WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

Transcription

1 The most practical and comprehensive training course on Web App Penetration testing WAPT in pills: Self-paced, online, flexible access interactive slides 4+ hours of video materials Learn the most advanced Web Application Attacks Integrated with Coliseum Lab 24 Educational Coliseum labs 16 real world web applications to pentest in Coliseum Lab Learn newest HTML5 Attacks Dedicated BeEF Manual Leads to 100% practical ewpt certification Prepares for real world Web App Penetration testing job elearnsecurity has been chosen by students in 113 countries in the world and by leading organization such as:

2 The Web Application Penetration Testing course (WAPT) is the online, self-paced training course that provides all the necessary advanced skills to carry out a thorough and professional penetration test against modern web applications. Thanks to the extensive use of Coliseum Lab and the coverage of the latest researches in the web application security field, the WAPT course is not only the most practical training course on the subject but also the most up to date. The course, although based on the offensive approach, contains, for each chapter, advices and best practices to solve the security issues detected during the penetration test. The WAPT training course benefits the career of penetration testers and IT Security personnel in charge of defending their organization web applications. This course allows organizations of all sizes assess and mitigate the risk at which their web applications are exposed, by building strong, practical in-house skills. Penetration testing companies can train their teams with a comprehensive and practical training course without having to deploy internal labs that are often outdated and not backed by solid theoretical material The student willing to enroll in the course must possess a solid understanding of web applications and web application security models. No programming skills are required, however snippets of Javascript/HTML/PHP code will be used during the course. The WAPT course leads to the ewpt certification. The certification can be obtained by successfully completing the requirements of a 100% practical exam consisting in a penetration test of a real world complex web application hosted in our elearnsecurity Hera labs. An ewpt voucher is included in all the plans of the WAPT course. 2

3 The WAPT course is integrated with Coliseum Lab: the most advanced virtual lab on web application security available today, with sandboxed vulnerable web applications run on-the-fly within the elearnsecurity cloud infrastructure. Only a web browser and an internet connection are required to access the lab. Each sandbox will be exclusive and dedicated to the student. The student will be able to start, stop and reset each scenario at any time. WAPT course comes with 40 different labs in two different typologies: Educational labs These are guided scenarios with small tasks to be performed in order to understand in practice what has been studied in theory. These labs contain step by step instructions in PDF manuals. Educational labs are available in all the modules of the WAPT course. There are 24 different educational labs available in WAPT Penetration testing labs The Penetration testing labs are included in the Coliseum WAPT package (former WAS360) featuring 16 different website scenarios modeled after real world websites that the student will encounter during his career. The student will perform penetration tests against these increasing difficult scenario to self-assess and practice the acquired testing skills during the training course. By successfully completing all the labs in this package the student will have acquired enough experience to attempt the certification exam. There are 16 different educational labs available in WAPT The number of labs available for this training course increases over time as new updates are available and as new scenarios are added on the platform. Please refer to the course home page for an up to date list of labs. 3

4 The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort. - Module 1: Introduction Web Application Essentials - Module 2: Penetration Testing Process - Module 3: Information Gathering - Module 4: Cross Site Scripting - Module 5: SQL Injection - Module 6: Session Security and Attacks - Module 7: Flash security - Module 8: Authentication - Module 9: HTML5 and New Frontiers - Module 10: Common Vulnerabilities - Module 11: Web Services - Module 12 : XPath Injection - Module 13 : Va & Exploitation tools All modules come in slides + video format. Modules can be accessed from within the elearnsecurity Members area. Labs are referenced within the slides in order to suggest the correct learning path to follow. 4

