Who should attend this talk?
This talk is completely beginner friendly, from newbies, developers, security engineers to pentesters who want to get more practical experience in finding vulnerabilities and secure coding practices.

Detailed Plan
The talk will be divided into two sections: Attack & Secure Coding. This talk is completely beginner friendly for an audience ranging from students to
professionals and will start with fundamentals of web, web architecture and technologies.
Web Architecture (Client-Server components, models, styles and types)
Web Fundamentals:
● Caching
● Cloud Storage
● Load Balancers
● CDN
● Databases
Application layer (Web services mapped in OSI Layer):
● Requests & Responses
● HTTP Methods
● HTTP Status codes
● Cookies & Sessions
● SOP
● Sandbox
● URL & its decomposition

Web & API Exploitation:
Note: The demonstration will be shown for every vulnerability and patches alongside the talk. If the participant wants to have a hands-on session, the dockerized application will be provided to the participants to be set up in their personal laptops.
The Hands-on lab is an intentionally vulnerable dockerized e-commerce application for testing for bugs which our team would demonstrate. The application uses a microservice architecture which uses multiple components of the e-commerce app as services which are written in different programming languages and databases to help attendees learn attack and defense vectors in multiple tech stacks. We would explain the bug, where to find it and why it occurs along with a demonstration of how to look for the bug in any application. This class focuses on specific areas of
appsec and on advanced vulnerability identification and exploitation techniques.

Hands-on labs to attack the components of the vulnerable e-commerce site would be provided with multiple ways of exploiting the bug.
● Mass Assignment vulnerability
● SQL Injection
● File Upload Vulnerability
● Remote Code Execution
● IDOR
● Server Side Template Injection
● OS Command Injection
● Server Side Request Forgery
● Cross Site Scripting
● Lack of validation
● Local File Inclusion

This talk takes a comprehensive and practical approach at implementing DevSecOps Practices for efficient Application Security.
The attendees would be taught to do source code analysis, mitigation techniques and security practices. Secure code snippets to implement the following practises would be taught:
● Input Sanitisation
● Data transfer Objects
● Parameterized queries
● Stored procedures
● File type validation checks
● Access Controls
● Whitelisting
● Rate Limiting
● Sandboxing
● Shell Escape Mitigations
● Parameter Validation
● Response Validation
● Regex checks
● Authorization Checks

They will in turn have to modify the vulnerable code with secure code snippets, deploy it with docker and test the attack vectors again. We will wrap the session with a Capture the Flag style competition hosted in CTFd platform with multiple challenges on Source code review where the participants will be provided with dockerised challenges to test their attacking and patching skills learned from the talk.
Main Take-Away
Web Fundamentals
Web & API Exploitation
Advanced Vulnerability analysis
Secure Coding Practises
A&D CTF Challenges