October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Web application defense essentials

Margus Ernits (Rangeforce)
9:00am - 5:00pm Sunday, October 30 - Monday, October 31
Location: Concourse D

Participants should plan to attend both days of this 2-day training. Training passes do not include access to tutorials on Monday.

Prerequisite knowledge

  • A basic understanding of computer architecture, operating systems, and databases (basic SQL)
  • General knowledge of Unix operating systems (how to install and set up basic services)

What you'll learn

  • Learn to recognize and detect common web attacks in your IT environment
  • Learn to set up and configure simple firewalls like mod_security and greenSQL
  • Learn to set up and configure buffering, cookies, settings, etc.
  • Learn to set up and configure intrusion detection systems and block attackers
  • Understand how to choose the right defense tactics and implement them in your IT infrastructure while working under pressure


Usually, IT professionals are highly specialized and really only know their own field. The lack of knowledge and broader view about web application security may give attackers an advantage. Join expert Margus Ernits ​for a hands-­on, in-­depth exploration of web application defense​, as Margus leads you through practical exercises to defend a small enterprise IT infrastructure. Everyone begins with a pre­designed IT environment with different ­built-in vulnerabilities. As simulated cybercriminals start to attack that environment, your task will be to keep all the IT services up and running and defend the infrastructure.

If you’re in DevOps​ and need to setup and secure web applications, a system engineer​ ​and need to protect unsecured web applications, or a web developer and need to develop and deploy secure web applications, this tutorial is for you.


Segment 1: Introduction (60 minutes)

  • Instructors will introduce the LAB system to the participants.
  • Participants will log in­to the LAB system and enumerate hosts and services.
    Assignment: Backup all databases and web application files

Segment 2: Basic attacks (60 minutes)

  • Instructors will start attack engine and deface websites, manipulate databases, and
    perform denial of service attacks against participant-protected infrastructure.
  • Participants will observe attacks using log events and recover from attacks.
    Assignment: Observe log files and collect information about attacks

Break (30 minutes)

Segment 3: Basic attacks (continued) (60 minutes)

  • Instructors will demonstrate how to test HTTPS security and ShellShock.
  • Participants will test and fix CGI application and HTTPS security.
    Assignment: Fix broken SSL setup and find and fix a ShellShock

Lunch (60 minutes)

Segment 4: DDoS mitigation (90 minutes)

  • Instructors will demonstrate how to figure out DDoS type and apply different mitigation
  • Participants will install web proxy and configure database caching.
    Assignment: Hands­-on install of Varnish Cache / measuring a web application performance

Break (30 minutes)

Segment 5: Common web attacks (60 minutes)

  • Instructors will demonstrate how to perform basic web attacks against a vulnerable web
    application (e.g., SQL injection, command injection, XSS, etc.).
  • Participants will configure their unsecured web application and learn how to perform simple
    injection type attacks.
    Assignment: Install vulnerable web application and perform SQL injections and Linux command
    injections, XSS, path traversal, and other attacks

Break (15 minutes)

Segment 6: Common web attacks (continued) (120 minutes)

  • Instructors will demonstrate path traversal, cookie security problems, and CSRF.
  • Participants will find attacks from log files and perform similar attacks.
    Assignment: Find attacks from log files and demonstrate attacks against the vulnerable system

Break (30 minutes)

Segment 7: Application firewalls (90 minutes)

  • Instructors will explain application-layer firewalls and demonstrate how to install SQL
    firewall and web application firewall.
  • Participants will protect their systems with application firewalling.
    Assignment: Install and configure SQL firewall and install and configure web application firewall

Lunch (60 minutes)

Segment 8: Competition (90 minutes)

  • Instructors start a set of small, hands-­on tasks in competition format.
  • Participants will compete to find and fix security vulnerabilities.
    Assignment: Find vulnerabilities in one target and fix several vulnerabilities in own targets

Break (30 minutes)

Segment 9: Recap (60 minutes)

  • Instructors will recap topics and help participants achieve learning objectives.
  • Participants will complete the competition objectives.
    Assignment: Make scoreboard green (all services are up and patched)
Photo of Margus Ernits

Margus Ernits


Margus Ernits is a CTO at RangeForce, where he is the architect of the RangeForce.com Cyber Simulator platform, which discovers, develops, and recruits cyber-talent using a cloud-based e-learning platform that enables users to simulate cyberattacks in complex networks for hands-on, gamified, and adaptive learning. He is also a lecturer at the Estonian IT College. Margus has in-depth experience in GNU Linux and IT security and robotics. He has been nominated three times as a Lecturer of the Year in the Estonian IT College. Margus holds a master of science in engineering in cybersecurity, a joint curriculum from Tallinn University of Technology and the University of Tartu. He is a Barclays TechStar New York 2015 class alumni and a PhD student at Tallinn University of Technology.