AppSec Labs Training Programs / Hacking & Penetration Testing

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Our web sites are under attack on a daily basis and the next security breach is just a matter of time. This intensive hands-on course will teach you how to find those vulnerabilities in your web applications before the bad guys do. The course will introduce the various methods, tools and techniques used by attackers, in order to know how to test for the major security vulnerabilities and how to identify security bugs on real systems, by using live hacking demonstrations and hands-on labs. The objectives of the course are to teach developers and security professionals about the most dangerous vulnerabilities and how to perform security testing, and by that increasing the amount and quality of test cases that can be performed by the auditor.

This course provides intensive hands-on labs using real world applications.

Download Syllabus (PDF)

Get quote

Enroll

Description

This course provides intensive hands-on labs using real world applications.

Topics

Day 1

Information Gathering

Application discovery

Site mapping & web crawling

Server & application fingerprinting

Identifying the entry points

File extensions handling

Page enumeration and brute forcing

Looking for leftovers

Google hacking

Analysis of error code

Injections & Validations

Encoding attacks

Command injection

Code injection

LDAP injection

Log/CRLF injection

Header injection

SMTP injection

XML injection

XPATH injection

Input validation techniques

Blacklist VS. Whitelist input validation bypassing

Day 2

Authentication Vulnerabilities

What is authentication?

Supported authentication types – anonymous, basic, digest, forms, Kerberos, client certificate

Authentication scenarios

User enumeration

Guessing passwords – brute force & dictionary attacks

Direct page requests

Parameter modification

Password reset flaws

Password change flaws

Bypassing weak CAPTCHA mechanisms

Common implementation mistakes – authentication bypassing using SQL injection, LDAP injection, XPATH injection

Authorization Vulnerabilities

What is authorization?

Authorization models – DAC/MAC

RBAC

Authorization bypassing

Canonicalization & path traversal

Parameter tampering

Forceful browsing

Rendering based authorization

Client side validation attacks

Hardening

Business Logic Vulnerabilities

Business flow bypass

Replay attack

Currency manipulation

Business logic attack vectors

Direct access to web services

Day 3

SQL Injection Vulnerabilities

Introduction to SQL command structure

NoSQL injection – Mongo, ORM

Database manipulation

Circumventing authentication

Retrieving data

Inserting data

Deleting data

Attacking availability

Local system access

Discovering vulnerable apps

Error based

Blind

Binary search

Evasion

File Handling Attacks

Path traversal

Canonicalization

Uploaded file backdoors

Insecure file extension handling

Directory listing

File size

File type

Malware upload

Day 4

Cross Site Scripting (XSS) Vulnerabilities

Overview of XSS

XSS Description

Reflected XSS

Stored / persistent XSS

DOM based XSS

XSS Whitelist VS. Blacklist input validation

Discovery approaches – Manual VS. Automatic VS. Semi-automatic

Different XSS scenarios

XSS input validation evasion

Browser Manipulation Techniques

CSRF (Cross Site Request Forgery)

Clickjacking

Open redirects

HTTP response splitting

Day 5

Cryptography Pitfalls

Symmetric cryptography

Asymmetric cryptography

Hashing

Digital signing

PKI / certificate

SSL protocol

SSL cipher suite

Insufficient transport layer protection

Application Denial of Service (DoS) Vulnerabilities

Application / OS crash

CPU starvation

Memory starvation

File system starvation

Resource starvation

Triggering high network bandwidth

User level DoS

Exploiting a specific vulnerability

Zip bomb

Over flows

reDoS

Parsing errors

Attacking Client-Side Applications

HTML5 approach

Client side attacks

Analyze client side source code

Insecure storage

Flash decompile

Crossdomain.xml

CORS requests

Target Audience

Prerequisites

Interested in this course? Have any questions?
Let us know and we’ll get back to you…

Days

108

Topics

100

% Pure Security knowledge!

AppSec Labs Training Programs / Hacking & Penetration Testing

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Description

Topics

Day 1

Information Gathering

Injections & Validations

Day 2

Authentication Vulnerabilities

Authorization Vulnerabilities

Business Logic Vulnerabilities

Day 3

SQL Injection Vulnerabilities

File Handling Attacks

Day 4

Cross Site Scripting (XSS) Vulnerabilities

Browser Manipulation Techniques

Day 5

Cryptography Pitfalls

Application Denial of Service (DoS) Vulnerabilities

Attacking Client-Side Applications

Target Audience

Prerequisites

Interested in this course? Have any questions?
Let us know and we’ll get back to you…

Send us mail

Stay updated, follow us..

AppSec Labs

AppSec Labs Training Programs / Hacking & Penetration Testing

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Description

Interested in this course? Have any questions? Let us know and we’ll get back to you…

Send us mail

Stay updated, follow us..

AppSec Labs

Interested in this course? Have any questions?
Let us know and we’ll get back to you…