Learning Objectives
After completing the course, participants will be able to:
- Understand modern web threats
- Secure PHP / Node / Python applications
- Prevent common attacks
- Audit web application security
- Implement industry best practices
- Work as a Web Security Engineer / Secure Developer
LEVEL 1 — FUNDAMENTAL SECURITY
1. Basic Security Concepts
Topics:
- CIA Triad
- Confidentiality
- Integrity
- Availability
- Authentication vs Authorization
- Hashing vs Encryption
- HTTPS
- Attack Surface
Example explanation
Authentication = who you are
Authorization = what you are allowed to do
Hashing = one-way, no key, used to store passwords; Encryption = reversible with a key, used to protect data in transit or at rest
2. How Attackers Target Web Applications
Common types:
- SQL Injection
- XSS
- CSRF
- Brute force
- File upload exploits
- Session hijacking
- RCE (Remote Code Execution)
3. OWASP TOP 10 (MANDATORY)
The global standard list of web application risks.
Top list (2021 edition):
- Broken Access Control
- Cryptographic Failures
- Injection (XSS is classified under this category)
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- SSRF (Server-Side Request Forgery)
LEVEL 2 — BASIC PRACTICE
4. SQL Injection
Vulnerable PHP example
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users
WHERE username='$username'
AND password='$password'";
Attack
username: admin
password: ' OR '1'='1
The query becomes ... WHERE username='admin' AND password='' OR '1'='1', which is true for every row, so the login succeeds without the password.
Solution: prepared statements
// Placeholders send the values separately from the SQL text, so a quote in the input stays data.
$stmt = $pdo->prepare(
"SELECT * FROM users WHERE username=? AND password=?"
);
$stmt->execute([$username, $password]);
// In real code the password column holds password_hash() output and is checked with password_verify() (section 7), never compared inside SQL.
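The attack above, run end to end as an added example (this is not code from the course material): the vulnerable query and the prepared statement are given the same input against an in-memory SQLite database, so it works offline. It assumes the pdo_sqlite extension; the table, the user and the inputs are constructed for the demo.

```php
<?php
// Added example, not part of the original course material: the attack from the
// text run against an in-memory SQLite database, vulnerable and fixed side by side.
// Assumes the pdo_sqlite extension; table, user and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Plaintext password only to keep the demo short; real code stores password_hash() output.
$pdo->exec("INSERT INTO users (username, password) VALUES ('admin', 'correct horse')");

function login_vulnerable(PDO $pdo, string $username, string $password): ?array {
    // String interpolation: the input becomes part of the SQL text.
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function login_fixed(PDO $pdo, string $username, string $password): ?array {
    // Placeholders: the SQL text is fixed, the values travel separately,
    // so a quote in the input is just a character to compare against.
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The attacker's input from the text.
$username = 'admin';
$password = "' OR '1'='1";

// Vulnerable: the WHERE clause becomes
//   username='admin' AND password='' OR '1'='1'
// which is true for every row, so the admin record comes back without the password.
$row = login_vulnerable($pdo, $username, $password);
echo "vulnerable: ", $row ? "logged in as {$row['username']}" : "rejected", "\n";

// Fixed: the same input matches nothing, because no user has that literal password.
$row = login_fixed($pdo, $username, $password);
echo "fixed:      ", $row ? "logged in as {$row['username']}" : "rejected", "\n";
```

Prepared statements protect values only. Table and column names and ORDER BY clauses cannot be bound, so those must come from an allow-list in code, never from the request.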
5. XSS (Cross-Site Scripting)
Vulnerable example
echo $_GET['nama'];
Attack
<script>alert('hacked')</script>
Solution
// ENT_QUOTES also encodes single quotes (needed inside single-quoted attributes); before PHP 8.1 the default flags did not.
// The charset argument prevents mis-decoding of multi-byte input.
echo htmlspecialchars($_GET['nama'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
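Encoding depends on where the value lands, which the single line above does not show. The following added example (not from the course material; core PHP only, payloads constructed inline) renders the same user-supplied name into an HTML body, an HTML attribute and a script block, raw and then encoded, with a payload tailored to each context.

```php
<?php
// Added example, not part of the original course material: output encoding for
// three contexts, with the attack payloads constructed inline. Core PHP only.
function e(string $s): string {
    // HTML body and attribute context. ENT_QUOTES encodes ' as well as ", which
    // matters inside single-quoted attributes; before PHP 8.1 the default flags did not.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function js(string $s): string {
    // <script> context: htmlspecialchars() is the wrong encoder here. json_encode()
    // yields a valid JS string literal; the HEX flags keep < > & ' " from appearing
    // raw, so the payload can neither end the string nor close the script tag.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function render_profile(string $name, bool $encode): string {
    $h = $encode ? e($name) : $name;
    $j = $encode ? js($name) : '"' . $name . '"';
    return "<p>Hello, $h</p>\n"
         . "<a href='/u' title='$h'>profile</a>\n"
         . "<script>var user = $j;</script>\n";
}

// Constructed attacker inputs, one per context.
$payloads = [
    'body'      => "<script>alert('hacked')</script>",
    'attribute' => "' onmouseover='alert(1)",   // breaks out of a single-quoted attribute
    'script'    => "\"; alert(1); //",          // ends the JS string if inserted raw
];

foreach ($payloads as $ctx => $p) {
    echo "== $ctx payload, raw (vulnerable) ==\n", render_profile($p, false);
    echo "== $ctx payload, encoded (fixed) ==\n", render_profile($p, true);
}
```

Inspect the raw output for each case to see the breakout, then the encoded one: the body payload becomes `&lt;script&gt;...`, the attribute payload's quote becomes `&#039;`, and the script payload is emitted as a JSON string with `\u0022` in place of the quote. URLs in href/src need a further check (reject non-http schemes such as javascript:) that no encoder provides.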
6. CSRF
Attack:
The user is logged in → the attacker gets the victim's browser to submit a forged form, and the browser attaches the session cookie automatically.
Solution: CSRF token
$_SESSION['token'] = bin2hex(random_bytes(32));
form:
<input type="hidden" name="token" value="...">
check:
// hash_equals() compares in constant time; a missing token must also be rejected
if (!isset($_POST['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) die("CSRF");
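The issue-and-check logic as two functions over plain arrays, so it can be exercised without a web server. This is an added example, not code from the course; the sessions and request bodies are constructed.

```php
<?php
// Added example, not part of the original course material: token issue and
// check as functions over the session and POST arrays, so the logic runs
// stand-alone. Sessions and requests below are constructed.

// Called when rendering a form: one token per session, created on first use.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // 256 bits, unguessable
    }
    return $session['csrf'];
}

function csrf_field(array &$session): string {
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Called before handling any state-changing POST.
function csrf_verify(array $session, array $post): bool {
    $expected = $session['csrf'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;   // no token issued yet, or none (or a non-string) submitted: reject
    }
    // Constant-time compare: a plain !== returns as soon as a byte differs and
    // leaks how much of the token the attacker has right.
    return hash_equals($expected, $given);
}

$session = [];
echo csrf_field($session), "\n";   // the hidden field the legitimate form carries

$legit  = ['token' => $session['csrf'], 'amount' => '100'];
$forged = ['amount' => '100'];                               // attacker's form: cannot know the token
$guess  = ['token' => str_repeat('a', 64), 'amount' => '100'];
$array  = ['token' => ['x'], 'amount' => '100'];              // token[]=x: type juggling attempt

echo "legitimate submit: ", csrf_verify($session, $legit)  ? "accepted" : "rejected", "\n";
echo "forged submit:     ", csrf_verify($session, $forged) ? "accepted" : "rejected", "\n";
echo "guessed token:     ", csrf_verify($session, $guess)  ? "accepted" : "rejected", "\n";
echo "array token:       ", csrf_verify($session, $array)  ? "accepted" : "rejected", "\n";
```

Regenerate the token together with the session ID on login (section 8), and keep the SameSite cookie attribute as a second layer: the token is what protects you when a subdomain or an older browser sends the cookie cross-site anyway.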
7. Password Security
DON'T:
md5()
sha1()
USE:
password_hash($pass, PASSWORD_DEFAULT);
password_verify($pass, $hash);
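Why md5() is the wrong tool and how the password_* API is used over the whole account lifetime, as an added example (not the course's code). The passwords and the cost policy are constructed values.

```php
<?php
// Added example, not part of the original course material: why md5() fails
// and how the password_* API is used end to end. Passwords and the cost
// policy are constructed values.
$password = 'Tr0ub4dor&3';

// md5: unsalted and fast. Two users with the same password get the same hash,
// so one cracked hash (or a precomputed table) reveals every matching account.
echo "md5 user A:  ", md5($password), "\n";
echo "md5 user B:  ", md5($password), "\n";

// password_hash: a random salt per call, so equal passwords give different
// hashes, and a deliberately slow algorithm (currently bcrypt for PASSWORD_DEFAULT).
$hashA = password_hash($password, PASSWORD_DEFAULT);
$hashB = password_hash($password, PASSWORD_DEFAULT);
echo "hash user A: $hashA\n";
echo "hash user B: $hashB\n";

// Verification reads the algorithm, cost and salt back out of the stored hash.
function check_login(string $storedHash, string $attempt): bool {
    return password_verify($attempt, $storedHash);
}
echo "correct password: ", check_login($hashA, $password)    ? "ok" : "fail", "\n";
echo "wrong password:   ", check_login($hashA, 'password123') ? "ok" : "fail", "\n";

// Raising cost over time: after a successful login (the only moment you hold
// the plaintext) rehash if the stored hash is weaker than the current policy.
const HASH_OPTIONS = ['cost' => 12];   // constructed policy; tune so one hash takes ~100 ms on your hardware
function maybe_rehash(string $storedHash, string $plaintext): ?string {
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        return password_hash($plaintext, PASSWORD_DEFAULT, HASH_OPTIONS);   // store this in place of the old hash
    }
    return null;   // already up to policy
}
$legacy = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);   // an old, cheap hash from years ago
echo "legacy hash needs rehash: ", maybe_rehash($legacy, $password) !== null ? "yes" : "no", "\n";
```

Store the full string password_hash() returns (about 60 characters for bcrypt, longer for Argon2) in a column wide enough for future algorithms, and never truncate it.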
LEVEL 3 — AUTH & SESSION SECURITY
8. Session Hijacking
Problems:
- cookie theft
- session fixation (the attacker plants a session ID the victim then logs in with)
Solution:
// right after a successful login: issue a new ID and delete the old one
session_regenerate_id(true);
Set the cookie (must be called before session_start()):
session_set_cookie_params([
'httponly'=>true,
'secure'=>true,
'samesite'=>'Strict'
]);
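A session bootstrap plus login and logout that put the settings above in the right order, as an added example (not the course's code). It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(); the 30-minute idle limit is a constructed policy.

```php
<?php
// Added example, not part of the original course material: session bootstrap
// and login/logout flow using the settings from this section. Assumes PHP 7.3+
// (array forms of session_set_cookie_params() and setcookie()); the 30-minute
// idle limit is a constructed policy.
function start_secure_session(): void {
    // Cookie parameters only affect cookies PHP is about to send, so set them first.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,       // only over HTTPS, so it cannot be sniffed
        'httponly' => true,       // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Strict',   // not sent on cross-site requests (also helps against CSRF)
    ]);
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
    session_start();

    // Idle timeout: a stolen cookie is only useful while the session is active.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// Call only after password_verify() succeeded.
function login_session(int $userId): void {
    // A fresh ID at the moment of privilege change defeats fixation: whatever ID
    // the attacker planted before login is discarded (true = delete the old data).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logout_session(): void {
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical request flow (constructed):
start_secure_session();
if (!isset($_SESSION['user_id'])) {
    // show the login form; after a successful password_verify():
    // login_session($row['id']);
}
```

Regenerate the ID again on any other privilege change (password change, role change) and call logout_session() on password reset so older sessions of the same account cannot survive a compromise.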
9. JWT Security
Topics:
- token
- refresh token
- expiry
- secret key
Common mistakes:
- leaked or weak (guessable) secret
- long expiry
- trusting the token's own alg header instead of pinning the algorithm server-side
10. Role & Permission System
RBAC:
- admin
- user
- editor
Middleware:
// deny when the role is missing, not only when it is the wrong one
if (($_SESSION['role'] ?? null) !== 'admin') {
die("Forbidden");
}
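Checking a role name per route is the minimum; most Broken Access Control findings are object-level (user A edits user B's record). The following added example (not the course's code; roles, permissions and the sample session and post are constructed) maps roles to permissions and adds the ownership check.

```php
<?php
// Added example, not part of the original course material: a permission map
// instead of role names scattered through the code, plus an object-level
// check, which is where most Broken Access Control bugs live. Roles,
// permissions and the sample sessions/post are constructed.
const PERMISSIONS = [
    'admin'  => ['post.read', 'post.write', 'post.publish', 'post.edit_any', 'user.manage'],
    'editor' => ['post.read', 'post.write', 'post.publish'],
    'user'   => ['post.read', 'post.write'],
];

// Deny by default: an unknown or missing role has no permissions at all.
function can(array $session, string $permission): bool {
    $role = $session['role'] ?? '';
    return in_array($permission, PERMISSIONS[$role] ?? [], true);
}

// Middleware-style guard for a route.
function require_permission(array $session, string $permission): void {
    if (!can($session, $permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Object-level check: post.write is not enough, the caller must own the post
// unless they hold post.edit_any. Skipping this step is the classic IDOR.
function can_edit_post(array $session, array $post): bool {
    if (!can($session, 'post.write')) {
        return false;
    }
    return can($session, 'post.edit_any')
        || (isset($session['user_id']) && $post['author_id'] === $session['user_id']);
}

$alice = ['user_id' => 1, 'role' => 'user'];
$bob   = ['user_id' => 2, 'role' => 'user'];
$admin = ['user_id' => 3, 'role' => 'admin'];
$anon  = [];
$post  = ['id' => 10, 'author_id' => 1];   // written by alice

foreach (['alice' => $alice, 'bob' => $bob, 'admin' => $admin, 'anon' => $anon] as $who => $s) {
    echo str_pad($who, 6), " edit post 10: ", can_edit_post($s, $post) ? "allowed" : "denied", "\n";
}
```

Run the object-level check on every write path that takes an ID from the request (edit, delete, download), not only on the page that renders the form.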
LEVEL 4 — ADVANCED ATTACKS
11. File Upload Exploits
Attack:
shell.php.jpg
A PHP web shell hidden behind a double extension: a check that only looks for ".php" at the end lets it through, and some server configurations (Apache's AddHandler for .php matches the extension anywhere in the name) execute it.
Solution:
$allowed = ['jpg', 'png', 'pdf'];
// compare the LAST extension, lower-cased, against this list, and verify the content with finfo, not just the name
Rename the file:
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));   // only after it passed the $allowed check
$new = bin2hex(random_bytes(16)) . '.' . $ext;   // random name; uniqid() is time-based and guessable, and forcing .jpg on a PDF breaks it
Store it in a non-public folder (outside the web root) and serve it through a script.
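An upload handler that applies all three controls (content check, random name, non-public storage) and the matching download script, as an added example that is not the course's code. It assumes the fileinfo extension; the upload directory, size limit and allow-list are constructed policy.

```php
<?php
// Added example, not part of the original course material: an upload handler
// that validates content, not just the file name, and stores under a random
// name outside the web root. Assumes the fileinfo extension; directory,
// allow-list and size limit are constructed policy. $file is one entry of $_FILES.
const UPLOAD_DIR      = '/var/app/uploads';   // constructed path; must not be served by the web server
const MAX_UPLOAD_SIZE = 2 * 1024 * 1024;       // 2 MiB
// Extension and sniffed MIME type must agree; both are checked against this list.
const ALLOWED_TYPES   = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Returns the stored file name, or throws with a reason the caller can log.
function store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_UPLOAD_SIZE) {
        throw new RuntimeException('file too large');
    }
    // Only accept files PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Extension: the LAST one, lower-cased. "shell.php.jpg" yields "jpg"; because
    // the file is renamed below, the ".php" in the middle never reaches disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }

    // Content: sniff the real type from the bytes; $file['type'] comes from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Random, unguessable name; the original name is never used on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not move file');
    }
    return $stored;   // keep the original name in the database if it must be displayed
}

// Serve through a script: the web server never executes uploads, and the
// Content-Type comes from our allow-list rather than from the bytes.
function send_upload(string $stored): void {
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|pdf)$/', $stored)) {
        http_response_code(404);   // blocks ../ and any name store_upload() did not create
        exit;
    }
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    readfile(UPLOAD_DIR . '/' . $stored);
}
```

The MIME sniff is a filter, not a guarantee: a polyglot file can carry a valid image header and PHP code at the same time. The controls that settle the matter are the rename (no .php ever lands on disk) and the storage location (nothing in that directory is reachable, let alone executable, through the web server).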
12. Remote Code Execution
Dangerous:
eval($_GET['cmd']);
system($_GET['cmd']);
Never pass user input to these (the same applies to exec(), shell_exec(), passthru(), backticks, and include/require with a user-controlled path).
13. Command Injection
Example:
system("ping ".$_GET['ip']);
Attack: ip=127.0.0.1; cat /etc/passwd (the shell runs the second command too)
Solution:
Validate first (filter_var($ip, FILTER_VALIDATE_IP)), then quote with escapeshellarg(), or avoid the shell entirely by passing an argument array to proc_open().
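The ping handler from section 13 in a vulnerable and a fixed form, as an added example that is not the course's code. The inputs are constructed; the first two functions return the command string instead of running it, so the effect of each input is visible without network access. The last function shows the shell-free variant and is the one to use when you do need to run the program.

```php
<?php
// Added example, not part of the original course material: the ping handler
// from section 13 in vulnerable and fixed form. Inputs are constructed; the
// command builders return the string so the effect is visible without running ping.
function ping_command_vulnerable(string $ip): string {
    return "ping -c 1 " . $ip;   // raw concatenation into a shell command line
}

function ping_command_fixed(string $ip): string {
    // 1. Validate against the expected shape; reject anything that is not an IP address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    // 2. Quote anyway (defense in depth) so the shell sees exactly one argument.
    return "ping -c 1 " . escapeshellarg($ip);
}

$inputs = [
    '127.0.0.1',                    // legitimate
    '127.0.0.1; cat /etc/passwd',   // classic command injection
    '$(id)',                        // command substitution
    '-f',                           // argument injection: a ping option, not a host
];

foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  vulnerable: ", ping_command_vulnerable($in), "\n";
    try {
        echo "  fixed:      ", ping_command_fixed($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  fixed:      rejected (", $e->getMessage(), ")\n";
    }
}

// escapeshellarg() alone is not enough: it neutralises shell metacharacters, but a
// quoted value beginning with "-" is still handed to ping as an option. That is why
// validation comes first and quoting second.
echo "quoted but not validated: ping -c 1 ", escapeshellarg('-f'), "\n";

// Best: skip the shell. proc_open() with an argv array (PHP 7.4+) starts the
// program directly, so no shell ever parses attacker data. Validation still
// applies, because ping itself would interpret "-f".
function run_ping(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $proc = proc_open(['ping', '-c', '1', $ip], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

The same pattern applies to any external program: validate the value against the narrowest shape that serves the feature, then avoid the shell or quote every argument separately.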
LEVEL 5 — SERVER SECURITY
14. HTTPS & SSL/TLS
- TLS
- Let’s Encrypt
- HSTS
15. Security Headers
Add these headers:
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 0");   // the browser XSS auditor this switched on has been removed; "1" is obsolete and could itself be abused, so rely on CSP instead
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: default-src 'self'");
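One function that sends the headers above, adds HSTS and a Referrer-Policy, and issues a per-response CSP nonce so your own inline scripts can run without 'unsafe-inline'. This is an added example, not the course's code; the policy values are constructed and should be adjusted to what your pages actually load.

```php
<?php
// Added example, not part of the original course material: the security headers
// from this section plus HSTS, with a per-request CSP nonce so inline scripts can
// be allowed without 'unsafe-inline'. Policy values are constructed; tune the CSP
// to the origins your pages actually load from.
function send_security_headers(): string {
    // Nonce: fresh per response, unguessable, echoed on the <script> tags we ship.
    $nonce = base64_encode(random_bytes(16));

    header("Content-Security-Policy: "
        . "default-src 'self'; "
        . "script-src 'self' 'nonce-$nonce'; "   // inline scripts run only with this nonce
        . "object-src 'none'; "                  // no plugins
        . "base-uri 'self'; "                    // no <base> hijack of relative URLs
        . "frame-ancestors 'none'");             // modern replacement for X-Frame-Options
    header("X-Frame-Options: DENY");             // kept for browsers without frame-ancestors support
    header("X-Content-Type-Options: nosniff");   // no MIME sniffing of scripts and downloads
    header("X-XSS-Protection: 0");               // legacy auditor removed; CSP covers this
    header("Referrer-Policy: strict-origin-when-cross-origin");
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        // HSTS is only honoured over HTTPS; a year, subdomains included.
        header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
    }
    header_remove("X-Powered-By");               // do not advertise the PHP version
    return $nonce;
}

$nonce = send_security_headers();
?>
<!doctype html>
<html><body>
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">console.log('runs: carries the nonce');</script>
<script>console.log('blocked by CSP: no nonce');</script>
</body></html>
```

Deploy a new CSP in report-only mode first (Content-Security-Policy-Report-Only with a report-to endpoint) to find the resources it would block, and note that the nonce must never be reused across responses or the allow-list is meaningless.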
16. Rate Limiting
Prevents brute force.
Track login_attempts per account and per source IP.
Block (or delay) once the count exceeds 5 within the window.
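A limiter that counts failures per account and per IP in a fixed window, as an added example that is not the course's code. Storage is an in-memory array here so it runs stand-alone; the limits and the attack sequence are constructed, and it assumes PHP 8 for constructor property promotion.

```php
<?php
// Added example, not part of the original course material: a fixed-window
// login limiter keyed by account and by client IP. Storage is an in-memory
// array so the logic runs stand-alone; in production back it with Redis,
// APCu or a DB table shared by all app servers. Limits are constructed. PHP 8+.
class LoginRateLimiter {
    private array $buckets = [];   // key => ['count' => int, 'window_start' => int]

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,   // 15 minutes
    ) {}

    private function keys(string $username, string $ip): array {
        return ['user:' . strtolower($username), 'ip:' . $ip];
    }

    // True if this attempt may proceed; false if the account or the IP is blocked.
    public function allow(string $username, string $ip, int $now): bool {
        foreach ($this->keys($username, $ip) as $k) {
            $b = $this->buckets[$k] ?? null;
            if ($b !== null
                && $now - $b['window_start'] < $this->windowSeconds
                && $b['count'] >= $this->maxAttempts) {
                return false;
            }
        }
        return true;
    }

    // Record a failed login against both keys.
    public function fail(string $username, string $ip, int $now): void {
        foreach ($this->keys($username, $ip) as $k) {
            $b = $this->buckets[$k] ?? null;
            if ($b === null || $now - $b['window_start'] >= $this->windowSeconds) {
                $this->buckets[$k] = ['count' => 1, 'window_start' => $now];
            } else {
                $this->buckets[$k]['count']++;
            }
        }
    }

    // A successful login clears the account counter; the IP counter stays,
    // so password spraying across many accounts from one address is still limited.
    public function success(string $username): void {
        unset($this->buckets['user:' . strtolower($username)]);
    }
}

// Constructed attack: 7 wrong passwords for admin from one IP, one more from a
// second IP (the per-account limit also stops attackers who rotate addresses),
// then a retry after the window has passed.
$rl = new LoginRateLimiter();
$t  = 1_700_000_000;
for ($i = 1; $i <= 7; $i++) {
    $allowed = $rl->allow('admin', '203.0.113.5', $t + $i);
    echo "attempt $i from 203.0.113.5: ", $allowed ? "checked, wrong password" : "BLOCKED", "\n";
    if ($allowed) {
        $rl->fail('admin', '203.0.113.5', $t + $i);
    }
}
echo "attempt from 203.0.113.9, same user: ", $rl->allow('admin', '203.0.113.9', $t + 8) ? "checked" : "BLOCKED", "\n";
echo "admin retry after the window:       ", $rl->allow('admin', '203.0.113.5', $t + 901) ? "checked" : "BLOCKED", "\n";
```

Return the same generic "invalid credentials" message whether the attempt was blocked or merely wrong, log the block events (section 17), and take the client IP from the connection or a trusted proxy header only, never from a header the client can set.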
17. Logging & Monitoring
Log:
- logins (successes and failures)
- errors
- admin actions
Tools:
- ELK
- Grafana
LEVEL 6 — SECURE CODING PRACTICE
18. Input Validation
filter_input()
Whitelist > blacklist (accept only known-good values instead of trying to list every bad one).
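Validation of a listing request with filter_var() and explicit allow-lists, as an added example that is not the course's code. It runs on a constructed request array so it works without a web server; in a real handler use filter_input(INPUT_GET, ...) with the same filters.

```php
<?php
// Added example, not part of the original course material: validating a
// listing request with filter_var() and explicit allow-lists, on a constructed
// request array (in a real handler: filter_input(INPUT_GET, ...) with the same
// filters). Returns clean, typed values or throws; nothing from the request is used raw.
function validate_list_request(array $q): array {
    // Integers with bounds: "abc", "-1" and "1e9" are rejected, not coerced.
    $page = filter_var($q['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    $per  = filter_var($q['per_page'] ?? 20, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($page === false || $per === false) {
        throw new InvalidArgumentException('bad paging');
    }

    // Sort column: allow-list, then map to the real SQL. Never pass the request
    // value into ORDER BY, even with a prepared statement (identifiers cannot be bound).
    $sortMap = ['newest' => 'created_at DESC', 'title' => 'title ASC'];
    $sortKey = $q['sort'] ?? 'newest';
    if (!is_string($sortKey) || !isset($sortMap[$sortKey])) {
        throw new InvalidArgumentException('bad sort');
    }

    // Free text: length-limited and free of control characters. Escaping is NOT
    // done here but at output (section 5), because the same value goes to SQL
    // (bound), HTML (htmlspecialchars) and logs, each with its own encoding.
    $search = $q['q'] ?? '';
    if (!is_string($search) || strlen($search) > 100 || preg_match('/[\x00-\x1F\x7F]/', $search)) {
        throw new InvalidArgumentException('bad search text');
    }

    // Email, when present: a syntax check only; ownership still needs a confirmation mail.
    $email = null;
    if (isset($q['email'])) {
        $email = filter_var($q['email'], FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            throw new InvalidArgumentException('bad email');
        }
    }

    return ['page' => $page, 'per_page' => $per, 'order_by' => $sortMap[$sortKey],
            'q' => $search, 'email' => $email];
}

// Constructed requests: one valid, the rest each failing one rule.
$requests = [
    ['page' => '2', 'per_page' => '50', 'sort' => 'title', 'q' => 'php security'],
    ['page' => '-1'],                              // out of range
    ['sort' => 'title; DROP TABLE posts'],          // not in the allow-list
    ['q' => "abc\x00def"],                          // embedded NUL
    ['q' => ['array', 'instead', 'of', 'string']],  // q[]=... type confusion
    ['email' => 'not-an-email'],
];
foreach ($requests as $r) {
    try {
        echo "ok:       ", json_encode(validate_list_request($r)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), " for ", json_encode($r), "\n";
    }
}
```

Validation narrows what reaches the application; it does not replace output encoding or parameterised queries, which handle the remaining characters safely in their own context.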
19. Security Architecture
Layers:
- frontend
- backend
- DB
- server
- network
20. Security Testing
Tools:
- Burp Suite
- OWASP ZAP
- Nikto
- Nmap
Practice:
scan your own web application (only systems you own or are authorised to test).
LEVEL 7 — PENTEST BASICS
21. Recon
- subdomains
- open ports
- directory scanning
Tools:
dirsearch
nmap
22. Exploit Practice Lab
Use:
- DVWA
- Juice Shop
- HackTheBox
LEVEL 8 — ADVANCED SECURITY ENGINEER
23. JWT attacks
24. SSRF
25. Deserialization attacks
26. API security
27. Cloud security
28. Docker security
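For sections 9 (JWT Security) and 23 (JWT attacks), an added example that is not the course's code: a minimal HS256 sign/verify pair whose three checks are exactly the ones the common JWT attacks rely on being absent (algorithm pinning, constant-time signature comparison, expiry), exercised against a genuine token, an alg:none token, a tampered payload, a token signed with a guessed secret, and an expired token. The secret, claims and forged tokens are constructed; it assumes PHP 8.

```php
<?php
// Added example, not part of the original course material: a minimal HS256 JWT
// sign/verify pair with the checks made explicit that the common JWT attacks
// (section 23) exploit when missing. Secret, claims and forged tokens are
// constructed. PHP 8+.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $s): ?string {
    $pad = strlen($s) % 4;
    if ($pad) {
        $s .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($s, '-_', '+/'), true);   // strict: any stray character fails
    return $out === false ? null : $out;
}

function jwt_sign(array $claims, string $secret): string {
    $input = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.'
           . b64url_encode(json_encode($claims));
    return $input . '.' . b64url_encode(hash_hmac('sha256', $input, $secret, true));
}

// Returns the claims of a valid token, null otherwise. Every failure is plain
// null: callers should not learn why, so the verifier cannot be used as an oracle.
function jwt_verify(string $token, string $secret, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // 1. Pin the algorithm server-side. Honouring the header's alg is what enables
    //    "alg":"none" (unsigned tokens) and HS256/RS256 key-confusion attacks.
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // 2. Recompute the MAC and compare in constant time.
    $given    = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if ($given === null || !hash_equals($expected, $given)) {
        return null;
    }

    // 3. Only now look at the claims; a missing or past exp is a rejection.
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

$secret = random_bytes(32);   // production: from a secret store, high entropy, rotated, never in git
$now    = time();
$token  = jwt_sign(['sub' => 42, 'role' => 'user', 'exp' => $now + 900], $secret);   // 15-minute lifetime
$adminClaims = ['sub' => 42, 'role' => 'admin', 'exp' => $now + 900];
[$hdr, , $sig] = explode('.', $token);

$cases = [
    'genuine token'            => $token,
    'alg:none, no signature'   => b64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . '.'
                                  . b64url_encode(json_encode($adminClaims)) . '.',
    'payload swapped to admin' => $hdr . '.' . b64url_encode(json_encode($adminClaims)) . '.' . $sig,
    'signed with guessed key'  => jwt_sign($adminClaims, 'secret'),
];
foreach ($cases as $name => $t) {
    $claims = jwt_verify($t, $secret, $now);
    echo str_pad($name, 26), ": ", $claims ? "accepted as role={$claims['role']}" : "rejected", "\n";
}
echo str_pad('genuine token after exp', 26), ": ", jwt_verify($token, $secret, $now + 901) ? "accepted" : "rejected", "\n";
```

Keep access tokens short-lived (minutes) and issue refresh tokens separately, stored server-side so they can be revoked; a JWT by itself cannot be revoked before exp, which is why a long expiry is listed as a mistake in section 9.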
PRACTICAL PROJECTS (MANDATORY FOR THE CLASS)
Project 1
Build a secure login.
Project 2
Audit a vulnerable web application.
Project 3
Harden a server.
Project 4
Mini pentest.
TEACHING SYLLABUS STRUCTURE (8 WEEKS)
Week 1
Basic security
Week 2
SQL injection
Week 3
XSS + CSRF
Week 4
Auth security
Week 5
File upload attacks
Week 6
Server security
Week 7
Pentest tools
Week 8
Final project: web application audit