5 During this introductory module the student will understand the basics of Web applications. An in-depth coverage of the Same Origin Policy in its latest developments and the Cookie RFC will help experienced and nonexperienced penetration testers gain critical foundational skills useful for the rest of the training course. At the end of the module the student will become familiar with Burp Suite and its basic configuration. It s a light necessary introduction for an heavily practical, advanced training course. 1. Introduction 1.1. HTTP Protocol Basics Header and Body Requests Responses 1.2. Encoding Introduction Charsets ASCII Charset Unicode Charset Charset vs. Charset Encoding Encoding in Latin Encoding in Unicode Encoding in HTML URL Encoding HTML Entities (HTML Encoding) Base Same Origin (SOP) Introduction Origin What does Sop protect from? How SOP works Exceptions Window.location Examples Security Issues Document.domain Cross window messaging Cross Origin Resource Sharing 1.4. Cookies Cookies Domain Specified Cookie domain Unspecified Cookie domain Internet Explorer exception Inspecting the cookie protocol Correct cookie installation Incorrect cookie installation 1.5. Sessions 1.6. Web Application Proxies Burp Proxy Configuration 5

6 This module helps Penetration tester gain confidence with the processes and legal matters involved in a penetration testing engagement. The student will learn the methodologies and the reporting best practice in order to become a confident and professional penetration tester. 2. Penetration Testing Process 2.1. Pre-engagement Rules of engagement The goal and scope Goal Scope of engagement Time-table Liabilities and responsibilities NDA The Emergency plan The allowed techniques The deliverables 2.2. Methodologies PTES OSSTMM OWASP Testing Guide 2.3. Reporting This is a wealth of information useful throughout the entire career of a penetration tester. 6

7 Let the Penetration test start. Every penetration test begins with the Information gathering phase. This is where a penetration tester understands the application under a functional point of view and collects useful information for the following phases of the engagement. A multitude of techniques will be used in order to collect behavioral, functional, applicative and infrastructural information. The student will use a variety of tools to retrieve readily available information from the target. 3. Information Gathering 3.1. Gathering Information on Target Finding Owner, IP addresses, s WHOIS DNS Nslookup 3.2. Infrastructure Fingerprinting the Web Server Modules Enumerating subdomains Bing Subdomainer Zone Transfer Finding Virtual Hosts Hostmap 3.3. Fingerprinting Frameworks and Applications Fingerprinting Third-Party Add-Ons 3.4. Fingerprinting Custom Applications Mapping the Attack Surface 3.5. Enumerating Resources Crawling the Website Finding Hidden Files Back Up and Source Code File Enumerating Users Accounts with Burp Attack Preparation: Spotting the differences 3.6. Relevant Information through Misconfiguration Directory Listing Log and Configuration Files 3.7. Google Hacking Coliseum Labs included in this module 7

8 The most widespread web application vulnerability will be dissected and studied in all its parts. At first you will be provided with theoretical explanation. This understanding will help you in the exploitation and remediation process. Later you will master all the techniques to find XSS vulnerabilities through black box testing. 4. XSS 4.1. Cross site scripting Basics 4.2. Anatomy of a XSS exploitation 4.3. The three types of XSS Reflected XSS Persistent XSS DOM-based XSS 4.4. Finding XSS Finding XSS in PHP code 4.5. XSS Exploitation XSS, Browsers and same origin policy Real world attacks Cookie stealing through XSS Defacement 4.6. Advanced phishing attacks Coliseum Labs included in this module 8

9 This module will contain the most advanced techniques to find and exploit SQL Injections. From the explanation of the most basic SQL injection up to the most advanced. Advanced methods will be taught with real world examples and the best tools will be demonstrated on real targets. You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL Injection techniques. 5. SQL Injection 5.1. Introduction to SQL Injection Dangers of a SQL Injection How SQL Injection works 5.2. How to find SQL injections How to find SQL injections Finding Blind SQL Injections 5.3. SQL Injection Exploitation Exploiting Union SQL Injections 5.4. Exploiting Error Based SQL Injections Dumping database data Reading remote file system Accessing the remote network 5.5. Exploiting Blind SQL Injection Optimized Blind SQL Injections Time Based SQL Injections 5.6. Tools Advanced SQLmap usage and other tools Tools taxonomy Coliseum Labs included in this module 9

