool (ZAP)
  • Use results from successful injections to exploit targets (e.g. change a user's password with a single URL by chaining XSS with CSRF)

Upon completion of this course, badge earners will understand:

  • What XSS is and how it works
  • The 3 main types of XSS attacks: Reflected, Stored and DOM-based
  • The real-world dangers of XSS in action
  • Effective (and ineffective) defenses against XSS
  • How XSS attacks are carried out, both by hand and with automated tools
  • Real-world application through case studies of XSS vulnerabilities at Facebook, Gmail, Twitter, Tesla, and Airbnb
  • Rules to follow in order to prevent XSS vulnerabilities for all 3 types of attacks
  • Recommended testing guides

To earn the Cross-site Scripting (XSS) badge:

  1. Enroll in the Cross-site Scripting (XSS) - The 2021 Guide course.
     (Completing the Introduction to AppSec badge first earns a free coupon code for this course.)
  2. Complete all lessons and quizzes to receive the course certificate.

Approximate time to earn the Cross-site Scripting (XSS) Badge: ~ 4.5 hours

Recommended Prerequisite Experience: Experience with JavaScript and with web applications is required for the hands-on learning exercises.
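The “effective (and ineffective) defenses” and “vulnerable and safe code side by side” items above, as an added example that is not part of Cybr’s course material: one reflected-XSS sink rendered with no encoding, with a `<script>` blocklist, and with proper output encoding, plus the same input landing in an attribute context. Python is used here (and for the examples in the later sections) because its standard library can both render the markup and tokenize it the way a browser’s HTML parser would; the search page, the payloads and the `executes_script` checker are all constructed for this illustration and are not from the course.

```python
import html
import re
from html.parser import HTMLParser

# Added example (not Cybr's course code): a reflected-XSS sink rendered three
# ways, plus a small checker that tokenises the output the way a browser's
# HTML parser would, so we can see which versions yield executable script.


def render_search_vulnerable(query):
    """HTML text context, no encoding: user input becomes markup."""
    return f"<p>Results for: {query}</p>"


def render_search_blocklist(query):
    """Ineffective defence: strip '<script>' tags and hope for the best."""
    cleaned = re.sub(r"(?i)<\s*/?\s*script[^>]*>", "", query)
    return f"<p>Results for: {cleaned}</p>"


def render_search_escaped(query):
    """Effective defence for a text context: entity-encode every parser-significant character."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_unquoted_escape(query):
    """Attribute context with quote=False: '<' and '>' are encoded but '"' is not,
    so the input can close the value attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(query, quote=False)}">'


def render_attr_escaped(query):
    """Attribute context done right: quotes are encoded too (quote=True is the default)."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


class ScriptDetector(HTMLParser):
    """Records start tags and attributes a browser would treat as script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def executes_script(markup):
    """Return the script-bearing constructs found in rendered markup ([] means nothing runs)."""
    detector = ScriptDetector()
    detector.feed(markup)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    payloads = [
        "<script>alert(1)</script>",          # classic, caught by the blocklist
        "<img src=x onerror=alert(1)>",       # no script tag at all
        "<scr<script>ipt>alert(1)</script>",  # stripping one tag rebuilds another
    ]
    for p in payloads:
        for renderer in (render_search_vulnerable, render_search_blocklist, render_search_escaped):
            print(f"{renderer.__name__:26} {p!r:40} -> {executes_script(renderer(p))}")
    attr_payload = '" onfocus="alert(1)" autofocus="'
    print("attr, quote=False:", executes_script(render_attr_unquoted_escape(attr_payload)))
    print("attr, quote=True :", executes_script(render_attr_escaped(attr_payload)))
```

Running it shows why a filter on input is the wrong layer: the blocklist removes `<script>` but not `<img onerror>`, and it turns the nested `<scr<script>ipt>` payload into a working `<script>` tag, which is exactly the kind of filter evasion the course practices by hand. Encoding at the output sink with `html.escape(..., quote=True)` neutralizes all three in the text context, while `quote=False` still leaves an attribute value open to a `" onfocus=...` break-out. The XSS-to-CSRF chain mentioned above follows the same logic: once script runs in the victim’s origin it can issue the password-change request with the victim’s session, so the fix is context-aware output encoding at every sink rather than a list of forbidden tags.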


Injection is one of the top threats facing web applications today. SQL injection in particular strikes at the heart of an application, its database, and has produced some of the costliest breaches a company can face.

In this course, we cover the biggest injection risks as listed in the OWASP Top 10, starting with SQL injections. With SQL injections accounting for nearly two-thirds of all web application attacks from 2017 to 2019 (according to an Akamai report), web developers, product owners, and business leaders need to understand exactly what injection attacks are, how they occur, and what impact these attacks can have on organizations, customers, partners, and consumers.

The course is designed to provide hands-on experience executing attacks against vulnerable applications, an important step in learning how to find vulnerabilities and, ultimately, how to fix and prevent them. It also explains the other types of injection threat, with examples of how these attacks work, the impact a successful attack can have, and secure coding practices to prevent them.

Upon completion of this course, badge earners will develop the:

  • Knowledge of SQL injections, OS command injections, LDAP injections, XML external entity (XXE) and XPath injections, and SMTP header injections
  • Ability to gather information about a target to look for potential injection vulnerabilities
  • Ability to manually and automatically test applications for injection vulnerabilities
  • Ability to look at code and identify potential injection vulnerabilities
  • Knowledge of coding best practices to prevent all of the covered injection threats

 

To earn the SQL Injections badge:

Approximate time to earn the SQL Injections Badge: ~ 4 hours

Recommended Prerequisite Experience: Experience working with web applications and an understanding of SQL are required.
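The “look at code and identify potential injection vulnerabilities” and “coding best practices” outcomes above, as an added example that is not part of Cybr’s course material: a login query built by string concatenation next to the same query with bound parameters, run against a constructed in-memory SQLite database so the difference is observable. The `users` table, its two rows and the placeholder “hashes” are made up for this illustration (they are not real password hashing), and `list_users_sorted` is included to show the one case parameters cannot cover.

```python
import sqlite3

# Added example (not Cybr's course code): a login query built by string
# concatenation next to the same query with bound parameters, run against a
# constructed in-memory SQLite database so the difference is observable.


def build_db():
    """Constructed sample data: two users with placeholder 'hashes' (not real hashing)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: user input is spliced into the SQL text, so a quote ends the
    string literal and everything after it is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password_hash):
    """Fixed: the SQL text is constant; values travel separately as bound
    parameters and can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, sort_column):
    """Identifiers (column and table names) cannot be bound as parameters; the
    safe option is an allow-list checked before the name touches the SQL."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the comment marker '--' discards the password check.
    print(login_vulnerable(db, "alice'--", "anything"))
    # Tautology: every row matches.
    print(login_vulnerable(db, "' OR 1=1--", "anything"))
    # UNION: read a different column (the stored hashes) through the login form.
    print(login_vulnerable(db, "' UNION SELECT username, password_hash FROM users--", "anything"))
    # The same payloads against the parameterized query match nothing.
    print(login_parameterized(db, "alice'--", "anything"))
    print(login_parameterized(db, "alice", "hash-alice"))
```

Three payloads show three impacts from one flaw: `alice'--` logs in as the admin without a password, `' OR 1=1--` returns every account, and the UNION payload pulls the `password_hash` column out through a query that was only meant to check credentials. Two caveats worth knowing when reproducing this: Python’s `sqlite3` refuses to run more than one statement per `execute()`, so a stacked `'; DROP TABLE users--` fails here, but that is a driver quirk and not a defense (many drivers and databases do run stacked queries); and parameters only protect values, so a sort column or table name taken from the request still needs an allow-list as in `list_users_sorted`.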


OS command injection affects any system that passes application input to an operating-system shell: web servers, IoT devices, office devices (e.g. printers), and more. In the worst case, a vulnerability gives an attacker complete control of the system. From there, the system can be modified, backdoors can be created for persistence, and the attacker can attempt to pivot to other systems within the organization. Given this risk, understanding what OS command injections are, how they work and are exploited, and how to prevent them, is important for any application developer and technical business leader. This is why OS command injection is part of the OWASP Top 10 Web Application Security Risks, under the Injection category.

This course takes OS command injection from concepts to practice. It starts by creating a safe and legal environment in which to perform attacks, then covers the core concepts of command injection and the techniques used to exploit vulnerable targets. Going fully offensive, learners perform manual injection attacks as well as automated attacks with a tool called Commix. Once vulnerabilities are found, learners generate and plant persistent backdoors that can be used to spawn shells, giving access to the target server at any time. After successfully compromising the targets, the course steps back to discuss defensive controls at the application layer, looks at real vulnerable code, and explores ways of fixing it to prevent injection.

Upon completion of this course, badge earners will develop the: 

  • Knowledge of OS Command injections
  • Ability to perform OS Command injections manually
  • Ability to perform OS Command injections with Commix
  • Ability to leverage tools such as MSFvenom and Weevely to generate, upload, and use backdoor shells on remote servers
  • Knowledge of what backdoors are and the threat they pose
  • Ability to find vulnerabilities by looking at code
  • Knowledge of coding best practices to prevent vulnerabilities

To earn the OS Command Injection badge:

  1. Enroll in the Introduction to OS Command Injections course. 
  2. Complete all lessons and quizzes to receive the course certificate.

Approximate time to earn the OS Command Injection Badge: ~ 2 hours

Recommended Prerequisite Experience: Experience working with web applications and with operating-system commands (Linux or Windows).
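The “find vulnerabilities by looking at code” and “coding best practices to prevent vulnerabilities” outcomes above, as an added example that is not part of Cybr’s course material: a “ping this host” feature implemented with `shell=True` and string interpolation, then without a shell, then with allow-list validation on top. To keep the demo self-contained and harmless the command actually run is `echo ping -c 1 <host>` rather than a real ping (assumes a POSIX `/bin/sh`); the shell parsing that makes injection possible is identical, and the payload, hostname regex and function names are constructed for this illustration.

```python
import ipaddress
import re
import shlex
import subprocess

# Added example (not Cybr's course code): a "ping this host" feature implemented
# three ways. The command run is `echo ping -c 1 <host>` instead of a real ping
# so the demo is self-contained and harmless; the shell parsing that makes
# injection possible is exactly the same. Assumes a POSIX /bin/sh.

# Constructed allow-list pattern: RFC 1123 style hostname labels joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def ping_vulnerable(host):
    """Vulnerable: the host is interpolated into a command line handed to /bin/sh.
    Shell metacharacters (; | && $() `) inside `host` become new commands."""
    cmd = f"echo ping -c 1 {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv(host):
    """Better: no shell at all. The argument vector goes straight to execve, so
    the whole input is one argument and metacharacters are just bytes."""
    return subprocess.run(["echo", "ping", "-c", "1", host], capture_output=True, text=True).stdout


def is_valid_host(host):
    """Allow-list validation: an IP address or a syntactically valid DNS hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def ping_hardened(host):
    """Defence in depth: validate first, then run without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"refusing to ping {host!r}: not a hostname or IP address")
    return ping_argv(host)


def ping_quoted(host):
    """If a shell is unavoidable (pipelines, redirections), shlex.quote makes the
    value survive as a single word. Validation is still recommended on top."""
    cmd = f"echo ping -c 1 {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed injection payload
    print("shell=True :", repr(ping_vulnerable(payload)))   # two lines: the injected command ran
    print("argv       :", repr(ping_argv(payload)))         # one line: payload stayed one argument
    print("quoted     :", repr(ping_quoted(payload)))
    try:
        ping_hardened(payload)
    except ValueError as err:
        print("hardened   :", err)
    print("hardened   :", repr(ping_hardened("example.com")))
```

With `shell=True` the `;` in the payload ends the echo and the second command runs, which is the foothold the course then extends into a planted backdoor shell. Passing an argument list removes the shell from the picture entirely, so `;` is just a character in one argument, and `shlex.quote` achieves the same when a shell cannot be avoided. The allow-list in `ping_hardened` adds a second layer the argv form alone does not give you: a real `ping` would still parse a host value beginning with `-` as an option, and the hostname pattern rejects those along with anything containing whitespace or metacharacters.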