| Chapter | Details |
|---|---|
| Partner | Goce Delcev University |
| Title | Web Application Security: Attacks and Best Practices |
| Service | [Insert Service Identifier] |
| Target Group | Web administrators and web developers employed in the public and private sector |
| Format | Workshop |
| Focused on Key Technologies | Damn Vulnerable Web Application (DVWA) and similar deliberately vulnerable PHP/MariaDB web applications; other vulnerable web applications from the OWASP Vulnerable Web Applications Directory; web servers such as USBWebServer and Apache; web application vulnerability scanners such as OWASP ZAP, Greenbone OpenVAS and Website Vulnerability Scanner; the Lighthouse extension for Google Chrome; LLMs such as ChatGPT and DeepSeek |
| Status | In development |
| Stakeholders from SME/PA Side | Public and private sector in the Republic of N. Macedonia |
| Requirements for Participation | Computer engineers, electrical engineers, people with experience as web administrators or web programmers, students of computer science and electrical engineering faculties, and anyone interested in web application security. |
| Estimated Duration | Two days with 8×45 minutes each, or three days with one day of 6×45 minutes and two days of 5×45 minutes |
Description of the Course
Introduction: With the start of the new government, a Ministry for Digital Transformation began to function in Macedonia. Among other things, it is responsible for adopting the new National Cybersecurity Strategy 2025-2028 and the new draft law on the security of networks and information systems. Web application security is an integral part of these documents, so it is of great importance that all Macedonian websites are securely programmed, and that the web servers hosting them are securely configured and have the latest security updates and patches installed.
Technical Context and Examples:
Objective 1: Learning and understanding how different web application attacks are possible and how they are performed, together with how to use secure programming best practices to protect against them.
Objective 2: Learning to use tools that help improve web application security, such as web application vulnerability scanners, LLMs, etc.
Within the training, participants will be introduced to different attacks on HTTP session management, such as session hijacking and session fixation; to Cross-Site Scripting (XSS: Reflected, Stored and DOM-based) and Cross-Site Request Forgery (CSRF); and to several other web application attacks that arise from bad coding, bad configuration and the like, such as SQL Injection (Classic, Blind, Out-of-band), clickjacking, etc. [1]. For that purpose, DVWA [2] (or another vulnerable web application from [4]) will be used on a web server such as [3]. Participants will learn best practices from secure programming. They will also learn how to scan web applications for vulnerabilities using tools such as OWASP ZAP, Greenbone OpenVAS and Website Vulnerability Scanner [5, 6, 7], how to use LLMs to enhance web application security, etc.
Detailed Explanation of Core Concepts: This training covers the most important attacks on web applications, together with secure programming best practices for preventing them. The training emphasizes practical demonstration of attacks rather than purely theoretical knowledge. Participants will work with real-world tools and known vulnerable web applications. The labs are designed in an interactive and layered way: participants can practice against the different security levels (low, medium, high and impossible) of the vulnerable web applications, which demonstrates the pros and cons of different countermeasures. The training incorporates AI and LLMs for improving web application security, in combination with known vulnerability scanners.
Conclusion and Unique Value: The unique value of the course lies in its approach of practically demonstrating known attacks on web applications, together with learning best practices for their prevention. The course combines an important topic, practical interactive labs, and real-world tools into a single, cohesive learning experience. It is designed to be accessible to web programmers and web administrators.
Additional Course Information
| Category | Details |
|---|---|
| Value of Service | Participants will acquire knowledge and skills, including: Skill 1: learning and understanding session management in HTTP and the different attacks against it; Skill 2: learning and understanding different web application attacks; Skill 3: learning to perform different web application attacks manually and automatically on a vulnerable web application such as DVWA; Skill 4: using tools for testing web applications for vulnerabilities; Skill 5: learning and applying best practices from secure programming; Skill 6: learning to use LLMs such as ChatGPT and DeepSeek for static code analysis, AI-assisted dynamic scanning, vulnerability explanation and remediation, etc. |
| Learning Methods Used | Mix of lectures and hands-on exercises, together with group discussions |
| References/Resources | [1] OWASP Top Ten; [2] Damn Vulnerable Web Application (DVWA); [3] USBWebServer; [4] OWASP Vulnerable Web Applications Directory; [5] OWASP ZAP |
| Overview Slides | |