10 Session related vulnerabilities will be the subject of this module with extensive coverage of the most common attacking patterns. Code samples on how to prevent session attacks are provided in PHP, Java and.net At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications. 6. Session Security 6.1. Weakness of Session Identifier 6.2. Understanding Session Hijacking Session Hijacking Introduction Session Hijacking through XSS Preventing Session Hijacking through XSS PHP Java NET Session Hijacking through Packet Sniffing Session Hijacking through Access to the Web Server PHP Java NET 6.3. Session Fixation Session Fixation Attacks Preventing Session Fixation PHP NET Java Coliseum Labs included in this module 10

11 Flash, although a dying technology, is still present on millions of websites online. Flash files can expose a web application and its users to a number of security risks that will be covered within this module. The student will first study the Flash security model and its pitfalls. Then will use the most recent tools to find and exploit vulnerabilities in Flash files. After having studied this module, students will never look at SWF files the same way. 7. Flash 7.1. Introduction Actionscript Compiling and decompiling Embedding Flash in HTML The allowscriptaccess Attribute Passing arguments to Flash Files 7.2. Flash Security model Sandboxes Stakeholders Administration Role User role Website role URL policy file Author role Calling Javascript from Actionscript Calling Actionscript from Javascript Method NavigateToURL Local Shared Objects 7.3. Flash Vulnerabilities Flash parameter injection Fuzzing Flash with SWFInvestigator Finding Hardcoded sensitive information 7.4. Pentesting Flash Applications Analyzing client side components Identifying communication protocol Analyzing server side components Coliseum Labs included in this module 11

12 Any application with a minimum of complexity requires authentication at some point. Chances are that the authentication mechanisms in place are not sufficient or are simply broken, exposing the organization at serious security issues leading to a complete compromise of the web application and the data it stores. During this module the student will learn the most common authentication mechanisms, their weaknesses and the related attacks. From Inadequate password policies to weaknesses in the implementation of common features. 8. Authentication 8.1. Introduction Authentication vs. Authorization Authentication factors Single-factor Authentication Two-factor Authentication 8.2. Common Vulnerabilities Credentials Over Unencrypted Channel Inadequate Password Policy Dictionary Attack Brute Force Attack Preventing Inadequate Password Policy Strong Passwords Storing Hashes Blocking Requests User Enumeration Examples Taking Advantage of User Enumeration Default or (easily) Guessable User Accounts Typical default credentials Default User Accounts Remember me feature Cache Browser Method Cookie Method Web Storage method Best defensive techniques Password reset Easily guessable answers Unlimited Attempts Password reset link Guessable Recyclable Predictable Secret questions Logout Weaknesses Incorrect Session Destruction 8.3. Bypassing Authentication Direct page request (Forced browsing) 12

13 Best defensive techniques Parameter modification An example of vulnerable web application Best defensive techniques Incorrect Redirection Using redirect to protect contents Are the contents really protected? A typical vulnerable WebApp Best defensive techniques SessionID prediction SQL Injection A vulnerable authentication form Exploitation through SQL Injection Coliseum Labs included in this module

14 This module is an extremely indepth coverage of all the attack vectors and weaknesses introduced by drafted as well as finalized W3C new standards and protocols. We will go through the most important elements of HTML5 and especially the new CORS paradigm that completely changes the way the SOP is applied to most modern web applications. By mastering this module in theory and practice the student will possess an arsenal of penetration testing techniques that are still unknown to the vast majority of penetration testers. A number of Coliseum labs are available to practice all the aspects covered within this module. This module brings penetration testers skills to the next level with next generation attack vectors that are going to affect web applications for the next decade. 9. HTML5 and New Frontiers 9.1. Cross Origin Resource Sharing (CORS) Same Origin Policy Issue Cross-Domain Policy in Flash Cross Origin Resource Sharing Cross Origin Ajax Request Cross Origin Requests Simple Requests Preflighted requests Request with Credentials Control Access Headers Header Access-Control- Allow-Origin Header Access-Control- Allow-Credentials Header Access-Control- Allow-Headers Header Access-Control- Allow-Methods Header Access-Control- Max-Age Header Access-Control- Expose-Headers Header Origin Header Access-Control- Request-Method Header Access-Control- Request-Headers 9.2. Cross Windows Messaging Relationship between windows Sending Messages Receiving Messages Security Issues 9.3. Web Storage Different Storages Local Storage Session Storage Local Storage APIs Adding an Item Retrieving an Item Removing an Item Removing all Items SessionStorage APIs Security Issues 9.4. Web Sockets 14

15 Real Time Applications Using HTTP WebSocket Features Benefits APIs 9.5. Sandboxed frames Security Issues before HTML Redirection Example Preventing Accessing the Parent Document from iframe HTML5 sandbox attribute Coliseum Labs included in this module

16 During this module the student will practice a number of vulnerabilities that, despite being less known or publicized, are still affecting a number of web applications across many different programming languages and platforms. Advanced clickjacking attacks are covered in depth with real world examples and dissected real world attacks. The level of depth and the amount of practical sessions during this module will provide even seasoned penetration testers with new ways to break the security of their targets. 10. Common Vulnerabilities OWASP A4 - Insecure Direct Object Reference Examples References to file system References to DB Keys OWASP A8 Failure to restrict URL access Path Traversal Path Convention Encoding Best defensive techniques File Inclusion Local File Inclusion Remote File Inclusion Unrestricted File Upload A vulnerable Web Application Best defensive techniques Filtering based on file content Clickjacking Understanding Clickjacking Feasibility study Case1: possible Case2: not possible Building Malicious Web Pages Spreading the Malicious Link Waiting for the victim Best defensive techniques The Old School HTTP header X-Frame- Options Likejacking in Facebook Cursorjacking HTTP Response splitting A typical Scenario XSS through HTTP Response splitting Header Injection Bypassing Same Origin Policy Attack explained Best defensive 16

17 17 techniques Logical Flaws A vulnerable Web Application Best defensive techniques Denial of Services Different DoS Attacks Request bombing Greedy Pages Best defensive techniques Coliseum Labs included in this module

18 Professional penetration testers should master all aspects related to web services testing. Web services are nowadays the data and logic provider for a variety of thin and thick clients, from web application clients to mobile applications. During this highly in depth module the student will first become familiar with web services paradigms and protocols and then learn all the most important related security issues. WSDL and SOAP testing will be covered not only in theory but also in practice in our Coliseum Lab. 11. Web Services Introduction Why using Web Services Standardized Protocols HTTP XML SOAP Interoperability between different Applications Exposing Services Description of a Web Service The WSDL Language Interaction between Client and Web Service Object in WSDL Binding PortType Message Operation Attacks WSDL Disclosure WSDL Google Hacking WSDL Scanning SOAP Action Spoofing Pre-requirements Attack in action Best defensive techniques SQL Injection through SOAP messages Best defensive techniques Coliseum Labs included in this module 18

19 Xpath is the XML standard that allows web applications to query XML databases. In this module the student will learn advanced XPath injection techniques, in theory and practice in the Coliseum. 12. XPath XML Documents and Databases XPath XPath vs. SQL No comment statements Case Sensitive Detecting XPath Injection Error Based Injection Blind Injection Detect True Detect False Coliseum Labs included in this module 19

20 In this module the student will learn how to use Open source and commercial tools to find and exploit all the vulnerabilities studied and practiced during the training course. 13. VA & Exploitation Tools Acunetix VA Exploitation Netsparker VA Exploitation W3af VA Exploitation BeEF Architecture User Interface Communication Server (CS) Zombie Hooking Example BeEF Commands Browser Commands Host Commands Network Commands Exploits Commands XSSrays Requester Tunneling Proxy Configuring a tunneling Proxy Metasploit Integration All tools can be practiced within the Coliseum Lab 20

21 About elearnsecurity Based in Pisa, Italy, elearnsecurity is a leading provider of IT security and penetration testing courses for IT professionals. elearnsecurity advances the careers of IT security professionals by providing affordable top-level instruction. We use engaging elearning and the most effective mix of theory, practice and methodology in IT security all with real-world lessons that students can immediately apply to build relevant skills and keep their companies data and systems safe. For more information, visit elearnsecurity S.R.L Via Matteucci 36/ Pisa, Italy 21